Description of problem:
SELinux denied access requested by /usr/sbin/prelink. It is not expected that this access is required by /usr/sbin/prelink and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for vultureseye,
restorecon -v vultureseye
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Version-Release number of selected component (if applicable):

How reproducible:
Unknown

Steps to Reproduce:
1. Receive alert
2. Run suggested commands
3. Receive alert again

Actual results:
Alert returns

Expected results:
Alert to go away

Additional info:
Source Context: system_u:system_r:prelink_t:SystemLow-SystemHigh
Target Context: system_u:object_r:usr_t
Target Objects: vultureseye [ file ]
Affected RPM Packages: prelink-0.3.9-2 [application]
Policy RPM: selinux-policy-2.4.6-7.fc6
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.catchall_file
Host Name: red1.timmieland.private
Platform: Linux red1.timmieland.private 2.6.18-1.2860.fc6xen #1 SMP Tue Dec 5 14:28:32 EST 2006 i686 athlon
Alert Count: 10
Line Numbers:

Raw Audit Messages:
avc: denied { read } for comm="prelink" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/prelink" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="vultureseye" pid=5685 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:prelink_t:s0-s0:c0.c1023 suid=0 tclass=file tcontext=system_u:object_r:usr_t:s0 tty=(none) uid=0
New Plugin will report similar to the following:
--------------------------------------------------------------------------------
Summary
SELinux is preventing /usr/sbin/prelink (prelink_t) "read" on viruskiller (usr_t).

Detailed Description
SELinux denied prelink read on viruskiller. The prelink program is only allowed to manipulate files that are identified as executables or shared libraries by SELinux. Libraries that get placed in lib directories get labeled by default as a shared library. Similarly executables that get placed in a bin or sbin directory get labeled as executables by SELinux. However, if these files get installed in other directories they might not get the correct label. If prelink is trying to manipulate a file that is not a binary or shared library this may indicate an intrusion attack.

Allowing Access
You can alter the file context by executing chcon -t bin_t viruskiller or chcon -t lib_t viruskiller if it is a shared library. If you want to make these changes permanent you must execute the semanage command. semanage fcontext -a -t bin_t viruskiller or semanage fcontext -a -t shlib_t viruskiller. If you feel this executable/shared library is in the wrong location please file a bug against the package that includes the file, if you feel that SELinux should know about this file and label it correctly please file a bug against http://bugzilla.redhat.com/bugzilla/enter_bug.cgi.

Additional Information
Source Context: system_u:system_r:prelink_t:SystemLow-SystemHigh
Target Context: system_u:object_r:usr_t
Target Objects: viruskiller [ file ]
Affected RPM Packages:
Policy RPM:
Selinux Enabled:
Policy Type:
MLS Enabled:
Enforcing Mode:
Plugin Name: plugins.prelink_mislabled
Host Name:
Platform:
Alert Count: 1
Line Numbers: 1

Raw Audit Messages:
avc: denied { read } for comm="prelink" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/prelink" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="viruskiller" pid=5685 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:prelink_t:s0-s0:c0.c1023 suid=0 tclass=file tcontext=system_u:object_r:usr_t:s0 tty=(none) uid=0
Upgrading to selinux-policy-2.4.6-37 and forcing a system relabel resolved this issue.
This bug seems to be present in FC7 for vultureseye at least:

Summary
SELinux is preventing /usr/sbin/prelink (prelink_t) "create" on vultureseye.#prelink#.sBN9qw (usr_t).

Detailed Description
SELinux denied prelink create on vultureseye.#prelink#.sBN9qw. The prelink program is only allowed to manipulate files that are identified as executables or shared libraries by SELinux. Libraries that get placed in lib directories get labeled by default as a shared library. Similarly executables that get placed in a bin or sbin directory get labeled as executables by SELinux. However, if these files get installed in other directories they might not get the correct label. If prelink is trying to manipulate a file that is not a binary or shared library this may indicate an intrusion attack.

Allowing Access
You can alter the file context by executing chcon -t bin_t vultureseye.#prelink#.sBN9qw or chcon -t lib_t vultureseye.#prelink#.sBN9qw if it is a shared library. If you want to make these changes permanent you must execute the semanage command. semanage fcontext -a -t bin_t vultureseye.#prelink#.sBN9qw or semanage fcontext -a -t shlib_t vultureseye.#prelink#.sBN9qw. If you feel this executable/shared library is in the wrong location please file a bug against the package that includes the file, if you feel that SELinux should know about this file and label it correctly please file a bug against http://bugzilla.redhat.com/bugzilla/enter_bug.cgi.

Additional Information
Source Context: user_u:system_r:prelink_t
Target Context: user_u:object_r:usr_t
Target Objects: vultureseye.#prelink#.sBN9qw [ file ]
Affected RPM Packages: prelink-0.3.10-1 [application]
Policy RPM: selinux-policy-2.6.4-8.fc7
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.prelink_mislabled
Host Name: localhost.localdomain
Platform: Linux localhost.localdomain 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 i686
Alert Count: 1
First Seen: Tue 05 Jun 2007 08:28:50 AM CEST
Last Seen: Tue 05 Jun 2007 08:28:50 AM CEST
Local ID: 6802f34b-80e5-4899-b44d-2949e22fb82a
Line Numbers:

Raw Audit Messages:
avc: denied { create } for comm="prelink" egid=0 euid=0 exe="/usr/sbin/prelink" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="vultureseye.#prelink#.sBN9qw" pid=13467 scontext=user_u:system_r:prelink_t:s0 sgid=0 subj=user_u:system_r:prelink_t:s0 suid=0 tclass=file tcontext=user_u:object_r:usr_t:s0 tty=(none) uid=0
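The prelink_mislabled plugin logic quoted in the two comments above (prelink_t denied on a file labeled usr_t, with the chcon/semanage relabel as the fix) can be reproduced as a small triage script over raw AVC lines. This is an added example, not code from setroubleshoot or from this bug; the two prelink lines are the ones quoted in the bug, the httpd line is constructed as a negative case, and the field parser assumes the key=value AVC format shown here.

```shell
#!/bin/sh
# Constructed samples: the two prelink denials quoted in this bug plus one unrelated denial
# (made up here) so the classifier has a negative case.
AVC_READ='avc: denied { read } for comm="prelink" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/prelink" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="viruskiller" pid=5685 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:prelink_t:s0-s0:c0.c1023 suid=0 tclass=file tcontext=system_u:object_r:usr_t:s0 tty=(none) uid=0'
AVC_CREATE='avc: denied { create } for comm="prelink" egid=0 euid=0 exe="/usr/sbin/prelink" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="vultureseye.#prelink#.sBN9qw" pid=13467 scontext=user_u:system_r:prelink_t:s0 sgid=0 subj=user_u:system_r:prelink_t:s0 suid=0 tclass=file tcontext=user_u:object_r:usr_t:s0 tty=(none) uid=0'
AVC_OTHER='avc: denied { getattr } for comm="httpd" exe="/usr/sbin/httpd" name="index.html" pid=4242 scontext=system_u:system_r:httpd_t:s0 tclass=file tcontext=system_u:object_r:usr_t:s0'

# avc_field LINE KEY: print KEY's value with surrounding quotes removed; return 1 if KEY is absent.
avc_field() {
    rest=${1#* "$2"=}
    [ "$rest" = "$1" ] && return 1
    val=${rest%% *}
    q='"'
    val=${val#"$q"}
    val=${val%"$q"}
    printf '%s\n' "$val"
}

# avc_perm LINE: print the denied permission, e.g. "read" out of "{ read }".
avc_perm() {
    lb='{' rb='}'
    p=${1#*"$lb" }
    printf '%s\n' "${p%% "$rb"*}"
}

# ctx_type CONTEXT: the type field of user:role:type[:range].
ctx_type() {
    t=${1#*:}
    t=${t#*:}
    printf '%s\n' "${t%%:*}"
}

# prelink_mislabel_check LINE: return 0 and print relabel advice when LINE matches the pattern
# this bug describes (prelink_t denied on a file of type usr_t); return 1 otherwise.
prelink_mislabel_check() {
    sctx=$(avc_field "$1" scontext) || return 1
    tctx=$(avc_field "$1" tcontext) || return 1
    tclass=$(avc_field "$1" tclass) || return 1
    name=$(avc_field "$1" name) || return 1
    [ "$(ctx_type "$sctx")" = prelink_t ] || return 1
    [ "$(ctx_type "$tctx")" = usr_t ] || return 1
    [ "$tclass" = file ] || return 1
    # prelink writes NAME.#prelink#.XXXXXX beside the target; the label fix belongs to NAME itself.
    marker='.#prelink#.'
    base=${name%%"$marker"*}
    printf 'prelink denied "%s" on %s (usr_t): chcon -t bin_t %s (lib_t for a shared library), then semanage fcontext -a -t bin_t <full path> to persist, or restorecon -v if the default context is already right\n' \
        "$(avc_perm "$1")" "$name" "$base"
}

for l in "$AVC_READ" "$AVC_CREATE" "$AVC_OTHER"; do
    prelink_mislabel_check "$l" || echo "not the prelink/usr_t pattern: comm=$(avc_field "$l" comm)"
done
```

Feed it real lines with something like `ausearch -m avc` piped through the loop; anything it flags that is not a binary or shared library is the intrusion signal the plugin text warns about, not a relabel candidate.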