Bug 244172 - Summary SELinux is preventing /usr/sbin/prelink (prelink_t) "relabelfrom" to xfishtank.#prelink#.T57gVh (usr_t). Detailed Description SELinux denied access requested by /usr/sbin/prelink. It is not expected that this access is re...
Summary SELinux is preventing /usr/sbin/prelink (prelink_t) "relabelfrom...
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
rawhide
i386 Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-06-14 07:21 EDT by SquirreL
Modified: 2013-01-09 23:20 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-09-10 10:39:44 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description SquirreL 2007-06-14 07:21:50 EDT
Summary
    SELinux is preventing /usr/sbin/prelink (prelink_t) "relabelfrom" to
    xfishtank.#prelink#.T57gVh (usr_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/prelink. It is not expected
    that this access is required by /usr/sbin/prelink and this access may signal
    an intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for xfishtank.#prelink#.T57gVh,
    restorecon -v xfishtank.#prelink#.T57gVh If this does not work, there is
    currently no automatic way to allow this access. Instead,  you can generate
    a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                user_u:system_r:prelink_t
Target Context                user_u:object_r:usr_t
Target Objects                xfishtank.#prelink#.T57gVh [ file ]
Affected RPM Packages         prelink-0.3.10-1 [application]
Policy RPM                    selinux-policy-2.6.4-12.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.21-1.3194.fc7 #1
                              SMP Wed May 23 22:35:01 EDT 2007 i686 athlon
Alert Count                   1
First Seen                    Thu 14 Jun 2007 04:14:17 AM EDT
Last Seen                     Thu 14 Jun 2007 04:14:17 AM EDT
Local ID                      287ec317-c3b1-419e-a4e0-938982125591
Line Numbers                  

Raw Audit Messages            

avc: denied { relabelfrom } for comm="prelink" dev=dm-0 egid=0 euid=0
exe="/usr/sbin/prelink" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
name="xfishtank.#prelink#.T57gVh" pid=5203 scontext=user_u:system_r:prelink_t:s0
sgid=0 subj=user_u:system_r:prelink_t:s0 suid=0 tclass=file
tcontext=user_u:object_r:usr_t:s0 tty=(none) uid=0
Comment 1 Daniel Walsh 2007-06-14 09:14:30 EDT
Where is xfishtank installed?  If you chcon -t bin_t xfishtank does the problem
go away?
Comment 2 Daniel Walsh 2007-09-10 10:39:44 EDT
Fixed in rawhide.
Comment 3 SquirreL 2008-08-02 16:16:37 EDT
The original summary for this bug was longer than 255 characters, and so it was truncated when Bugzilla was upgraded. The original summary was:

Summary      SELinux is preventing /usr/sbin/prelink (prelink_t) "relabelfrom" to      xfishtank.#prelink#.T57gVh (usr_t).    Detailed Description      SELinux denied access requested by /usr/sbin/prelink. It is not expected      that this access is required by /usr/sbin/prelink and this access may signal      an intrusion attempt. It is also possible that the specific version or      configuration of the application is causing it to require additional access.    Allowing Access      Sometimes labeling problems can cause SELinux denials.  You could try to      restore the default system file context for xfishtank.#prelink#.T57gVh,      restorecon -v xfishtank.#prelink#.T57gVh If this does not work, there is      currently no automatic way to allow this access. Instead,  you can generate      a local policy module to allow this access - see      http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable      SELinux protection altogether. Disabling SELinux protection is not      recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi      against this package.    Additional Information            Source Context                user_u:system_r:prelink_t  Target Context                user_u:object_r:usr_t  Target Objects                xfishtank.#prelink#.T57gVh [ file ]  Affected RPM Packages         prelink-0.3.10-1 [application]  Policy RPM                    selinux-policy-2.6.4-12.fc7  Selinux Enabled               True  Policy Type                   targeted  MLS Enabled                   True  Enforcing Mode                Enforcing  Plugin Name                   plugins.catchall_file  Host Name                     localhost.localdomain  Platform                      Linux localhost.localdomain 2.6.21-1.3194.fc7 #1                                SMP Wed May 23 22:35:01 EDT 2007 i686 athlon  Alert Count                   1  First Seen                    Thu 14 Jun 2007 04:14:17 AM EDT  Last Seen                     Thu 14 Jun 2007 04:14:17 AM EDT  Local ID                      287ec317-c3b1-419e-a4e0-938982125591  Line Numbers                      Raw Audit Messages                avc: denied { relabelfrom } for comm="prelink" dev=dm-0 egid=0 euid=0  exe="/usr/sbin/prelink" exit=-13 fsgid=0 fsuid=0 gid=0 items=0  name="xfishtank.#prelink#.T57gVh" pid=5203 scontext=user_u:system_r:prelink_t:s0  sgid=0 subj=user_u:system_r:prelink_t:s0 suid=0 tclass=file  tcontext=user_u:object_r:usr_t:s0 tty=(none) uid=0

Note You need to log in before you can comment on or make changes to this bug.