Bug 244509 - Prelink problem with project starfighter (selinux blocked)
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
7
All Linux
low Severity low
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2007-06-16 07:07 EDT by Douglas Furlong
Modified: 2007-11-30 17:12 EST (History)
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-08-22 10:09:51 EDT


Description Douglas Furlong 2007-06-16 07:07:17 EDT
Description of problem:
Okay, first off, I'm REALLY not sure if this is the right package to assign this
to, so I'm sorry if it's not.

I noticed this morning an SELinux exception, and I'm just reporting it.

Version-Release number of selected component (if applicable):

Affected RPM Packages:  glibc-2.6-3 [application]starfighter-1.1-8.fc6 [target]
Policy RPM:  selinux-policy-2.6.4-13.fc7

How reproducible:

Not sure.

This is the output from setroubleshoot browser.

SummarySELinux is preventing /lib/ld-2.6.so (prelink_t) "execute" to
/usr/games/starfighter (usr_t).Detailed DescriptionSELinux denied access
requested by /lib/ld-2.6.so. It is not expected that this access is required by
/lib/ld-2.6.so and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.Allowing AccessSometimes labeling
problems can cause SELinux denials. You could try to restore the default system
file context for /usr/games/starfighter, restorecon -v /usr/games/starfighter If
this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
Or you can disable SELinux protection altogether. Disabling SELinux protection
is not recommended. Please file a bug report against this package.Additional
InformationSource Context:  user_u:system_r:prelink_tTarget
Context:  system_u:object_r:usr_tTarget Objects:  /usr/games/starfighter [ file
]Affected RPM Packages:  glibc-2.6-3 [application]starfighter-1.1-8.fc6
[target]Policy RPM:  selinux-policy-2.6.4-13.fc7Selinux Enabled:  TruePolicy
Type:  targetedMLS Enabled:  TrueEnforcing Mode:  EnforcingPlugin
Name:  plugins.catchall_fileHost Name:  localhost.localdomainPlatform:  Linux
localhost.localdomain 2.6.21-1.3228.fc7 #1 SMP Tue Jun 12 15:37:31 EDT 2007 i686
i686Alert Count:  1First Seen:  Sat 16 Jun 2007 04:11:09 BSTLast Seen:  Sat 16
Jun 2007 04:11:09 BSTLocal ID:  7dcb0ece-9f34-441e-8172-7765b1c333ddLine
Numbers:  Raw Audit Messages :avc: denied { execute } for comm="ld-linux.so.2"
dev=dm-0 egid=0 euid=0 exe="/lib/ld-2.6.so" exit=-13 fsgid=0 fsuid=0 gid=0
items=0 name="starfighter" path="/usr/games/starfighter" pid=11090
scontext=user_u:system_r:prelink_t:s0 sgid=0 subj=user_u:system_r:prelink_t:s0
suid=0 tclass=file tcontext=system_u:object_r:usr_t:s0 tty=(none) uid=0
Comment 1 Douglas Furlong 2007-06-16 07:17:23 EDT
Reposting the information, so that it is readable.

Summary
SELinux is preventing /lib/ld-2.6.so (prelink_t) "execute" to
/usr/games/starfighter (usr_t).

Detailed Description
SELinux denied access requested by /lib/ld-2.6.so. It is not expected that this
access is required by /lib/ld-2.6.so and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /usr/games/starfighter, restorecon -v
/usr/games/starfighter If this does not work, there is currently no automatic
way to allow this access. Instead, you can generate a local policy module to
allow this access - see FAQ Or you can disable SELinux protection altogether.
Disabling SELinux protection is not recommended. Please file a bug report
against this package.

Additional Information
Source Context:  user_u:system_r:prelink_t
Target Context:  system_u:object_r:usr_t
Target Objects:  /usr/games/starfighter [ file ]
Affected RPM Packages:  glibc-2.6-3 [application]starfighter-1.1-8.fc6 [target]
Policy RPM:  selinux-policy-2.6.4-13.fc7
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.catchall_file
Host Name:  localhost.localdomain
Platform:  Linux localhost.localdomain 2.6.21-1.3228.fc7 #1 SMP Tue Jun 12
15:37:31 EDT 2007 i686 i686
Alert Count:  1
First Seen:  Sat 16 Jun 2007 04:11:09 BST
Last Seen:  Sat 16 Jun 2007 04:11:09 BST
Local ID:  7dcb0ece-9f34-441e-8172-7765b1c333dd
Line Numbers:  
Raw Audit Messages :avc: denied { execute } for comm="ld-linux.so.2" dev=dm-0
egid=0 euid=0 exe="/lib/ld-2.6.so" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
name="starfighter" path="/usr/games/starfighter" pid=11090
scontext=user_u:system_r:prelink_t:s0 sgid=0 subj=user_u:system_r:prelink_t:s0
suid=0 tclass=file tcontext=system_u:object_r:usr_t:s0 tty=(none) uid=0 
Comment 2 Daniel Walsh 2007-06-18 11:48:10 EDT
Fixed in selinux-policy-2.6.4-17
Comment 3 Daniel Walsh 2007-08-22 10:09:51 EDT
Closing as fixes are in the current release
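
Added example, not part of the original bug report and not code from setroubleshoot or audit2allow: a small Python parser for the raw audit message quoted above, reducing it to the source type, target type, object class and permission that the denial is about. The function names are hypothetical; the record is the one from the report with its line wraps joined.

```python
import re

# Raw audit message as quoted in the report (line wraps joined).
RAW_AVC = (
    'avc: denied { execute } for comm="ld-linux.so.2" dev=dm-0 egid=0 euid=0 '
    'exe="/lib/ld-2.6.so" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 '
    'name="starfighter" path="/usr/games/starfighter" pid=11090 '
    'scontext=user_u:system_r:prelink_t:s0 sgid=0 '
    'subj=user_u:system_r:prelink_t:s0 suid=0 tclass=file '
    'tcontext=system_u:object_r:usr_t:s0 tty=(none) uid=0'
)

_HEAD = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)', re.S)
_PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(message):
    """Split one AVC record into result, permission list and key=value fields."""
    m = _HEAD.search(message)
    if m is None:
        raise ValueError("not an AVC record")
    fields = {k: v.strip('"') for k, v in _PAIR.findall(m.group(3))}
    for required in ("scontext", "tcontext", "tclass"):
        if required not in fields:
            raise ValueError("AVC record lacks " + required)
    return {"result": m.group(1), "perms": m.group(2).split(), "fields": fields}

def context_type(context):
    """Return the type field of a user:role:type[:level] context."""
    # The MLS level can itself contain colons (s0-s0:c0.c1023), so split at
    # most three times and take the third element.
    parts = context.split(":", 3)
    if len(parts) < 3:
        raise ValueError("malformed context: " + context)
    return parts[2]

def te_rule(avc):
    """Render the type-enforcement rule that the denial corresponds to."""
    f = avc["fields"]
    perms = avc["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow {} {}:{} {};".format(
        context_type(f["scontext"]), context_type(f["tcontext"]),
        f["tclass"], perm_text)

if __name__ == "__main__":
    record = parse_avc(RAW_AVC)
    print(record["fields"]["exe"], "->", record["fields"]["path"])
    print(te_rule(record))
```

The rendered rule is a compact way to read what was denied (prelink_t executing a usr_t file); in this bug the resolution came from the policy package, selinux-policy-2.6.4-17, as stated in Comment 2.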
