Bug 247267 - SELinux prevents ldconfig from writing to PTS' (policy 2.6.4-8.fc7)
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 7
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-07-06 10:31 EDT by Colin
Modified: 2008-01-30 14:18 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 14:18:49 EST
Attachments: None

Description Colin 2007-07-06 10:31:57 EDT
Description of problem:

SELinux policies block ldconfig from writing data to the screen if logged in to
a PTS. It also appears to block access to newly created system directories.


Version-Release number of selected component (if applicable):

hera# rpm -q --whatprovides `which ldconfig`
glibc-2.6-3
hera# rpm -qa |grep selinux
libselinux-python-2.0.13-1.fc7
selinux-policy-targeted-2.6.4-8.fc7
libselinux-2.0.13-1.fc7
selinux-policy-2.6.4-8.fc7


How reproducible:

Always.

Steps to Reproduce:
1. ldconfig -v
2. tail /var/log/audit/audit.log

Actual results:

ldconfig does not output data when using -v during a rebuild of the ld.so cache
or -p to print the contents of it. The audit logs show this is because SELinux
is blocking it from accessing the pts used by my login.

Expected results:

-v should display verbose information as ldconfig builds the cache
-p should display the contents of the cache.


Additional info:

type=AVC msg=audit(1183731285.240:1164): avc:  denied  { read write } for  pid=14442 comm="ldconfig" name="1" dev=devpts ino=3 scontext=system_u:system_r:ldconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sshd_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1183731285.240:1164): avc:  denied  { read write } for  pid=14442 comm="ldconfig" name="1" dev=devpts ino=3 scontext=system_u:system_r:ldconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sshd_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1183731285.240:1164): avc:  denied  { read write } for  pid=14442 comm="ldconfig" name="1" dev=devpts ino=3 scontext=system_u:system_r:ldconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sshd_devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1183731285.240:1164): arch=40000003 syscall=11 success=yes exit=0 a0=8d70158 a1=8d6ecd0 a2=8d70588 a3=0 items=0 ppid=11946 pid=14442 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="ldconfig" exe="/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1183731285.240:1164):  path="/dev/pts/1"
type=AVC_PATH msg=audit(1183731285.240:1164):  path="/dev/pts/1"
type=AVC_PATH msg=audit(1183731285.240:1164):  path="/dev/pts/1"


Disabling enforcing allows this to work:

hera# echo 0 > /selinux/enforce; ldconfig -p |head
210 libs found in cache `/etc/ld.so.cache'
        libz.so.1 (libc6) => /lib/libz.so.1
        libz.so (libc6) => /usr/lib/libz.so
        libxslt.so.1 (libc6) => /usr/lib/libxslt.so.1
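One way to triage records like the ones quoted above, as an added example that is not part of this bug report or of Fedora's tooling: parse the AVC and AVC_PATH lines, join them by their audit event id, and aggregate the denied permissions per source type, target type and object class. The sample log is constructed from the records quoted in the report.

```python
import re
from collections import defaultdict

# Constructed sample: the records from this bug, one per line as auditd writes them.
SAMPLE_LOG = """\
type=AVC msg=audit(1183731285.240:1164): avc:  denied  { read write } for  pid=14442 comm="ldconfig" name="1" dev=devpts ino=3 scontext=system_u:system_r:ldconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sshd_devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1183731285.240:1164): arch=40000003 syscall=11 success=yes exit=0 a0=8d70158 a1=8d6ecd0 a2=8d70588 a3=0 items=0 ppid=11946 pid=14442 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="ldconfig" exe="/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1183731285.240:1164):  path="/dev/pts/1"
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<event>[\d.]+:\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)$')
PATH_RE = re.compile(
    r'^type=AVC_PATH msg=audit\((?P<event>[\d.]+:\d+)\):\s+path="(?P<path>[^"]*)"')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(':')[2]


def parse_denials(log_text):
    """Return one dict per AVC denial, joined to its AVC_PATH record by event id."""
    paths, denials = {}, []
    for line in log_text.splitlines():
        m = PATH_RE.match(line)
        if m:
            paths[m.group('event')] = m.group('path')
            continue
        m = AVC_RE.match(line)
        if not m:
            continue  # SYSCALL and other record types are not needed here
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
        denials.append({'event': m.group('event'),
                        'perms': set(m.group('perms').split()),
                        'comm': fields.get('comm'),
                        'source': selinux_type(fields['scontext']),
                        'target': selinux_type(fields['tcontext']),
                        'tclass': fields['tclass']})
    for d in denials:  # AVC_PATH follows the AVC record, so join after the pass
        d['path'] = paths.get(d['event'])
    return denials


def summarize(denials):
    """Aggregate denied permissions per (source type, target type, object class)."""
    summary = defaultdict(set)
    for d in denials:
        summary[(d['source'], d['target'], d['tclass'])] |= d['perms']
    return dict(summary)
```

For this bug the summary is a single entry, ldconfig_t reaching sshd_devpts_t over chr_file with read and write denied, which is exactly the access the policy fix in Comment 1 has to grant.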
Comment 1 Daniel Walsh 2007-09-04 16:16:16 EDT
Fixed in selinux-policy-2.4.6-40
Comment 2 Daniel Walsh 2008-01-30 14:18:49 EST
Bulk closing all bugs in Fedora updates in the modified state.  If your bug is
not fixed, please reopen.
