Bug 248703 - ldconfig -p prints nothing
ldconfig -p prints nothing
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
7
x86_64 Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-07-18 08:02 EDT by Martin Simmons
Modified: 2008-01-30 14:06 EST (History)
1 user (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-01-30 14:06:43 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Martin Simmons 2007-07-18 08:02:28 EDT
Description of problem:
ldconfig -p prints nothing. 

Version-Release number of selected component (if applicable):
glibc-2.6-4

How reproducible:
Always

Steps to Reproduce:
1. ldconfig -p
2. ldconfig -p | cat
  
Actual results:
1. Prints nothing
2. Prints the expected output such as "1392 libs found in cache..."

Expected results:
1 and 2 should print the same thing.

Additional info:
I tried it via rlogin and also from the console.
Running it under strace shows it writing to fd 1, but nothing appears.
Comment 1 Jakub Jelinek 2007-07-18 08:29:03 EDT
That's a bug in the SELinux policy, it needs to allow ldconfig to write to
its stdout/stderr, whatever that is.
Comment 2 Daniel Walsh 2007-07-18 09:21:30 EDT
Fixed in selinux-policy-2.6.4-29.fc7

Seems to be fine in RHEL5 and Rawhide already.
Comment 3 Martin Simmons 2007-08-09 15:45:57 EDT
Hmm, I've got selinux-policy-2.6.4-30.fc7 installed now via yum update, but that
hasn't fixed it.
Comment 4 Daniel Walsh 2007-08-09 15:59:01 EDT
Please attach avc messages.
Comment 5 Martin Simmons 2007-08-10 15:48:51 EDT
Sorry, I can't find any avc messages.  No files in /var/log change during the
failed ldconfig and dmesg shows no change.

I ran sealert -b but it only shows old stuff (it had logged the ldconfig
attempts from 2007-07-18).

I do have setroubleshootd running.  I tried service setroubleshoot restart
followed by sealert -q, but then sealert -b failed to connect to it even though
a new setroubleshootd is running.
Comment 6 Daniel Walsh 2007-08-11 07:08:59 EDT
Try selinux-policy-2.6.4-35.fc7
Comment 7 Martin Simmons 2007-08-14 08:26:24 EDT
No visible difference from the previous version (no output, no logs).

However, the update got an "Error during expand" (see below), but I don't know
if it affected the result.  Release 35 is installed now according to rpm -q.

yum --enablerepo=updates-testing update selinux-policy
Loading "installonlyn" plugin
Setting up Update Process
fedora                    100% |=========================| 2.1 kB    00:00     
primary.sqlite.bz2        100% |=========================| 4.7 MB    00:26     
updates-testing           100% |=========================| 1.9 kB    00:00     
updates                   100% |=========================| 1.9 kB    00:00     
primary.sqlite.bz2        100% |=========================| 1.6 MB    00:08     
Resolving Dependencies
--> Running transaction check
---> Package selinux-policy.noarch 0:2.6.4-35.fc7 set to be updated
--> Processing Dependency: selinux-policy = 2.6.4-30.fc7 for package:
selinux-policy-targeted
--> Restarting Dependency Resolution with new changes.
--> Running transaction check
---> Package selinux-policy-targeted.noarch 0:2.6.4-35.fc7 set to be updated

Dependencies Resolved

=============================================================================
 Package                 Arch       Version          Repository        Size 
=============================================================================
Updating:
 selinux-policy          noarch     2.6.4-35.fc7     updates-testing   378 k
Updating for dependencies:
 selinux-policy-targeted  noarch     2.6.4-35.fc7     updates-testing   1.0 M

Transaction Summary
=============================================================================
Install      0 Package(s)         
Update       2 Package(s)         
Remove       0 Package(s)         

Total download size: 1.4 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): selinux-policy-tar 100% |=========================| 1.0 MB    00:05     
(2/2): selinux-policy-2.6 100% |=========================| 378 kB    00:01     
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 30c9ecf8
Importing GPG key 0x30C9ECF8 "Fedora Project (Test Software)
<rawhide@redhat.com>" from /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-test
Is this ok [y/N]: y
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating  : selinux-policy               ######################### [1/4] 
  Updating  : selinux-policy-targeted      ######################### [2/4] 
libsepol.expand_terule_helper: duplicate TE rule for httpd_t
httpd_nagios_script_exec_t:process httpd_nagios_script_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!
  Cleanup   : selinux-policy               ######################### [3/4]
  Cleanup   : selinux-policy-targeted      ######################### [4/4]

Updated: selinux-policy.noarch 0:2.6.4-35.fc7
Dependency Updated: selinux-policy-targeted.noarch 0:2.6.4-35.fc7
Complete!


Other data points: ldconfig -p works after doing setenforce 0; uses of
setenforce are logged in /var/log/audit/audit.log with these messages:

type=MAC_STATUS msg=audit(1187093479.251:46): enforcing=1 old_enforcing=0 auid=597
type=SYSCALL msg=audit(1187093479.251:46): arch=c000003e syscall=1 success=yes
exit=1 a0=3 a1=7fff23446b20 a2=1 a3=0 items=0 ppid=2782 pid=3069 auid=597 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="setenforce"
exe="/usr/sbin/setenforce" subj=user_u:system_r:unconfined_t:s0 key=(null)
type=USER_AVC msg=audit(1187093479.268:47): user pid=1636 uid=81 auid=4294967295
subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received setenforce notice
(enforcing=1) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
Comment 8 Daniel Walsh 2007-08-14 20:50:52 EDT
Yes I pulled 35,  There should now be a 38
Comment 9 Martin Simmons 2007-08-16 10:08:17 EDT
Thanks, that's better.  There were no errors installing 38 and ldconfig -p now
works from the console.

However, it still outputs nothing when stdout is connected to a socket, e.g. two
cases I tried are:

1. from fork/exec connected via socketpair(AF_UNIX,SOCK_STREAM), which is
actually what I was trying to do when I discovered the problem:

type=AVC msg=audit(1187272482.486:330): avc:  denied  { read write } for 
pid=6553 comm="ldconfig" name="[28593]" dev=sockfs ino=28593
scontext=user_u:system_r:ldconfig_t:s0 tcontext=user_u:system_r:unconfined_t:s0
tclass=unix_stream_socket
type=AVC msg=audit(1187272482.486:330): avc:  denied  { read write } for 
pid=6553 comm="ldconfig" name="[28593]" dev=sockfs ino=28593
scontext=user_u:system_r:ldconfig_t:s0 tcontext=user_u:system_r:unconfined_t:s0
tclass=unix_stream_socket
type=SYSCALL msg=audit(1187272482.486:330): arch=c000003e syscall=59 success=yes
exit=0 a0=8c93b0 a1=8c9590 a2=8c8100 a3=31c534c9d0 items=0 ppid=6552 pid=6553
auid=597 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0
comm="ldconfig" exe="/sbin/ldconfig" subj=user_u:system_r:ldconfig_t:s0 key=(null)
type=AVC_PATH msg=audit(1187272482.486:330):  path="socket:[28593]"
type=AVC_PATH msg=audit(1187272482.486:330):  path="socket:[28593]"

2. from rsh localhost ldconfig -p:

type=AVC msg=audit(1187272501.189:335): avc:  denied  { use } for  pid=6586
comm="ldconfig" name="[28600]" dev=sockfs ino=28600
scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:inetd_t:s0
tclass=fd
type=AVC msg=audit(1187272501.189:335): avc:  denied  { use } for  pid=6586
comm="ldconfig" name="[28600]" dev=sockfs ino=28600
scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:inetd_t:s0
tclass=fd
type=AVC msg=audit(1187272501.189:335): avc:  denied  { use } for  pid=6586
comm="ldconfig" name="[28650]" dev=pipefs ino=28650
scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:rshd_t:s0
tclass=fd
type=SYSCALL msg=audit(1187272501.189:335): arch=c000003e syscall=59 success=yes
exit=0 a0=861e08 a1=86bd68 a2=886808 a3=4 items=0 ppid=6555 pid=6586
auid=4294967295 uid=597 gid=100 euid=597 suid=597 fsuid=597 egid=100 sgid=100
fsgid=100 tty=(none) comm="ldconfig" exe="/sbin/ldconfig"
subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC_PATH msg=audit(1187272501.189:335):  path="pipe:[28650]"
type=AVC_PATH msg=audit(1187272501.189:335):  path="socket:[28600]"
type=AVC_PATH msg=audit(1187272501.189:335):  path="socket:[28600]"
Comment 10 Daniel Walsh 2007-08-20 16:38:14 EDT
Please don't use rsh.  This does work fine with ssh.  Strange that you did not
transition to rshd_t?

For the first avc, you would have to add your own local policy mod.

grep ldconfig /var/log/audit/audit.log | audit2allow -M myldconfig
semodule -i myldconfig.pp
Comment 11 Daniel Walsh 2008-01-30 14:06:43 EST
Bulk closing a old selinux policy bugs that were in the modified state.  If the
bug is still not fixed.  Please reopen.

Note You need to log in before you can comment on or make changes to this bug.