Description of problem:
ldconfig -p prints nothing.
Version-Release number of selected component (if applicable):
glibc-2.6-4
How reproducible:
Always
Steps to Reproduce:
1. ldconfig -p
2. ldconfig -p | cat
Actual results:
1. Prints nothing
2. Prints the expected output such as "1392 libs found in cache..."
Expected results:
1 and 2 should print the same thing.
Additional info:
I tried it via rlogin and also from the console. Running it under strace shows it writing to fd 1, but nothing appears.
That's a bug in the SELinux policy, it needs to allow ldconfig to write to its stdout/stderr, whatever that is.
Fixed in selinux-policy-2.6.4-29.fc7
Seems to be fine in RHEL5 and Rawhide already.
Hmm, I've got selinux-policy-2.6.4-30.fc7 installed now via yum update, but that hasn't fixed it.
Please attach avc messages.
Sorry, I can't find any avc messages. No files in /var/log change during the failed ldconfig and dmesg shows no change. I ran sealert -b but it only shows old stuff (it had logged the ldconfig attempts from 2007-07-18). I do have setroubleshootd running. I tried service setroubleshoot restart followed by sealert -q, but then sealert -b failed to connect to it even though a new setroubleshootd is running.
Try selinux-policy-2.6.4-35.fc7
No visible difference from the previous version (no output, no logs). However, the update got an "Error during expand" (see below), but I don't know if it affected the result. Release 35 is installed now according to rpm -q.
    yum --enablerepo=updates-testing update selinux-policy
    Loading "installonlyn" plugin
    Setting up Update Process
    fedora 100% |=========================| 2.1 kB 00:00
    primary.sqlite.bz2 100% |=========================| 4.7 MB 00:26
    updates-testing 100% |=========================| 1.9 kB 00:00
    updates 100% |=========================| 1.9 kB 00:00
    primary.sqlite.bz2 100% |=========================| 1.6 MB 00:08
    Resolving Dependencies
    --> Running transaction check
    ---> Package selinux-policy.noarch 0:2.6.4-35.fc7 set to be updated
    --> Processing Dependency: selinux-policy = 2.6.4-30.fc7 for package: selinux-policy-targeted
    --> Restarting Dependency Resolution with new changes.
    --> Running transaction check
    ---> Package selinux-policy-targeted.noarch 0:2.6.4-35.fc7 set to be updated
    Dependencies Resolved
    =============================================================================
    Package Arch Version Repository Size
    =============================================================================
    Updating:
    selinux-policy noarch 2.6.4-35.fc7 updates-testing 378 k
    Updating for dependencies:
    selinux-policy-targeted noarch 2.6.4-35.fc7 updates-testing 1.0 M
    Transaction Summary
    =============================================================================
    Install 0 Package(s)
    Update 2 Package(s)
    Remove 0 Package(s)
    Total download size: 1.4 M
    Is this ok [y/N]: y
    Downloading Packages:
    (1/2): selinux-policy-tar 100% |=========================| 1.0 MB 00:05
    (2/2): selinux-policy-2.6 100% |=========================| 378 kB 00:01
    warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 30c9ecf8
    Importing GPG key 0x30C9ECF8 "Fedora Project (Test Software) <rawhide>" from /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-test
    Is this ok [y/N]: y
    Running Transaction Test
    Finished Transaction Test
    Transaction Test Succeeded
    Running Transaction
    Updating : selinux-policy ######################### [1/4]
    Updating : selinux-policy-targeted ######################### [2/4]
    libsepol.expand_terule_helper: duplicate TE rule for httpd_t httpd_nagios_script_exec_t:process httpd_nagios_script_t
    libsepol.expand_module: Error during expand
    libsemanage.semanage_expand_sandbox: Expand module failed
    semodule: Failed!
    Cleanup : selinux-policy ######################### [3/4]
    Cleanup : selinux-policy-targeted ######################### [4/4]
    Updated: selinux-policy.noarch 0:2.6.4-35.fc7
    Dependency Updated: selinux-policy-targeted.noarch 0:2.6.4-35.fc7
    Complete!
Other data points: ldconfig -p works after doing setenforce 0; uses of setenforce are logged in /var/log/audit/audit.log with these messages:
    type=MAC_STATUS msg=audit(1187093479.251:46): enforcing=1 old_enforcing=0 auid=597
    type=SYSCALL msg=audit(1187093479.251:46): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fff23446b20 a2=1 a3=0 items=0 ppid=2782 pid=3069 auid=597 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="setenforce" exe="/usr/sbin/setenforce" subj=user_u:system_r:unconfined_t:s0 key=(null)
    type=USER_AVC msg=audit(1187093479.268:47): user pid=1636 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: received setenforce notice (enforcing=1) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
Yes, I pulled 35. There should now be a 38.
Thanks, that's better. There were no errors installing 38 and ldconfig -p now works from the console. However, it still outputs nothing when stdout is connected to a socket, e.g. two cases I tried are:
1. from fork/exec connected via socketpair(AF_UNIX,SOCK_STREAM), which is actually what I was trying to do when I discovered the problem:
    type=AVC msg=audit(1187272482.486:330): avc: denied { read write } for pid=6553 comm="ldconfig" name="[28593]" dev=sockfs ino=28593 scontext=user_u:system_r:ldconfig_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
    type=AVC msg=audit(1187272482.486:330): avc: denied { read write } for pid=6553 comm="ldconfig" name="[28593]" dev=sockfs ino=28593 scontext=user_u:system_r:ldconfig_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
    type=SYSCALL msg=audit(1187272482.486:330): arch=c000003e syscall=59 success=yes exit=0 a0=8c93b0 a1=8c9590 a2=8c8100 a3=31c534c9d0 items=0 ppid=6552 pid=6553 auid=597 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="ldconfig" exe="/sbin/ldconfig" subj=user_u:system_r:ldconfig_t:s0 key=(null)
    type=AVC_PATH msg=audit(1187272482.486:330): path="socket:[28593]"
    type=AVC_PATH msg=audit(1187272482.486:330): path="socket:[28593]"
2. from rsh localhost ldconfig -p:
    type=AVC msg=audit(1187272501.189:335): avc: denied { use } for pid=6586 comm="ldconfig" name="[28600]" dev=sockfs ino=28600 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:inetd_t:s0 tclass=fd
    type=AVC msg=audit(1187272501.189:335): avc: denied { use } for pid=6586 comm="ldconfig" name="[28600]" dev=sockfs ino=28600 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:inetd_t:s0 tclass=fd
    type=AVC msg=audit(1187272501.189:335): avc: denied { use } for pid=6586 comm="ldconfig" name="[28650]" dev=pipefs ino=28650 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:rshd_t:s0 tclass=fd
    type=SYSCALL msg=audit(1187272501.189:335): arch=c000003e syscall=59 success=yes exit=0 a0=861e08 a1=86bd68 a2=886808 a3=4 items=0 ppid=6555 pid=6586 auid=4294967295 uid=597 gid=100 euid=597 suid=597 fsuid=597 egid=100 sgid=100 fsgid=100 tty=(none) comm="ldconfig" exe="/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null)
    type=AVC_PATH msg=audit(1187272501.189:335): path="pipe:[28650]"
    type=AVC_PATH msg=audit(1187272501.189:335): path="socket:[28600]"
    type=AVC_PATH msg=audit(1187272501.189:335): path="socket:[28600]"
Please don't use rsh. This does work fine with ssh. Strange that you did not transition to rshd_t? For the first avc, you would have to add your own local policy mod.
    grep ldconfig /var/log/audit/audit.log | audit2allow -M myldconfig
    semodule -i myldconfig.pp
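Added example (not part of the original thread, and not audit2allow's own code): a short Python review step that groups the AVC denials quoted above by source type, target type and class, so the access a local module would grant can be read before it is built. `grep ldconfig` matches the rsh denials as well as the socketpair one. The function names are hypothetical; the records are copied from the comment above.

```python
import re
from collections import defaultdict

# AVC / AVC_PATH records copied from the thread above.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1187272482.486:330): avc: denied { read write } for pid=6553 comm="ldconfig" name="[28593]" dev=sockfs ino=28593 scontext=user_u:system_r:ldconfig_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1187272482.486:330): avc: denied { read write } for pid=6553 comm="ldconfig" name="[28593]" dev=sockfs ino=28593 scontext=user_u:system_r:ldconfig_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
type=AVC_PATH msg=audit(1187272482.486:330): path="socket:[28593]"
type=AVC msg=audit(1187272501.189:335): avc: denied { use } for pid=6586 comm="ldconfig" name="[28600]" dev=sockfs ino=28600 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:inetd_t:s0 tclass=fd
type=AVC msg=audit(1187272501.189:335): avc: denied { use } for pid=6586 comm="ldconfig" name="[28600]" dev=sockfs ino=28600 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:inetd_t:s0 tclass=fd
type=AVC msg=audit(1187272501.189:335): avc: denied { use } for pid=6586 comm="ldconfig" name="[28650]" dev=pipefs ino=28650 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:rshd_t:s0 tclass=fd
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def summarize_denials(log_text, comm=None):
    """Group kernel AVC denials by (source type, target type, class)."""
    denials = defaultdict(lambda: {"perms": set(), "count": 0})
    for line in log_text.splitlines():
        if not line.startswith("type=AVC "):   # skips AVC_PATH, SYSCALL, USER_AVC
            continue
        if comm and f'comm="{comm}"' not in line:
            continue
        match = AVC_RE.search(line)
        if not match:
            continue
        perms, scontext, tcontext, tclass = match.groups()
        key = (selinux_type(scontext), selinux_type(tcontext), tclass)
        denials[key]["perms"].update(perms.split())
        denials[key]["count"] += 1
    return denials

def candidate_rules(denials):
    """Render each group as the allow rule it would take to permit it."""
    rules = []
    for (src, tgt, tclass), info in sorted(denials.items()):
        perms = sorted(info["perms"])
        text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {text};")
    return rules

if __name__ == "__main__":
    for rule in candidate_rules(summarize_denials(SAMPLE_AUDIT_LOG, "ldconfig")):
        print(rule)
```

Only the unconfined_t:unix_stream_socket rule corresponds to the socketpair case; the two fd rules come from the rsh session.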
Bulk closing old SELinux policy bugs that were in the modified state. If the bug is still not fixed, please reopen.