Description of problem:
SELinux "denied access" error attempting to execute SDK samples.

Sep 13 01:06:16 biscayne setroubleshoot: SELinux is preventing /usr/sbin/cimserver (pegasus_t) "execute" access to /usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so (usr_t). For complete SELinux messages. run sealert -l b10b6f7c-cc13-41e7-a3a4-08e4a9e8fffe

Version-Release number of selected component (if applicable):
tog-pegasus-devel-2.6.1-2.el5

How reproducible:
Consistently

Steps to Reproduce:
1. cd /usr/share/Pegasus/samples
2. make
3. make setupSDK
4. make testSDK

Actual results:
make[1]: Entering directory `/usr/share/Pegasus/samples/Clients'
make[2]: Entering directory `/usr/share/Pegasus/samples/Clients/DefaultC++'
make[3]: Entering directory `/usr/share/Pegasus/samples/Clients/DefaultC++/EnumInstances'
Error: CIM_ERR_FAILED: A general error occurred that is not covered by a more specific error code: "ProviderLoadFailure (/usr/lib/Pegasus/providers/libSDKInstanceProvider.so:SampleInstanceProvider):Cannot load library, error: /usr/lib/Pegasus/providers/libSDKInstanceProvider.so: failed to map segment from shared object: Permission denied"
make[3]: *** [testSDK] Error 1
make[3]: Leaving directory `/usr/share/Pegasus/samples/Clients/DefaultC++/EnumInstances'
make[2]: *** [testSDK] Error 2
make[2]: Leaving directory `/usr/share/Pegasus/samples/Clients/DefaultC++'
make[1]: *** [testSDK] Error 2
make[1]: Leaving directory `/usr/share/Pegasus/samples/Clients'
make: *** [testSDK] Error 2

Expected results:
[root@biscayne samples]# make testSDK
make[1]: Entering directory `/usr/share/Pegasus/samples/Clients'
make[2]: Entering directory `/usr/share/Pegasus/samples/Clients/DefaultC++'
make[3]: Entering directory `/usr/share/Pegasus/samples/Clients/DefaultC++/EnumInstances'
Total Number of Instances: 3
make[3]: Leaving directory `/usr/share/Pegasus/samples/Clients/DefaultC++/EnumInstances'
make[3]: Entering directory `/usr/share/Pegasus/samples/Clients/DefaultC++/InvokeMethod'
Output : Hello
make[3]: Leaving directory `/usr/share/Pegasus/samples/Clients/DefaultC++/InvokeMethod'
make[3]: Entering directory `/usr/share/Pegasus/samples/Clients/DefaultC++/SendTestIndications'
Successfully sent test indications
make[3]: Leaving directory `/usr/share/Pegasus/samples/Clients/DefaultC++/SendTestIndications'
make[3]: Entering directory `/usr/share/Pegasus/samples/Clients/DefaultC++/Associations'
+++++ Test Sample Association Provider
+++++ Test associators
+++++ Test associatorNames
+++++ Test references
+++++ Test referenceNames
+++++ Test association class operations
+++++ passed all tests

Additional info:
The following Providers are built as examples in the SDK.

# cd /usr/share/Pegasus/samples
# make
# cd /usr/share/Pegasus/samples/lib
[root@biscayne lib]# ll -Z *
-rwxr-xr-x  root root    root:object_r:usr_t    libSDKAssociationProvider.so
-rwxr-xr-x  root root    root:object_r:usr_t    libSDKcmpiCWS_Util.so
-rwxr-xr-x  root root    root:object_r:usr_t    libSDKDisplayConsumer.so
-rwxr-xr-x  root root    root:object_r:usr_t    libSDKFilesAndDirectories.so
-rwxr-xr-x  root root    root:object_r:usr_t    libSDKIndicationProvider.so
-rwxr-xr-x  root root    root:object_r:usr_t    libSDKInstanceProvider.so
-rwxr-xr-x  root root    root:object_r:usr_t    libSDKMethodProvider.so
-rw-r--r--  root pegasus system_u:object_r:usr_t target

A workaround is to manually change the permissions on the library files:

# chcon -u system_u -r object_r -t lib_t lib*
Change component from tog-pegasus to selinux-policy.
I am not sure why these are labeled this way. It does not make sense, but there is a line in policy:

/usr/share(/.*)?/lib(64)?(/.*)?    gen_context(system_u:object_r:usr_t,s0)

I am going to remove this from rawhide to see if it causes problems. If not, I will make this change in the next RHEL5 Update release.
Fixed in selinux-policy-2.4.6-107
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
QE ack for RHEL5.2. Reproducer in comment 0.
I believe your labeling got screwed up somehow. Putting back in on_qa.
This is strange. For the first few attempts to reproduce the bug, it produced AVC denials. But later they "somehow disappeared" and running the test does not produce them anymore (restarting the tog-pegasus service does not change this). The restorecon had no effect on this. There might be some explanation from the tog-pegasus point of view; cc-ing Vitezslav Crhonek.

From the collected AVC messages it looks like cimserver is trying to do execute on libSDKInstanceProvider.so, right?

# rpm -q selinux-policy
selinux-policy-2.4.6-122.el5
# /etc/init.d/tog-pegasus start
Starting up CIM server:                                    [  OK  ]
# make setupSDK
...
+++++ Repository created.
make[1]: Leaving directory `/usr/share/Pegasus/samples/Providers/Load'
make[1]: Entering directory `/usr/share/Pegasus/samples/Providers/Load'
+++++ Registering providers for SDKExamples/DefaultCXX namespace ...
Warning: the instance already exists. In this implementation, that means it cannot be changed.
Warning: the instance already exists. In this implementation, that means it cannot be changed.
Parsing error: parse error: Error adding an instance: CIM_ERR_FAILED: A general error occurred that is not covered by a more specific error code: "A provider is already registered for the specified capability."
make[1]: *** [registerproviders] Error 250
make[1]: Leaving directory `/usr/share/Pegasus/samples/Providers/Load'
make: *** [setupSDK] Error 2
# ausearch -m AVC -sv no -ts recent
<no matches>
# make testSDK
make[1]: Entering directory `/usr/share/Pegasus/samples/Clients'
make[2]: Entering directory `/usr/share/Pegasus/samples/Clients/DefaultC++'
make[3]: Entering directory `/usr/share/Pegasus/samples/Clients/DefaultC++/EnumInstances'
Error: CIM_ERR_FAILED: A general error occurred that is not covered by a more specific error code: "ProviderLoadFailure (/usr/lib64/Pegasus/providers/libSDKInstanceProvider.so:SampleInstanceProvider):Cannot load library, error: /usr/lib64/Pegasus/providers/libSDKInstanceProvider.so: failed to map segment from shared object: Permission denied"
make[3]: *** [testSDK] Error 1
make[3]: Leaving directory `/usr/share/Pegasus/samples/Clients/DefaultC++/EnumInstances'
make[2]: *** [testSDK] Error 2
make[2]: Leaving directory `/usr/share/Pegasus/samples/Clients/DefaultC++'
make[1]: *** [testSDK] Error 2
make[1]: Leaving directory `/usr/share/Pegasus/samples/Clients'
make: *** [testSDK] Error 2
# ausearch -m AVC -sv no -ts recent
----
time->Thu Feb 28 15:48:31 2008
type=SYSCALL msg=audit(1204210111.755:273): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=2067c0 a2=5 a3=802 items=0 ppid=1 pid=11367 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=25 comm="cimserver" exe="/usr/sbin/cimserver" subj=root:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1204210111.755:273): avc: denied { execute } for pid=11367 comm="cimserver" path="/usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so" dev=dm-0 ino=2654599 scontext=root:system_r:pegasus_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file
# ll -Z /usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so
-rwxr-xr-x  root root root:object_r:usr_t    /usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so
# restorecon -R -v /usr/share/Pegasus/

And here comes the strange thing. After a few attempts/time the AVC denials are not produced anymore?! And the test seems to run fine.

# make testSDK
... runs smoothly and with no AVC denials ...
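The AVC and SYSCALL records quoted in the comment above, parsed and classified. This is an added example, not code from the bug report or from tog-pegasus: it joins each AVC record to its SYSCALL record by audit serial, splits the source and target contexts into their type fields, and flags a denied execute on a shared object whose type is not a library type, which is the labeling problem this bug is about rather than a missing policy rule. The third audit record (a write denial) is constructed so the filter has something to reject, and the set of library types is chosen for this example (shlib_t is an alias of lib_t in targeted policy, as the thread later notes).

```python
import re

# Sample input: the two ausearch records quoted in the comment above, plus one
# constructed write denial that the filter should ignore. Embedded inline so the
# example runs offline.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1204210111.755:273): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=2067c0 a2=5 a3=802 items=0 ppid=1 pid=11367 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=25 comm="cimserver" exe="/usr/sbin/cimserver" subj=root:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1204210111.755:273): avc: denied { execute } for pid=11367 comm="cimserver" path="/usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so" dev=dm-0 ino=2654599 scontext=root:system_r:pegasus_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1204210300.000:274): avc: denied { write } for pid=11367 comm="cimserver" name="trace" dev=dm-0 ino=99 scontext=root:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
AVC_RE = re.compile(r"^avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SHARED_OBJECT_RE = re.compile(r"\.so(\.\d+)*$")

# Types a confined daemon is normally allowed to map and execute as a library.
# Assumption for this example; shlib_t is an alias of lib_t in targeted policy.
LIBRARY_TYPES = {"lib_t", "shlib_t", "textrel_shlib_t"}


def _kv(fields):
    """Turn 'k=v k="quoted v"' into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(fields)}


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_audit(text):
    """Parse ausearch-style output into AVC records joined to their SYSCALL record by serial."""
    syscalls, avcs = {}, []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue  # separators such as '----' and 'time->...'
        serial, body = int(m.group("serial")), m.group("body")
        if m.group("type") == "SYSCALL":
            syscalls[serial] = _kv(body)
        elif m.group("type") == "AVC":
            a = AVC_RE.match(body)
            if not a:
                continue
            rec = _kv(a.group("fields"))
            rec.update(
                ts=float(m.group("ts")), serial=serial, result=a.group("result"),
                perms=a.group("perms").split(), pid=int(rec.get("pid", 0)),
                stype=context_type(rec["scontext"]), ttype=context_type(rec["tcontext"]),
            )
            avcs.append(rec)
    for rec in avcs:
        # The SYSCALL record carries the executable; the AVC record only has comm=.
        rec["exe"] = syscalls.get(rec["serial"], {}).get("exe")
    return avcs


def mislabeled_shared_objects(records):
    """Denied execute on a .so whose type is not a library type: a labeling problem, not a policy gap."""
    hits = []
    for r in records:
        if r["result"] != "denied" or r.get("tclass") != "file":
            continue
        path = r.get("path", "")
        if "execute" in r["perms"] and SHARED_OBJECT_RE.search(path) and r["ttype"] not in LIBRARY_TYPES:
            hits.append({"path": path, "domain": r["stype"], "type": r["ttype"], "exe": r["exe"]})
    return hits


def remediation(hit):
    """Commands to compare the on-disk label with policy and reset it from file_contexts."""
    return f"matchpathcon {hit['path']} && restorecon -v {hit['path']}"


if __name__ == "__main__":
    for h in mislabeled_shared_objects(parse_audit(SAMPLE_AUDIT)):
        print(f"{h['domain']} ({h['exe']}) denied execute on {h['path']} labeled {h['type']}")
        print("  " + remediation(h))
```

The join on the audit serial matters when triaging: comm= is the process name the kernel saw, while exe= in the SYSCALL record is the resolved binary, which is what you need to decide whether the source domain is the one you expect for that daemon.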
After you do the restorecon what does the ll -Z show?

ll -Z /usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so
As noted in the previous comment, after running make it shows:

# ll -Z /usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so
-rwxr-xr-x  root root root:object_r:usr_t    /usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so
Fixed in selinux-policy-2.4.6-124
Dan, what should be the correct context on the .so files in the /usr/share/Pegasus/samples/lib/ directory? There are two file contexts, defined in the targeted version of the file_contexts file, that could match these files (in this order):

/usr/(.*/)?lib(/.*)?           system_u:object_r:lib_t:s0
...
/usr/(.*/)?lib/.+\.so     --   system_u:object_r:shlib_t:s0

The files are being labeled with type lib_t. And when I try to manually change the context to shlib_t it shows a message about the change, but nothing happens. Are there any restrictions I'm missing here? I thought the file should get the last context found in the file_contexts file.

Here is what happens when I try to change the context manually:

# chcon -Rcv -t shlib_t lib/
context of lib/ changed to system_u:object_r:shlib_t
context of lib//libSDKFilesAndDirectories.so changed to root:object_r:shlib_t
context of lib//libSDKAssociationProvider.so changed to root:object_r:shlib_t
context of lib//libSDKIndicationProvider.so changed to root:object_r:shlib_t
context of lib//libSDKcmpiCWS_Util.so changed to root:object_r:shlib_t
context of lib//libSDKDisplayConsumer.so changed to root:object_r:shlib_t
context of lib//libSDKMethodProvider.so changed to root:object_r:shlib_t
context of lib//libSDKInstanceProvider.so changed to root:object_r:shlib_t
context of lib//target changed to system_u:object_r:shlib_t
# ll -Zd lib/
drwxr-xr-x  root pegasus system_u:object_r:lib_t    lib/
[root@rasputin samples]# ll -Z lib/
-rwxr-xr-x  root root    root:object_r:lib_t    libSDKAssociationProvider.so
-rwxr-xr-x  root root    root:object_r:lib_t    libSDKcmpiCWS_Util.so
-rwxr-xr-x  root root    root:object_r:lib_t    libSDKDisplayConsumer.so
-rwxr-xr-x  root root    root:object_r:lib_t    libSDKFilesAndDirectories.so
-rwxr-xr-x  root root    root:object_r:lib_t    libSDKIndicationProvider.so
-rwxr-xr-x  root root    root:object_r:lib_t    libSDKInstanceProvider.so
-rwxr-xr-x  root root    root:object_r:lib_t    libSDKMethodProvider.so
-rw-r--r--  root pegasus system_u:object_r:lib_t target
# rpm -q selinux-policy
selinux-policy-2.4.6-125.el5

And I almost forgot to mention that running the SDK samples does not give AVC denials any more.
shlib_t == lib_t in targeted policy. They are aliases for each other.
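The two questions in the exchange above (which file_contexts entry wins for the sample .so files, and why chcon -t shlib_t leaves the files showing lib_t) worked through in code. This is an added example, not code from the bug report, from libselinux or from the policy package: it parses a constructed file_contexts excerpt in the real format (pattern, optional file-type code such as `--`, context), anchors each pattern at both ends and takes the last matching entry as libselinux does, and then resolves the shlib_t alias to lib_t the way the kernel canonicalizes a context when it is set. The two /usr/(.*/)?lib patterns are the ones quoted in the question; the /usr/share.../lib pattern is the one the maintainer removed earlier in the thread. Their relative order in the excerpt is an assumption made for the demonstration, as is the alias table.

```python
import re
import stat

# Constructed file_contexts excerpt. Pattern, optional file-type code, context.
# ORDER IS AN ASSUMPTION for this demonstration, not copied from a shipped file.
FILE_CONTEXTS_BEFORE = r"""
/usr/(.*/)?lib(/.*)?              system_u:object_r:lib_t:s0
/usr/(.*/)?lib/.+\.so         --  system_u:object_r:shlib_t:s0
/usr/share(/.*)?/lib(64)?(/.*)?   system_u:object_r:usr_t:s0
"""
# The fixed policy, per the maintainer's comment: the usr_t line is gone.
FILE_CONTEXTS_AFTER = "\n".join(l for l in FILE_CONTEXTS_BEFORE.splitlines() if "usr_t" not in l)

# Targeted policy declares shlib_t as an alias of lib_t (per the reply above). The
# kernel stores the primary type, so chcon -t shlib_t ends up displayed as lib_t.
# Constructed alias table for this example.
TYPE_ALIASES = {"shlib_t": "lib_t"}

# file_contexts file-type codes -> stat predicate. No code means "any file type".
FILE_TYPE_CODES = {
    "--": stat.S_ISREG, "-d": stat.S_ISDIR, "-l": stat.S_ISLNK, "-c": stat.S_ISCHR,
    "-b": stat.S_ISBLK, "-p": stat.S_ISFIFO, "-s": stat.S_ISSOCK,
}


def parse_file_contexts(text):
    """Return [(compiled_regex, file_type_code_or_None, context_or_None)] in file order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        spec, ctx = parts[0], parts[-1]
        ftype = parts[1] if len(parts) == 3 else None
        # libselinux anchors every pattern at both ends before compiling it.
        entries.append((re.compile("^" + spec + "$"), ftype, None if ctx == "<<none>>" else ctx))
    return entries


def match_context(entries, path, is_dir=False):
    """Last matching entry wins, honouring the file-type restriction, as libselinux does."""
    mode = stat.S_IFDIR if is_dir else stat.S_IFREG
    for regex, ftype, ctx in reversed(entries):
        if ftype and not FILE_TYPE_CODES[ftype](mode):
            continue
        if regex.match(path):
            return ctx
    return None


def canonical_type(ctx):
    """Resolve a type alias to its primary type, as the kernel does when a context is set."""
    user, role, typ, *rest = ctx.split(":")
    return ":".join([user, role, TYPE_ALIASES.get(typ, typ), *rest])


def label_for(text, path, is_dir=False):
    """What ls -Z would show for path after restorecon against the given file_contexts."""
    ctx = match_context(parse_file_contexts(text), path, is_dir)
    return canonical_type(ctx) if ctx else None


if __name__ == "__main__":
    so = "/usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so"
    print("before fix:", label_for(FILE_CONTEXTS_BEFORE, so))   # usr_t, the denied label
    print("after fix: ", label_for(FILE_CONTEXTS_AFTER, so))    # shlib_t, shown as lib_t
    print("directory: ", label_for(FILE_CONTEXTS_AFTER, "/usr/share/Pegasus/samples/lib", is_dir=True))
```

Both observations in the thread fall out of the two rules. With the usr_t line last, it is the last match for the sample library and the file is labeled usr_t, which pegasus_t may not execute. Once that line is gone, the `--` shlib_t entry is the last match for a regular .so file and the directory falls through to lib_t; since shlib_t is an alias, both display as lib_t, so chcon reporting a change to shlib_t while ls -Z still shows lib_t is the expected outcome rather than a failed relabel.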
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0465.html