Bug 288771 - SELinux "denied access" error attempting to execute SDK samples.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.1
Hardware/OS: All Linux
Priority: medium  Severity: medium
Target Milestone: rc
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-09-13 01:50 EDT by Denise Eckstein
Modified: 2012-10-16 04:17 EDT
Fixed In Version: RHBA-2008-0465
Doc Type: Bug Fix
Last Closed: 2008-05-21 12:05:37 EDT
Attachments: None

Description Denise Eckstein 2007-09-13 01:50:25 EDT
Description of problem:
SELinux "denied access" error attempting to execute SDK samples.

Sep 13 01:06:16 biscayne setroubleshoot:      SELinux is preventing /usr/sbin/cimserver (pegasus_t) "execute" access to /usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so (usr_t).For complete SELinux messages. run sealert -l b10b6f7c-cc13-41e7-a3a4-08e4a9e8fffe

Version-Release number of selected component (if applicable):
tog-pegasus-devel-2.6.1-2.el5

How reproducible:
Consistently

Steps to Reproduce:
1. cd /usr/share/Pegasus/samples
2. make
3. make setupSDK
4. make testSDK

Actual results:

make[1]: Entering directory `/usr/share/Pegasus/samples/Clients'
make[2]: Entering directory `/usr/share/Pegasus/samples/Clients/DefaultC++'
make[3]: Entering directory `/usr/share/Pegasus/samples/Clients/DefaultC++/EnumInstances'
Error: CIM_ERR_FAILED: A general error occurred that is not covered by a more specific error code: "ProviderLoadFailure (/usr/lib/Pegasus/providers/libSDKInstanceProvider.so:SampleInstanceProvider):Cannot load library, error: /usr/lib/Pegasus/providers/libSDKInstanceProvider.so: failed to map segment from shared object: Permission denied"
make[3]: *** [testSDK] Error 1
make[3]: Leaving directory `/usr/share/Pegasus/samples/Clients/DefaultC++/EnumInstances'
make[2]: *** [testSDK] Error 2
make[2]: Leaving directory `/usr/share/Pegasus/samples/Clients/DefaultC++'
make[1]: *** [testSDK] Error 2
make[1]: Leaving directory `/usr/share/Pegasus/samples/Clients'
make: *** [testSDK] Error 2


Expected results:

[root@biscayne samples]# make testSDK
make[1]: Entering directory `/usr/share/Pegasus/samples/Clients'
make[2]: Entering directory `/usr/share/Pegasus/samples/Clients/DefaultC++'
make[3]: Entering directory `/usr/share/Pegasus/samples/Clients/DefaultC++/EnumInstances'
Total Number of Instances: 3
make[3]: Leaving directory `/usr/share/Pegasus/samples/Clients/DefaultC++/EnumInstances'
make[3]: Entering directory `/usr/share/Pegasus/samples/Clients/DefaultC++/InvokeMethod'
Output : Hello
make[3]: Leaving directory `/usr/share/Pegasus/samples/Clients/DefaultC++/InvokeMethod'
make[3]: Entering directory `/usr/share/Pegasus/samples/Clients/DefaultC++/SendTestIndications'
Successfully sent test indications
make[3]: Leaving directory `/usr/share/Pegasus/samples/Clients/DefaultC++/SendTestIndications'
make[3]: Entering directory `/usr/share/Pegasus/samples/Clients/DefaultC++/Associations'
+++++ Test Sample Association Provider

+++++ Test associators

+++++ Test associatorNames

+++++ Test references

+++++ Test referenceNames

+++++ Test association class operations

+++++ passed all tests

Additional info:

The following Providers are built as examples in the SDK.

# cd /usr/share/Pegasus/samples
# make

# cd /usr/share/Pegasus/samples/lib
[root@biscayne lib]# ll -Z *
-rwxr-xr-x  root root    root:object_r:usr_t              libSDKAssociationProvider.so
-rwxr-xr-x  root root    root:object_r:usr_t              libSDKcmpiCWS_Util.so
-rwxr-xr-x  root root    root:object_r:usr_t              libSDKDisplayConsumer.so
-rwxr-xr-x  root root    root:object_r:usr_t              libSDKFilesAndDirectories.so
-rwxr-xr-x  root root    root:object_r:usr_t              libSDKIndicationProvider.so
-rwxr-xr-x  root root    root:object_r:usr_t              libSDKInstanceProvider.so
-rwxr-xr-x  root root    root:object_r:usr_t              libSDKMethodProvider.so
-rw-r--r--  root pegasus system_u:object_r:usr_t          target

A workaround is to manually change the permissions on the library files.

# chcon -u system_u -r object_r -t lib_t lib*
Comment 1 Vitezslav Crhonek 2007-09-25 06:56:07 EDT
Change component from tog-pegasus to selinux-policy.
Comment 2 Daniel Walsh 2007-09-25 09:02:40 EDT
I am not sure why these are labeled this way.  It does not make sense, but there is a line in policy:

/usr/share(/.*)?/lib(64)?(/.*)?	gen_context(system_u:object_r:usr_t,s0)

I am going to remove this from rawhide to see if it causes problems.  If not I
will make this change in the next RHEL5 Update release.
Comment 3 Daniel Walsh 2007-10-09 16:48:54 EDT
Fixed in selinux-policy-2.4.6-107
Comment 4 RHEL Product and Program Management 2007-10-15 23:39:58 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 5 Jay Turner 2007-11-30 02:32:09 EST
QE ack for RHEL5.2.  Reproducer in comment 0.
Comment 9 Daniel Walsh 2008-02-22 09:26:14 EST
I believe your labeling got screwed up somehow; putting back in on_qa.
Comment 10 Eduard Benes 2008-02-28 10:31:28 EST
This is strange. For the first few attempts to reproduce the bug, it produced AVC denials. But later they "somehow disappeared" and running the test does not produce them anymore (restarting the tog-pegasus service makes no change). The restorecon had no effect on this. There might be some explanation from the tog-pegasus point of view, cc-ing Vitezslav Crhonek. From the collected AVC messages it looks like cimserver is trying to do execute on libSDKInstanceProvider.so, right?

# rpm -q selinux-policy
selinux-policy-2.4.6-122.el5
# /etc/init.d/tog-pegasus start
Starting up CIM server:                                    [  OK  ]
# make setupSDK
...
+++++ Repository created.
make[1]: Leaving directory `/usr/share/Pegasus/samples/Providers/Load'
make[1]: Entering directory `/usr/share/Pegasus/samples/Providers/Load'
+++++ Registering providers for SDKExamples/DefaultCXX namespace  ...
Warning: the instance already exists.
In this implementation, that means it cannot be changed.
Warning: the instance already exists.
In this implementation, that means it cannot be changed.
Parsing error: parse error: Error adding an instance: CIM_ERR_FAILED: A general error occurred that is not covered by a more specific error code: "A provider is already registered for the specified capability."
make[1]: *** [registerproviders] Error 250
make[1]: Leaving directory `/usr/share/Pegasus/samples/Providers/Load'
make: *** [setupSDK] Error 2

# ausearch -m AVC -sv no -ts recent
<no matches>

# make testSDK
make[1]: Entering directory `/usr/share/Pegasus/samples/Clients'
make[2]: Entering directory `/usr/share/Pegasus/samples/Clients/DefaultC++'
make[3]: Entering directory `/usr/share/Pegasus/samples/Clients/DefaultC++/EnumInstances'
Error: CIM_ERR_FAILED: A general error occurred that is not covered by a more specific error code: "ProviderLoadFailure (/usr/lib64/Pegasus/providers/libSDKInstanceProvider.so:SampleInstanceProvider):Cannot load library, error: /usr/lib64/Pegasus/providers/libSDKInstanceProvider.so: failed to map segment from shared object: Permission denied"
make[3]: *** [testSDK] Error 1
make[3]: Leaving directory `/usr/share/Pegasus/samples/Clients/DefaultC++/EnumInstances'
make[2]: *** [testSDK] Error 2
make[2]: Leaving directory `/usr/share/Pegasus/samples/Clients/DefaultC++'
make[1]: *** [testSDK] Error 2
make[1]: Leaving directory `/usr/share/Pegasus/samples/Clients'
make: *** [testSDK] Error 2

# ausearch -m AVC -sv no -ts recent
----
time->Thu Feb 28 15:48:31 2008
type=SYSCALL msg=audit(1204210111.755:273): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=2067c0 a2=5 a3=802 items=0 ppid=1 pid=11367 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=25 comm="cimserver" exe="/usr/sbin/cimserver" subj=root:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1204210111.755:273): avc:  denied  { execute } for  pid=11367 comm="cimserver" path="/usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so" dev=dm-0 ino=2654599 scontext=root:system_r:pegasus_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file

# ll -Z /usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so
-rwxr-xr-x  root root root:object_r:usr_t              /usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so

# restorecon -R -v /usr/share/Pegasus/

And here comes the strange thing. After a few attempts/time the AVC denials are not produced anymore?! And the test seems to run fine.

# make testSDK
... runs smoothly and with no avc denials ...
Comment 11 Daniel Walsh 2008-02-28 12:52:08 EST
After you do the restorecon what does the ll -Z show?

ll -Z /usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so
Comment 12 Eduard Benes 2008-02-28 15:34:42 EST
As noted in the previous comment, after running make it shows:

# ll -Z /usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so
-rwxr-xr-x  root root root:object_r:usr_t              /usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so
Comment 13 Daniel Walsh 2008-03-04 16:53:02 EST
Fixed in selinux-policy-2.4.6-124
Comment 15 Eduard Benes 2008-03-17 11:51:15 EDT
Dan, what should be the correct context on the .so files in the /usr/share/Pegasus/samples/lib/ directory?
There are two file contexts, defined in the targeted version of the file_contexts file, that could match these files (in this order):

/usr/(.*/)?lib(/.*)?    system_u:object_r:lib_t:s0
...
/usr/(.*/)?lib/.+\.so   --      system_u:object_r:shlib_t:s0

The files are being labeled with type lib_t. And when I try to manually change the context to shlib_t it shows a message about the change, but nothing happens. Are there any restrictions I'm missing here? I thought the file should get the last context found in the file_contexts file.

Here is what happens when I try to change the context manually: 

# chcon -Rcv -t shlib_t lib/
context of lib/ changed to system_u:object_r:shlib_t
context of lib//libSDKFilesAndDirectories.so changed to root:object_r:shlib_t
context of lib//libSDKAssociationProvider.so changed to root:object_r:shlib_t
context of lib//libSDKIndicationProvider.so changed to root:object_r:shlib_t
context of lib//libSDKcmpiCWS_Util.so changed to root:object_r:shlib_t
context of lib//libSDKDisplayConsumer.so changed to root:object_r:shlib_t
context of lib//libSDKMethodProvider.so changed to root:object_r:shlib_t
context of lib//libSDKInstanceProvider.so changed to root:object_r:shlib_t
context of lib//target changed to system_u:object_r:shlib_t

# ll -Zd lib/
drwxr-xr-x  root pegasus system_u:object_r:lib_t          lib/
[root@rasputin samples]# ll -Z lib/
-rwxr-xr-x  root root    root:object_r:lib_t              libSDKAssociationProvider.so
-rwxr-xr-x  root root    root:object_r:lib_t              libSDKcmpiCWS_Util.so
-rwxr-xr-x  root root    root:object_r:lib_t              libSDKDisplayConsumer.so
-rwxr-xr-x  root root    root:object_r:lib_t              libSDKFilesAndDirectories.so
-rwxr-xr-x  root root    root:object_r:lib_t              libSDKIndicationProvider.so
-rwxr-xr-x  root root    root:object_r:lib_t              libSDKInstanceProvider.so
-rwxr-xr-x  root root    root:object_r:lib_t              libSDKMethodProvider.so
-rw-r--r--  root pegasus system_u:object_r:lib_t          target

# rpm -q selinux-policy
selinux-policy-2.4.6-125.el5

And almost forgot to mention that running the SDK samples does not give AVC denials any more.
Comment 16 Daniel Walsh 2008-03-17 15:25:11 EDT
shlib_t == lib_t in targeted policy.

They are aliases for each other.
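The three comments above (10, 15 and 16) between them describe how a denial like this is triaged: read the AVC record to see which type the file actually carries, work out which file_contexts entry the policy says should apply (the last matching entry wins, and entries with a `--` column apply to regular files only), and fold type aliases such as shlib_t/lib_t before comparing. The script below is an added example written for this page; it is not code from the bug report, from selinux-policy or from libselinux. The AVC line is the one quoted in comment 10, re-joined onto one line; the file_contexts fragments use the three patterns quoted in comments 2 and 15, but their relative order (with the usr_t entry sorting last in the "buggy" variant) and the alias table are assumptions made for the illustration. The point it makes is a defender's one: if the actual type already equals what file_contexts yields, restorecon cannot help and the policy itself needs the fix (what comment 2 did); if they differ, the file is simply mislabeled and restorecon will correct it.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the AVC record from comment 10, re-joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1204210111.755:273): avc:  denied  { execute } for  '
    'pid=11367 comm="cimserver" '
    'path="/usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so" dev=dm-0 ino=2654599 '
    'scontext=root:system_r:pegasus_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file'
)

# Constructed file_contexts fragments. The patterns are the ones quoted in
# comments 2 and 15 (the comment-2 line is written in its compiled form here).
# Their relative order, and the usr_t entry sorting last in the buggy variant,
# is an assumption for this illustration, not something the bug report states.
FILE_CONTEXTS_FIXED = r"""
/usr/(.*/)?lib(/.*)?                 system_u:object_r:lib_t:s0
/usr/(.*/)?lib/.+\.so           --   system_u:object_r:shlib_t:s0
"""
FILE_CONTEXTS_BUGGY = FILE_CONTEXTS_FIXED + r"""
/usr/share(/.*)?/lib(64)?(/.*)?      system_u:object_r:usr_t:s0
"""

# Assumed alias table: comment 16 says shlib_t is an alias of lib_t in
# targeted policy. A real tool would query the loaded policy instead.
TYPE_ALIASES = {"shlib_t": "lib_t"}

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
PATH_RE = re.compile(r'path="(?P<path>[^"]+)"')


def parse_avc(line):
    """Extract result, permissions, contexts, class and path from one AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    p = PATH_RE.search(line)
    rec["path"] = p.group("path") if p else None
    return rec


@dataclass
class Spec:
    regex: re.Pattern
    ftype: Optional[str]    # None = any object; "--" = regular file, "-d" = directory, ...
    context: Optional[str]  # None stands for <<none>>


def parse_file_contexts(text):
    """Parse file_contexts lines of the form: REGEX [FTYPE] CONTEXT ('#' starts a comment)."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, ftype, ctx = fields[0], None, fields[1]
        elif len(fields) == 3:
            regex, ftype, ctx = fields
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        specs.append(Spec(re.compile(regex), ftype, None if ctx == "<<none>>" else ctx))
    return specs


def match_context(specs, path, ftype="--"):
    """libselinux semantics: every regex is anchored to the whole path and the
    LAST matching entry in file order wins, so the list is scanned in reverse."""
    for spec in reversed(specs):
        if spec.ftype is not None and spec.ftype != ftype:
            continue
        if spec.regex.fullmatch(path):
            return spec.context
    return None


def canonical_type(context):
    """Type field of a security context, with policy aliases folded (shlib_t -> lib_t)."""
    t = context.split(":")[2]
    return TYPE_ALIASES.get(t, t)


def diagnose(avc_line, file_contexts_text):
    """Distinguish 'file is mislabeled, restorecon fixes it' from
    'label already matches file_contexts, so the policy itself is wrong'."""
    avc = parse_avc(avc_line)
    if avc is None or avc["tclass"] != "file" or avc["path"] is None:
        return None
    expected_ctx = match_context(parse_file_contexts(file_contexts_text), avc["path"])
    actual = canonical_type(avc["tcontext"])
    expected = canonical_type(expected_ctx) if expected_ctx else None
    return {
        "path": avc["path"],
        "source_type": canonical_type(avc["scontext"]),
        "denied": avc["perms"],
        "actual_type": actual,
        "expected_type": expected,
        "mislabeled": expected is not None and actual != expected,
    }


if __name__ == "__main__":
    for name, fc in (("buggy policy", FILE_CONTEXTS_BUGGY), ("fixed policy", FILE_CONTEXTS_FIXED)):
        print(name, diagnose(SAMPLE_AVC, fc))
```

Run as-is it prints two diagnoses for the same AVC record: under the buggy file_contexts the file's usr_t label is exactly what policy prescribes, so `mislabeled` is False and only a policy update helps; under the fixed file_contexts the expected type resolves to lib_t (via the shlib_t alias) and `mislabeled` is True, which is the case restorecon repairs. The alias folding is also why comment 15's `chcon -t shlib_t` reported a change yet `ll -Z` kept showing lib_t.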
Comment 19 errata-xmlrpc 2008-05-21 12:05:37 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html
