Bug 437668 - SELinux is preventing /usr/sbin/prelink (prelink_t) "read" on mail (httpd_sys_content_t).
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 7
Hardware: All Linux
Priority: low Severity: medium
Assigned To: Josef Kubin
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-03-15 21:30 EDT by Mukund R.
Modified: 2008-04-01 11:35 EDT
Last Closed: 2008-04-01 11:35:38 EDT
Description Mukund R. 2008-03-15 21:30:20 EDT
Description of problem:
SELinux is preventing /usr/sbin/prelink (prelink_t) "read" on mail
(httpd_sys_content_t).

Version-Release number of selected component (if applicable):
fedora 7

How reproducible:
You get the error message on the SELinux troubleshooter and it suggests that you
change labeling of the file. "You can alter the file context by executing chcon
-t bin_t mail or chcon -t lib_t mail if it is a shared library. If you want to
make these changes permanant you must execute the semanage command. semanage
fcontext -a -t bin_t mail or semanage fcontext -a -t shlib_t mail. "


Steps to Reproduce:
1.
2.
3.
  
Actual results:

Even after you label the files using either semanage or chcon, the error keeps
occurring.

Expected results:

After executing the suggested command, this error should go away.  Again, why is
mail marked as httpd_sys_content_t, shouldn't it be bin_t?   mail is present in
/sbin/mail.

Additional info:
Comment 1 Josef Kubin 2008-03-27 05:53:06 EDT
You probably have a serious problem with labels, try:
# fixfiles relabel
OR
# touch /.autorelabel; reboot 

Even the location of your /sbin/mail is strange ...

On my box, mail has the following context and location:
# ls -Z /bin/mail 
-rwxr-xr-x  root mail system_u:object_r:bin_t          /bin/mail
Comment 2 Mukund R. 2008-03-27 09:52:37 EDT
I did a touch /.autorelabel; reboot as suggested and I still have the same
information being displayed for ls -Z /bin/mail.

One point to note is that I use postfix and not sendmail as the MTA.  Does that
make a difference?

I also use trac for issue tracking, (I used to have bugzilla setup, but don't
use it anymore).  Apart from that, my Apache instance only runs my personal
applications.

Is there any other information I can provide?
Comment 3 Josef Kubin 2008-03-27 10:23:19 EDT
The httpd_sys_content_t is actually part of
/etc/selinux/targeted/contexts/customizable_types
- therefore `touch /.autorelabel; reboot` didn't help ...

Try to change context to the right context by hand:
# chcon system_u:object_r:bin_t /bin/mail
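
Added example, not part of the original thread: a shell sketch of the check behind Comment 3, which reports whether a default relabel would leave a mislabeled file alone because its current type is in customizable_types. The function names and the sample list are constructed for illustration; `audit_path` assumes GNU `stat` and `matchpathcon` are installed, and `restorecon -F` is the policycoreutils option that forces a reset of customizable types.

```shell
#!/bin/sh
# Added example: would a default relabel reset this file's SELinux type?
# All function names here are hypothetical helpers, not part of any tool.

# Print the type (third field) of a user:role:type[:range] context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# is_customizable TYPE LISTFILE: succeed if TYPE is a whole line of LISTFILE.
is_customizable() {
    grep -qxF -- "$1" "$2"
}

# relabel_verdict CURRENT_CONTEXT EXPECTED_CONTEXT LISTFILE
#   ok      - type already matches the policy default
#   reset   - a default relabel would restore the expected type
#   skipped - current type is customizable, so a default relabel keeps it;
#             fix with chcon or force it with restorecon -F
relabel_verdict() {
    cur=$(context_type "$1")
    exp=$(context_type "$2")
    if [ "$cur" = "$exp" ]; then
        echo "ok"
    elif is_customizable "$cur" "$3"; then
        echo "skipped"
    else
        echo "reset"
    fi
}

# Live check on an SELinux host (assumes GNU stat and matchpathcon exist).
audit_path() {
    list=${2:-/etc/selinux/targeted/contexts/customizable_types}
    relabel_verdict "$(stat -c %C "$1")" "$(matchpathcon -n "$1")" "$list"
}

# Constructed sample list so the example runs offline; the real file is
# /etc/selinux/targeted/contexts/customizable_types.
SAMPLE_TYPES=$(mktemp)
cat > "$SAMPLE_TYPES" <<'EOF'
httpd_sys_content_t
example_custom_t
EOF

# The situation from this bug: /bin/mail carries httpd_sys_content_t
# while the expected type is bin_t.
relabel_verdict system_u:object_r:httpd_sys_content_t \
                system_u:object_r:bin_t "$SAMPLE_TYPES"
```

On a real host, `audit_path /bin/mail` applies the same check to the live label and the policy default.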
Comment 4 Mukund R. 2008-03-30 22:45:44 EDT
# ls -Z /bin/mail
-rwxr-xr-x  root mail system_u:object_r:httpd_sys_content_t /bin/mail
# # chcon system_u:object_r:bin_t /bin/mail
# ls -Z /bin/mail
-rwxr-xr-x  root mail system_u:object_r:httpd_sys_content_t /bin/mail
# 

I ended up doing the following to resolve my problem.

# cp /bin/mail /bin/mail.new
# ls -Z /bin/mail.new
-rwxr-xr-x  root root user_u:object_r:bin_t            /bin/mail.new
# rm /bin/mail
rm: remove regular file `/bin/mail'? y
mv /bin/mail.new /bin/mail
# ls -Z /bin/mail
-rwxr-xr-x  root root user_u:object_r:bin_t            /bin/mail

I still don't understand why the original file was being stubborn and refused to
work with chcon.   

Comment 5 Josef Kubin 2008-04-01 11:35:38 EDT
Maybe you should have switched to permissive mode ...
