Bug 462581 - SELinux is preventing f771 from loading /usr/libexec/gcc/ia64-redhat-linux/3.4.6/f771 which requires text relocation
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: compat-gcc-34
Version: 5.2
Hardware: ia64 Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Jakub Jelinek
QA Contact: BaseOS QE
Duplicates: 465521 638848

Reported: 2008-09-17 06:31 EDT by Milos Malik
Modified: 2013-04-12 15:53 EDT

Fixed In Version: compat-gcc-34-3.4.6-4.1
Doc Type: Bug Fix
Doc Text:
Previously, the compatibility C, C++ and Fortran 77 compilers generated binaries that required text relocations on the IA-64 architecture, which SELinux policies disallow by default. With this update, the compatibility C, C++ and Fortran 77 compilers no longer generate such binaries.
Last Closed: 2010-10-13 10:02:16 EDT
Attachments
output of sealert (3.33 KB, text/plain), 2008-09-17 06:32 EDT, Milos Malik
bind - TPS rebuild test log file (12.20 KB, text/plain), 2009-01-07 03:04 EST, David Kovalsky

Description Milos Malik 2008-09-17 06:31:47 EDT
Description of problem:
During building of binary packages from libgcrypt-1.2.4-1.el5.src.rpm I saw AVCs in /var/log/audit/audit.log. Please see the attachment.

It's interesting that the same build passed without AVCs on other platforms. Just ia64 seems to have problems with it.

Version-Release number of selected component (if applicable):
selinux-policy-mls-2.4.6-137.1.el5_2.noarch
selinux-policy-targeted-2.4.6-137.1.el5_2.noarch
selinux-policy-2.4.6-137.1.el5_2.noarch
selinux-policy-devel-2.4.6-137.1.el5_2.noarch
selinux-policy-strict-2.4.6-137.1.el5_2.noarch

How reproducible:
Always

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Upgrading selinux-policy to following packages did NOT help:

selinux-policy-2.4.6-154.el5.noarch
selinux-policy-strict-2.4.6-154.el5.noarch
selinux-policy-devel-2.4.6-154.el5.noarch
selinux-policy-targeted-2.4.6-154.el5.noarch
selinux-policy-mls-2.4.6-154.el5.noarch
Comment 1 Milos Malik 2008-09-17 06:32:45 EDT
Created attachment 316934
output of sealert
Comment 2 Daniel Walsh 2008-09-18 16:33:25 EDT
Uli what is this file?
Comment 3 Ulrich Drepper 2008-09-18 22:35:51 EDT
(In reply to comment #2)
> Uli what is this file?

That's the Fortran compiler.  No idea whether this is really what we ship.  Jakub can find out.
Comment 4 Petr Šplíchal 2008-10-03 11:12:40 EDT
I've encountered similar AVC denial when rebuilding authconfig package:
http://nest.test.redhat.com/mnt/qa/scratch/ia64-5s-2-m1/2009:8103/tps/tps-srpmtest.log
Comment 5 Jakub Jelinek 2008-10-04 05:32:18 EDT
*** Bug 465521 has been marked as a duplicate of this bug. ***
Comment 7 Karel Volný 2008-10-21 08:02:55 EDT
nfs-utils affected too:

http://nest.test.redhat.com/mnt/qa/scratch/ia64-5s-m1/2009:8187/tps/tps-srpmtest.html
Comment 9 David Kovalsky 2009-01-07 03:03:25 EST
Bind is also bitten by the issue:
http://nest.test.redhat.com/mnt/qa/scratch/ia64-5s-m1/2009:8076/tps/tps.html
Comment 10 David Kovalsky 2009-01-07 03:04:49 EST
Created attachment 328353
bind - TPS rebuild test log file
Comment 12 RHEL Product and Program Management 2009-03-26 13:22:32 EDT
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".
Comment 13 Petr Šplíchal 2009-05-06 08:05:57 EDT
Another hit by authconfig:
http://nest.test.redhat.com/mnt/qa/scratch/ia64-5s-m1/2009:8455/tps/tps-srpmtest.html
Comment 26 Jakub Jelinek 2010-09-22 11:26:02 EDT
This is upstream PR26090 apparently, GCC older than 4.1 was creating DT_TEXTREL binaries in many cases, and RHEL5 SELinux policy disallows them by default.
With the backported patch the number of FAILs in the compat-gcc-34 testsuite went down a lot:
sed -n '/===TESTING===/,/===TESTING END===/{/^FAIL/p}' compat-gcc-34.log | wc -l
2709
sed -n '/===TESTING===/,/===TESTING END===/{/^FAIL/p}' compat-gcc-34.log2 | wc -l
19
When compat-gcc-34-3.4.6-4 was built, I guess either the policy still didn't have that requirement, or at least the build boxes were using RHEL4 SELinux policy and allowed it.
Comment 29 Jakub Jelinek 2010-09-30 03:07:36 EDT
*** Bug 638848 has been marked as a duplicate of this bug. ***
Comment 31 errata-xmlrpc 2010-10-13 10:02:16 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0766.html
Comment 32 Florian Nadge 2010-10-18 12:20:50 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Previously, the compatibility C, C++ and Fortran 77 compilers generated binaries that required text relocations on the IA-64 architecture, which SELinux policies disallow by default. With this update, the compatibility C, C++ and Fortran 77 compilers no longer generate such binaries.
