Red Hat Bugzilla – Bug 471218
tanukiwrapper generates execmod AVC denial
Last modified: 2009-01-22 11:30:30 EST
Description of problem: When starting Spacewalk 0.3, an execmod AVC denial is logged: type=AVC msg=audit(1226431153.819:93): avc: denied { execmod } for pid=3364 comm="java" path="/usr/lib/libwrapper.so" dev=dm-0 ino=883661 scontext=root:system_r:java_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file Version-Release number of selected component (if applicable): Spacewalk 0.3 with tanukiwrapper-3.2.1-2jpp.ep1.1.el5. How reproducible: Deterministic. Steps to Reproduce: 1. eu-findtextrel /usr/lib/libwrapper.so Actual results: the file containing the function 'Java_org_tanukisoftware_wrapper_WrapperManager_nativeGetUser' is not compiled with -fpic/-fPIC the file containing the function 'Java_org_tanukisoftware_wrapper_WrapperManager_nativeGetInteractiveUser' is not compiled with -fpic/-fPIC the file containing the function 'Java_org_tanukisoftware_wrapper_WrapperManager_nativeSetConsoleTitle' is not compiled with -fpic/-fPIC the file containing the function 'Java_org_tanukisoftware_wrapper_WrapperManager_nativeRequestThreadDump' is not compiled with -fpic/-fPIC the file containing the function 'Java_org_tanukisoftware_wrapper_WrapperManager_nativeInit' is not compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function 'Java_org_tanukisoftware_wrapper_WrapperManager_nativeGetJavaPID' is not compiled with -fpic/-fPIC the file containing the function 'handleInterrupt' is not compiled with -fpic/-fPIC the file containing the function 'handleTermination' is not compiled with -fpic/-fPIC the file containing the function 'wrapperJNIHandleSignal' is not compiled with -fpic/-fPIC the file containing the function 'Java_org_tanukisoftware_wrapper_WrapperManager_nativeGetControlEvent' is not compiled with -fpic/-fPIC the file containing the function 'Java_org_tanukisoftware_wrapper_WrapperManager_nativeGetLibraryVersion' is not compiled with -fpic/-fPIC the file containing the function 'getLastErrorText' is not compiled with -fpic/-fPIC Expected results: eu-findtextrel: no text relocations reported in '/usr/lib/libwrapper.so' Additional info: The strange thing is that tanukiwrapper-3.1.2-4jpp_3rhn.2.el5 (which we shipped with Satellite 5.2.0) does not have the problem, and starting Spacewalk 0.3 with tanukiwrapper downgraded to 3.1.2 does not generate the AVC denial. I've compared the build.logs and did not find any reason why the results should differ -- there is -fPIC there in both cases.
Jesus says: jmrodri adelton, one thing that is different is the makefile patches for tanukiwrapper jmrodri adelton, 3.2.1 has this for the compile jmrodri $(COMPILE) -pthread $(wrapper_SOURCE) -o $(BIN)/wrapper -lm jmrodri while 3.1.2 has this jmrodri $(COMPILE) -lm $(wrapper_SOURCE) -o $(BIN)/wrapper jmrodri diff is -pthread
3.1.2 rpm also patch the %.o: %.c section of the Makefile.linux 3.1.2 orig $(COMPILE) $(DEFS) -Wp,-MD,.deps/$(*F).pp -c $< 3.1.2 patch $(COMPILE) $(DEFS) -fPIC -Wp,-MD,.deps/$(*F).pp -c $< 3.2.1 orig $(COMPILE) $(DEFS) -Wp,-MD,.deps/$(*F).pp -c $< I'm not sure if -fPIC makes a difference here or not.
adelton jmrodri: It's the pthread which seems to be the difference. adelton jmrodri: Yes, at least if my vi and /fPIC do not lie. jmrodri adelton, the odd part is the 3.1.2 has 2 fPIC one for libwrapper.so: $(libwrapper_so_OBJECTS) jmrodri adn another one in %.o: %.c jmrodri while the 3.2.1 only has it in libwrapper.so: $(libwrapper_so_OBJECTS) adelton jmrodri: Nod. But I do not see it in the build.log. jmrodri adelton, agreed I don't see it in build.log either.
It looks like Dennis built / imported # rpm -q tanukiwrapper tanukiwrapper-3.1.2-4jpp_3rhn.2.el5 on 2008-11-09 to koji which fixes the problem as well: # eu-findtextrel /usr/lib/libwrapper.so eu-findtextrel: no text relocations reported in '/usr/lib/libwrapper.so' Moving to MODIFIED, taking this bugzilla for possible kickbacks.
# rpm -q tanukiwrapper tanukiwrapper-3.1.2-4jpp_3rhn.2.el5 And I do not see the given message in audit.log