Red Hat Bugzilla – Bug 480189
tanukiwrapper generates execmod AVC denial
Last modified: 2009-08-17 17:58:20 EDT
+++ This bug was initially created as a clone of Bug #471218 +++ Description of problem: When starting Spacewalk 0.3, an execmod AVC denial is logged: type=AVC msg=audit(1226431153.819:93): avc: denied { execmod } for pid=3364 comm="java" path="/usr/lib/libwrapper.so" dev=dm-0 ino=883661 scontext=root:system_r:java_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file Version-Release number of selected component (if applicable): Spacewalk 0.3 with tanukiwrapper-3.2.1-2jpp.ep1.1.el5. How reproducible: Deterministic. Steps to Reproduce: 1. eu-findtextrel /usr/lib/libwrapper.so Actual results: the file containing the function 'Java_org_tanukisoftware_wrapper_WrapperManager_nativeGetUser' is not compiled with -fpic/-fPIC the file containing the function 'Java_org_tanukisoftware_wrapper_WrapperManager_nativeGetInteractiveUser' is not compiled with -fpic/-fPIC the file containing the function 'Java_org_tanukisoftware_wrapper_WrapperManager_nativeSetConsoleTitle' is not compiled with -fpic/-fPIC the file containing the function 'Java_org_tanukisoftware_wrapper_WrapperManager_nativeRequestThreadDump' is not compiled with -fpic/-fPIC the file containing the function 'Java_org_tanukisoftware_wrapper_WrapperManager_nativeInit' is not compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function 'Java_org_tanukisoftware_wrapper_WrapperManager_nativeGetJavaPID' is not compiled with -fpic/-fPIC the file containing the function 'handleInterrupt' is not compiled with -fpic/-fPIC the file containing the function 'handleTermination' is not compiled with -fpic/-fPIC the file containing the function 'wrapperJNIHandleSignal' is not compiled with -fpic/-fPIC the file containing the function 'Java_org_tanukisoftware_wrapper_WrapperManager_nativeGetControlEvent' is not compiled with -fpic/-fPIC the file containing the function 'Java_org_tanukisoftware_wrapper_WrapperManager_nativeGetLibraryVersion' is not compiled with -fpic/-fPIC the file containing the function 'getLastErrorText' is not compiled with -fpic/-fPIC Expected results: eu-findtextrel: no text relocations reported in '/usr/lib/libwrapper.so' [...] --- Additional comment from jpazdziora@redhat.com on 2008-11-12 09:33:57 EDT --- Jesus says: jmrodri adelton, one thing that is different is the makefile patches for tanukiwrapper jmrodri adelton, 3.2.1 has this for the compile jmrodri $(COMPILE) -pthread $(wrapper_SOURCE) -o $(BIN)/wrapper -lm jmrodri while 3.1.2 has this jmrodri $(COMPILE) -lm $(wrapper_SOURCE) -o $(BIN)/wrapper jmrodri diff is -pthread --- Additional comment from jesusr@redhat.com on 2008-11-12 09:37:34 EDT --- 3.1.2 rpm also patch the %.o: %.c section of the Makefile.linux 3.1.2 orig $(COMPILE) $(DEFS) -Wp,-MD,.deps/$(*F).pp -c $< 3.1.2 patch $(COMPILE) $(DEFS) -fPIC -Wp,-MD,.deps/$(*F).pp -c $< 3.2.1 orig $(COMPILE) $(DEFS) -Wp,-MD,.deps/$(*F).pp -c $< I'm not sure if -fPIC makes a difference here or not. --- Additional comment from jpazdziora@redhat.com on 2008-11-12 09:47:08 EDT --- Please rebuild tanukiwrapper with -fPIC. Thank you.
For the record, it's tanukiwrapper-3.2.3-2.3.fc10.i386.rpm in Fedora 10 which has the problem: $ eu-findtextrel ./libwrapper.so the file containing the function 'Java_org_tanukisoftware_wrapper_WrapperManager_nativeGetUser' is not compiled with -fpic/-fPIC the file containing the function 'Java_org_tanukisoftware_wrapper_WrapperManager_nativeGetInteractiveUser' is not compiled with -fpic/-fPIC the file containing the function 'Java_org_tanukisoftware_wrapper_WrapperManager_nativeSetConsoleTitle' is not compiled with -fpic/-fPIC the file containing the function 'Java_org_tanukisoftware_wrapper_WrapperManager_nativeRequestThreadDump' is not compiled with -fpic/-fPIC the file containing the function 'Java_org_tanukisoftware_wrapper_WrapperManager_nativeInit' is not compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function '_init' might not be compiled with -fpic/-fPIC the file containing the function 'Java_org_tanukisoftware_wrapper_WrapperManager_nativeGetJavaPID' is not compiled with -fpic/-fPIC the file containing the function 'handleInterrupt' is not compiled with -fpic/-fPIC the file containing the function 'handleHangup' is not compiled with -fpic/-fPIC the file containing the function 'handleTermination' is not compiled with -fpic/-fPIC the file containing the function 'wrapperJNIHandleSignal' is not compiled with -fpic/-fPIC the file containing the function 'Java_org_tanukisoftware_wrapper_WrapperManager_nativeGetControlEvent' is not compiled with -fpic/-fPIC the file containing the function 'Java_org_tanukisoftware_wrapper_WrapperManager_nativeGetLibraryVersion' is not compiled with -fpic/-fPIC the file containing the function 'getLastErrorText' is not compiled with -fpic/-fPIC
Deepak, the tanukiwrapper problem is blocking Spacewalk 0.6 with SELinux Enforcing release both for Fedora 10 and for Fedora 11. Will you be able to release newly built package with the -fpic/-fPIC fix? Thank you.
tanukiwrapper-3.2.3-2.4.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/tanukiwrapper-3.2.3-2.4.fc10
Jan, please try the above build and let me know if it fixes the issue. I have patched the make files to compile with -fPIC: # eu-findtextrel /usr/lib/libgmp.so eu-findtextrel: no text relocations reported in '/usr/lib/libgmp.so'
Er, posted wrong example in Comment #4. Meant to display this: # eu-findtextrel /usr/lib/libwrapper.so eu-findtextrel: no text relocations reported in '/usr/lib/libwrapper.so'
tanukiwrapper-3.2.3-2.4.fc10 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update tanukiwrapper'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-8193
Thank you, eu-findtextrel /usr/lib/libwrapper.so is indeed clean. Could you do similar rebuild for Fedora 11?
Yep. I built for 10, 11 and rawhide at the same time. Just wanted to make sure it works before pushing for f11. Pushed for updates-testing on F11: https://admin.fedoraproject.org/updates/tanukiwrapper-3.2.3-3.4.fc11
Oh, great. Tested on F11, it looks good. Marking as VERIFIED. Thank you, Jan
tanukiwrapper-3.2.3-2.4.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.