Bug 496898 - avc: denied { execmod } for comm="java" path="/usr/lib64/libwrapper.so"
avc: denied { execmod } for comm="java" path="/usr/lib64/libwrapper.so"
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server (Show other bugs)
All Linux
low Severity medium
: ---
: ---
Assigned To: Milan Zazrivec
wes hayutin
Depends On:
Blocks: 457079
  Show dependency treegraph
Reported: 2009-04-21 11:21 EDT by Milan Zazrivec
Modified: 2009-09-10 15:12 EDT (History)
2 users (show)

See Also:
Fixed In Version: sat530
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-09-10 15:12:37 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
# grep 'denied.*execmod' /var/log/audit/audit.log (selinux in permissive) (456 bytes, text/plain)
2009-04-21 11:21 EDT, Milan Zazrivec
no flags Details
/var/log/rhn/rhn_taskomatic_daemon.log (5.87 KB, text/plain)
2009-04-22 10:47 EDT, Milan Zazrivec
no flags Details

  None (edit)
Description Milan Zazrivec 2009-04-21 11:21:25 EDT
Created attachment 340550 [details]
# grep 'denied.*execmod' /var/log/audit/audit.log (selinux in permissive)

Description of problem:
After Satellite 5.3.0 installation on s390x, tanukiwrapper - related selinux
denial occurs.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install RHEL-5 on s390x, selinux enabled (permissive at least).
2. Install Satellite 5.3.0
3. # grep 'denied.*execmod' /var/log/audit/audit.log
Actual results:
See attachment.

Expected results:
No denial.

Additional info:
# eu-findtextrel /usr/lib64/libwrapper.so 
the file containing the function '' might not be compiled with -fpic/-fPIC

I'm assigning this to Dennis as I *think* this problem is caused by
tanukiwrapper being compiled without -fPIC flag on s390x. In
I see that Dennis fixed this problem for i386/x86_64 builds and probably
knows most about building tanukiwrapper :-)
Comment 1 Brandon Perkins 2009-04-21 12:29:25 EDT
This should be fixed by either Dennis or Jesus.
Comment 2 Milan Zazrivec 2009-04-22 10:47:06 EDT
Created attachment 340754 [details]

The problem with -fPIC is in fact much more serious: tanukiwrapper
compilied without PIC causes taskomatic & rhn-search services to
fail during start.
Comment 3 Milan Zazrivec 2009-05-18 06:06:56 EDT
I guess there's no point in waiting. I'm reassigning this to myself.
Comment 4 Milan Zazrivec 2009-05-18 07:02:07 EDT

Comment 5 wes hayutin 2009-06-02 11:10:43 EDT
verified 5/29
Comment 6 Jan Pazdziora 2009-09-07 09:20:30 EDT
Stage validated with Satellite-5.3.0-RHEL5-re20090724.0:

[root@rhndev6 ~]# eu-findtextrel /usr/lib64/libwrapper.so 
eu-findtextrel: no text relocations reported in '/usr/lib64/libwrapper.so'
[root@rhndev6 ~]# grep 'denied.*execmod' /var/log/audit/audit.log
[root@rhndev6 ~]# 

Comment 7 Brandon Perkins 2009-09-10 15:12:37 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.