Bug 496898 - avc: denied { execmod } for comm="java" path="/usr/lib64/libwrapper.so"
avc: denied { execmod } for comm="java" path="/usr/lib64/libwrapper.so"
Status: CLOSED CURRENTRELEASE
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server (Show other bugs)
530
All Linux
low Severity medium
: ---
: ---
Assigned To: Milan Zazrivec
wes hayutin
:
Depends On:
Blocks: 457079
  Show dependency treegraph
 
Reported: 2009-04-21 11:21 EDT by Milan Zazrivec
Modified: 2009-09-10 15:12 EDT (History)
2 users (show)

See Also:
Fixed In Version: sat530
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-09-10 15:12:37 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
# grep 'denied.*execmod' /var/log/audit/audit.log (selinux in permissive) (456 bytes, text/plain)
2009-04-21 11:21 EDT, Milan Zazrivec
no flags Details
/var/log/rhn/rhn_taskomatic_daemon.log (5.87 KB, text/plain)
2009-04-22 10:47 EDT, Milan Zazrivec
no flags Details

  None (edit)
Description Milan Zazrivec 2009-04-21 11:21:25 EDT
Created attachment 340550 [details]
# grep 'denied.*execmod' /var/log/audit/audit.log (selinux in permissive)

Description of problem:
After Satellite 5.3.0 installation on s390x, tanukiwrapper - related selinux
denial occurs.

Version-Release number of selected component (if applicable):
tanukiwrapper-3.2.1-6.el5sat.s390x

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL-5 on s390x, selinux enabled (permissive at least).
2. Install Satellite 5.3.0
3. # grep 'denied.*execmod' /var/log/audit/audit.log
  
Actual results:
See attachment.

Expected results:
No denial.

Additional info:
# eu-findtextrel /usr/lib64/libwrapper.so 
the file containing the function '' might not be compiled with -fpic/-fPIC
...

I'm assigning this to Dennis as I *think* this problem is caused by
tanukiwrapper being compiled without -fPIC flag on s390x. In
http://cvs.devel.redhat.com/cgi-bin/cvsweb.cgi/rpms/tanukiwrapper/RHEL-5-RHNSAT-5_3/tanukiwrapper-makefile-linux-x86-32.patch
I see that Dennis fixed this problem for i386/x86_64 builds and probably
knows most about building tanukiwrapper :-)
Comment 1 Brandon Perkins 2009-04-21 12:29:25 EDT
This should be fixed by either Dennis or Jesus.
Comment 2 Milan Zazrivec 2009-04-22 10:47:06 EDT
Created attachment 340754 [details]
/var/log/rhn/rhn_taskomatic_daemon.log

The problem with -fPIC is in fact much more serious: tanukiwrapper
compilied without PIC causes taskomatic & rhn-search services to
fail during start.
Comment 3 Milan Zazrivec 2009-05-18 06:06:56 EDT
I guess there's no point in waiting. I'm reassigning this to myself.
Comment 4 Milan Zazrivec 2009-05-18 07:02:07 EDT
thirdparty.git:
c8436c240af4c6ece1dad4d09173e6bfd2246ab1
b1dec1fdb380a9bfa71602f3ce2df4edda48dd91

tanukiwrapper-3.2.1-9
Comment 5 wes hayutin 2009-06-02 11:10:43 EDT
verified 5/29
Comment 6 Jan Pazdziora 2009-09-07 09:20:30 EDT
Stage validated with Satellite-5.3.0-RHEL5-re20090724.0:

[root@rhndev6 ~]# eu-findtextrel /usr/lib64/libwrapper.so 
eu-findtextrel: no text relocations reported in '/usr/lib64/libwrapper.so'
[root@rhndev6 ~]# grep 'denied.*execmod' /var/log/audit/audit.log
[root@rhndev6 ~]# 

Moving to RELEASE_PENDING.
Comment 7 Brandon Perkins 2009-09-10 15:12:37 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html

Note You need to log in before you can comment on or make changes to this bug.