Description of problem:

Summary:

SELinux is preventing ld-linux.so.2 from loading /usr/lib/libSDL-1.2.so.0.7.3.#prelink#.Qmut9X which requires text relocation.

Detailed Description:

The ld-linux.so.2 application attempted to load /usr/lib/libSDL-1.2.so.0.7.3.#prelink#.Qmut9X which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. You can configure SELinux temporarily to allow /usr/lib/libSDL-1.2.so.0.7.3.#prelink#.Qmut9X to use relocation as a workaround, until the library is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust /usr/lib/libSDL-1.2.so.0.7.3.#prelink#.Qmut9X to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t '/usr/lib/libSDL-1.2.so.0.7.3.#prelink#.Qmut9X'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t '/usr/lib/libSDL-1.2.so.0.7.3.#prelink#.Qmut9X'"

The following command will allow this access:

chcon -t textrel_shlib_t '/usr/lib/libSDL-1.2.so.0.7.3.#prelink#.Qmut9X'

Additional Information:

Source Context                root:system_r:prelink_t:SystemLow-SystemHigh
Target Context                root:object_r:lib_t
Target Objects                /usr/lib/libSDL-1.2.so.0.7.3.#prelink#.Qmut9X [ file ]
Source                        ld-linux.so.2
Source Path                   /lib/ld-2.5.so
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           glibc-2.5-42.el5_4.2
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-255.el5_4.1
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execmod
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.18-164.9.1.el5 #1 SMP Wed Dec 9 03:29:54 EST 2009 i686 athlon
Alert Count                   1
First Seen                    Thu 31 Dec 2009 11:12:50 AM PST
Last Seen                     Thu 31 Dec 2009 11:12:50 AM PST
Local ID                      aa08bda3-47a5-4fe3-9338-18a9b1f64058
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1262286770.802:136): avc: denied { execmod } for pid=18130 comm="ld-linux.so.2" path="/usr/lib/libSDL-1.2.so.0.7.3.#prelink#.Qmut9X" dev=dm-0 ino=16497330 scontext=root:system_r:prelink_t:s0-s0:c0.c1023 tcontext=root:object_r:lib_t:s0 tclass=file

host=localhost.localdomain type=SYSCALL msg=audit(1262286770.802:136): arch=40000003 syscall=125 success=no exit=-13 a0=1f0000 a1=7c000 a2=5 a3=bfb80ae0 items=0 ppid=18120 pid=18130 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="ld-linux.so.2" exe="/lib/ld-2.5.so" subj=root:system_r:prelink_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
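The two raw audit records in the report above can be joined on their shared event ID and decoded to show what was actually refused. This is an added example, not part of the original bug report; the function names and lookup tables are hypothetical, cover only the values this event uses (i386 syscall 125, errno 13), and the SYSCALL record is abridged to the fields the code reads.

```python
import re

# The AVC and SYSCALL records from the report (same event ID 136).
RECORDS = [
    'host=localhost.localdomain type=AVC msg=audit(1262286770.802:136): avc: denied '
    '{ execmod } for pid=18130 comm="ld-linux.so.2" '
    'path="/usr/lib/libSDL-1.2.so.0.7.3.#prelink#.Qmut9X" dev=dm-0 ino=16497330 '
    'scontext=root:system_r:prelink_t:s0-s0:c0.c1023 tcontext=root:object_r:lib_t:s0 '
    'tclass=file',
    'host=localhost.localdomain type=SYSCALL msg=audit(1262286770.802:136): '
    'arch=40000003 syscall=125 success=no exit=-13 a0=1f0000 a1=7c000 a2=5 a3=bfb80ae0 '
    'items=0 ppid=18120 pid=18130 auid=0 uid=0 comm="ld-linux.so.2" '
    'exe="/lib/ld-2.5.so" subj=root:system_r:prelink_t:s0-s0:c0.c1023 key=(null)',
]

# Lookup tables limited to what this event needs; extend for other events.
SYSCALLS = {("40000003", 125): "mprotect"}  # arch 40000003 is AUDIT_ARCH_I386
ERRNOS = {13: "EACCES"}
PROT_BITS = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}

def fields(record):
    """Return the key=value pairs of one audit record, quotes stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}

def decode_event(records):
    """Join the AVC and SYSCALL records of one audit event and decode them."""
    by_type = {}
    for rec in records:
        f = fields(rec)
        by_type[f["type"]] = f
        if f["type"] == "AVC":
            by_type["perms"] = re.search(r"\{ ([^}]*)\}", rec).group(1).split()
    avc, sc = by_type["AVC"], by_type["SYSCALL"]
    if avc["msg"] != sc["msg"]:
        raise ValueError("records belong to different audit events")
    prot = int(sc["a2"], 16)  # audit logs syscall arguments in hex
    return {
        "denied": by_type["perms"],
        "source_type": avc["scontext"].split(":")[2],
        "target_type": avc["tcontext"].split(":")[2],
        "path": avc["path"],
        "syscall": SYSCALLS.get((sc["arch"], int(sc["syscall"])), "unknown"),
        "prot": [name for bit, name in PROT_BITS.items() if prot & bit],
        "errno": ERRNOS.get(-int(sc["exit"]), "unknown"),
    }

if __name__ == "__main__":
    print(decode_event(RECORDS))
```

The decoded event reads as an mprotect() call by prelink_t asking for PROT_READ|PROT_EXEC on a lib_t file mapping, refused with EACCES, which is the execmod check the alert describes.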
Hi, Is this a problem with base RHEL?
Yes, as far as I can tell, it is a problem with the base installation. I have made no changes.
Reassigning to selinux component.
Miroslav, add libs_legacy_use_shared_libs(prelink_t). This is what we have in Fedora.
Duane, could you please provide instructions how to reproduce the bug? Thanks
Fixed in selinux-policy-2.4.6-270.el5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html