Summary:

SELinux is preventing /usr/sbin/prelink "setattr" access.

Detailed Description:

[prelink has a permissive type (prelink_t). This access was not denied.]

SELinux denied access requested by prelink. It is not expected that this access is required by prelink and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:unconfined_r:prelink_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                [ fifo_file ]
Source                        prelink
Source Path                   /usr/sbin/prelink
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           prelink-0.4.3-2.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-2.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.2-57.fc13.x86_64 #1 SMP Tue Apr 20 08:57:50 UTC 2010 x86_64 x86_64
Alert Count                   3
First Seen                    Wed 21 Apr 2010 01:19:51 PM PDT
Last Seen                     Wed 21 Apr 2010 01:19:51 PM PDT
Local ID                      f0b22177-e13c-4abd-b975-3bfe1a5d546d
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1271881191.790:23515): avc: denied { setattr } for pid=2737 comm="prelink" name="" dev=pipefs ino=174565 scontext=unconfined_u:unconfined_r:prelink_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=fifo_file

node=(removed) type=SYSCALL msg=audit(1271881191.790:23515): arch=c000003e syscall=93 success=yes exit=128 a0=1 a1=0 a2=0 a3=2 items=0 ppid=2426 pid=2737 auid=1002 uid=1002 gid=100 euid=1002 suid=1002 fsuid=1002 egid=100 sgid=100 fsgid=100 tty=(none) ses=1 comm="prelink" exe="/usr/sbin/prelink" subj=unconfined_u:unconfined_r:prelink_t:s0-s0:c0.c1023 key=(null)

Hash String generated from catchall,prelink,prelink_t,unconfined_t,fifo_file,setattr

audit2allow suggests:

#============= prelink_t ==============
allow prelink_t unconfined_t:fifo_file setattr;

Fresh install of F13 on an Intel iMac. The only big change so far is that /tmp is a tmpfs, /home is mounted via NFS and the system configured as an NIS client:

# egrep 'home|/tmp' /proc/mounts
tmpfs /tmp tmpfs rw,rootcontext=system_u:object_r:tmp_t:s0,seclabel,nosuid,relatime 0 0
gate:/home /home nfs rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=10.200.0.10,mountvers=3,mountport=4002,mountproto=udp,fsc,addr=10.200.0.10 0 0

Hm, this looks like #546771 - which is said to be "fixed in abrt-1.0.2" (F12/updates-testing), but the bug is still tagged NEW. And rightly so, I guess :-\
No I don't think this is the same. Did you run prelink in a terminal or were you installing some apps which caused prelink to run?
No, I did not use prelink manually. I just "reproduced" this: I'm logging in to Gnome after a fresh reboot, started a terminal, running nothing else. I'm waiting a while for things to calm down. No Yum; PackageKit is uninstalled already. But when I start Firefox I'm presented with the SELinux warning. Running Firefox through strace(1) reveals a few prelink calls:

stat("/usr/sbin/prelink", {st_mode=S_IFREG|0755, st_size=1262168, ...}) = 0
execve("/usr/sbin/prelink", ["/usr/sbin/prelink", "-u", "-o", "-", "/usr/lib64/libnssdbm3.so"], [/* 55 vars */]) = 0
open("/tmp/undo.#prelink#.iVmjXE", O_RDWR|O_CREAT|O_EXCL, 0600) = 2
utime("/tmp/undo.#prelink#.iVmjXE", [2010/04/21-17:39:23, 2010/04/15-08:43:28]) = 0
read(0, "unconfined_u:unconfined_r:prelink_t:s0-s0:c0.c1023\0", 4095) = 51
setxattr("/tmp/undo.#prelink#.iVmjXE", "security.selinux", "system_u:object_r:lib_t:s0", 27, 0) = 0
unlink("/tmp/undo.#prelink#.iVmjXE") = 0
execve("/usr/sbin/prelink", ["/usr/sbin/prelink", "-u", "-o", "-", "/usr/lib64/libfreebl3.so"], [/* 55 vars */]) = 0
[...]

and so on.
Created attachment 408203
strace -ff -tt -F -s1024 -o /tmp/strace-firefox.log /usr/lib64/firefox-3.6/firefox -P default

Created attachment 408204
strace -ff -tt -F -s1024 -o /tmp/strace-firefox.log /usr/lib64/firefox-3.6/firefox -P tmp
Somehow I cannot reproduce the SELinux warning when I'm starting a pristine Firefox Profile ("tmp") but only when starting Firefox with my "default" profile, where all sorts of things are tuned and stored (esp. password manager, FIPS is enabled). I've created the strace logs, if it is any good....
Ok, I will add a dontaudit in next release. Fixed in selinux-policy-3.7.19-5.fc13.noarch
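An added example, not part of the bug thread and not audit2allow's own code: it pairs the AVC and SYSCALL records from the report by audit event id to show that the "denied" access actually succeeded (prelink_t is permissive), then derives the allow rule audit2allow suggested and a dontaudit counterpart. The dontaudit line is an assumption about the shape of the fix; the thread does not show the rule that shipped.

```python
import re

# Raw audit records copied from the report above (node= prefix dropped).
RECORDS = [
    'type=AVC msg=audit(1271881191.790:23515): avc: denied { setattr } for pid=2737 comm="prelink" name="" dev=pipefs ino=174565 scontext=unconfined_u:unconfined_r:prelink_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=fifo_file',
    'type=SYSCALL msg=audit(1271881191.790:23515): arch=c000003e syscall=93 success=yes exit=128 a0=1 a1=0 a2=0 a3=2 items=0 ppid=2426 pid=2737 auid=1002 uid=1002 gid=100 euid=1002 suid=1002 fsuid=1002 egid=100 sgid=100 fsgid=100 tty=(none) ses=1 comm="prelink" exe="/usr/sbin/prelink" subj=unconfined_u:unconfined_r:prelink_t:s0-s0:c0.c1023 key=(null)',
]

HEADER = re.compile(r'type=(\w+) msg=audit\(([\d.]+:\d+)\):')
DENIED = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type (third field) of a user:role:type:level context."""
    return context.split(':')[2]

def analyze(records):
    """Group records by audit event id and summarise each AVC denial."""
    events = {}
    for line in records:
        head = HEADER.search(line)
        if not head:
            continue
        rtype, event_id = head.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[head.end():])}
        denied = DENIED.search(line)
        if rtype == 'AVC' and denied:
            fields['perms'] = denied.group(1).split()
        events.setdefault(event_id, {})[rtype] = fields
    results = []
    for event_id, ev in events.items():
        avc = ev.get('AVC')
        if not avc or 'perms' not in avc:
            continue
        perms = avc['perms']
        perm = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
        vector = '%s %s:%s %s;' % (selinux_type(avc['scontext']),
                                   selinux_type(avc['tcontext']),
                                   avc['tclass'], perm)
        results.append({
            'event': event_id,
            # "denied" was logged, yet success=yes: the domain is permissive
            'syscall_succeeded': ev.get('SYSCALL', {}).get('success') == 'yes',
            'allow': 'allow ' + vector,          # grants the access
            'dontaudit': 'dontaudit ' + vector,  # assumed form: silences the log only
        })
    return results
```
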
selinux-policy-3.7.19-6.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-6.fc13
selinux-policy-3.7.19-6.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-6.fc13
selinux-policy-3.7.19-6.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
Hm, strange. I had updates-testing enabled anyway, but even "--enablerepo=updates-testing" did not get me 3.7.19-6. Manually downloading selinux-policy and selinux-policy-targeted, forcefully removing the old packages and installing the new ones fixed this issue. Now Firefox starts w/o the SELinux warning. Thanks!
Just means it had not been pushed to your mirror yet.