Bug 584550 - SELinux is preventing /usr/sbin/prelink "setattr" access .
Summary: SELinux is preventing /usr/sbin/prelink "setattr" access .
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:5563c4ef721...
Depends On:
TreeView+ depends on / blocked
Reported: 2010-04-21 20:27 UTC by Christian Kujau
Modified: 2010-04-29 18:24 UTC (History)
3 users (show)

Fixed In Version: selinux-policy-3.7.19-6.fc13
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-04-28 03:07:31 UTC
Type: ---

Attachments (Terms of Use)
strace -ff -tt -F -s1024 -o /tmp/strace-firefox.log /usr/lib64/firefox-3.6/firefox -P default (770.44 KB, application/x-bzip)
2010-04-22 01:00 UTC, Christian Kujau
no flags Details
strace -ff -tt -F -s1024 -o /tmp/strace-firefox.log /usr/lib64/firefox-3.6/firefox -P tmp (334.66 KB, application/x-bzip)
2010-04-22 01:01 UTC, Christian Kujau
no flags Details

Description Christian Kujau 2010-04-21 20:27:40 UTC

SELinux is preventing /usr/sbin/prelink "setattr" access .

Detailed Description:

[prelink has a permissive type (prelink_t). This access was not denied.]

SELinux denied access requested by prelink. It is not expected that this access
is required by prelink and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug

Additional Information:

Source Context                unconfined_u:unconfined_r:prelink_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
Target Objects                 [ fifo_file ]
Source                        prelink
Source Path                   /usr/sbin/prelink
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           prelink-0.4.3-2.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-2.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              #1 SMP Tue Apr 20 08:57:50 UTC 2010 x86_64 x86_64
Alert Count                   3
First Seen                    Wed 21 Apr 2010 01:19:51 PM PDT
Last Seen                     Wed 21 Apr 2010 01:19:51 PM PDT
Local ID                      f0b22177-e13c-4abd-b975-3bfe1a5d546d
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1271881191.790:23515): avc:  denied  { setattr } for  pid=2737 comm="prelink" name="" dev=pipefs ino=174565 scontext=unconfined_u:unconfined_r:prelink_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=fifo_file

node=(removed) type=SYSCALL msg=audit(1271881191.790:23515): arch=c000003e syscall=93 success=yes exit=128 a0=1 a1=0 a2=0 a3=2 items=0 ppid=2426 pid=2737 auid=1002 uid=1002 gid=100 euid=1002 suid=1002 fsuid=1002 egid=100 sgid=100 fsgid=100 tty=(none) ses=1 comm="prelink" exe="/usr/sbin/prelink" subj=unconfined_u:unconfined_r:prelink_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  catchall,prelink,prelink_t,unconfined_t,fifo_file,setattr
audit2allow suggests:

#============= prelink_t ==============
allow prelink_t unconfined_t:fifo_file setattr;

Comment 1 Christian Kujau 2010-04-21 20:33:16 UTC
Fresh install of F13 on an Intel iMac. The only big change so far is that /tmp is a tmpfs, /home is mounted via NFS and the system configured as an NIS client:

# egrep 'home|/tmp' /proc/mounts 
tmpfs /tmp tmpfs rw,rootcontext=system_u:object_r:tmp_t:s0,seclabel,nosuid,relatime 0 0
gate:/home /home nfs rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=,mountvers=3,mountport=4002,mountproto=udp,fsc,addr= 0 0

Comment 2 Christian Kujau 2010-04-21 20:36:45 UTC
Hm, this looks like #546771 - which said to be "fixed in abrt-1.0.2" (F12/updates-testing), but the bug is still tagged NEW. And rightly so, I guess :-\

Comment 3 Daniel Walsh 2010-04-21 20:46:44 UTC
No I don't think this is the same.  Did you run prelink in a terminal or were you installing some apps which caused prelink to run?

Comment 4 Christian Kujau 2010-04-22 00:45:54 UTC
No, I did not use prelink manually. I just "reproduced" this: I'm logging in to Gnome after a fresh reboot, started a terminal, running nothing else. I'm waiting a while for things to calm down. No Yum; PackageKit is uninstalled already. But when I start Firefox I'm presented with the SELinux warning.

Running Firefox through strace(1) reveals a few prelink calls:

stat("/usr/sbin/prelink", {st_mode=S_IFREG|0755, st_size=1262168, ...}) = 0
execve("/usr/sbin/prelink", ["/usr/sbin/prelink", "-u", "-o", "-", "/usr/lib64/libnssdbm3.so"], [/* 55 vars */]) = 0
open("/tmp/undo.#prelink#.iVmjXE", O_RDWR|O_CREAT|O_EXCL, 0600) = 2
utime("/tmp/undo.#prelink#.iVmjXE", [2010/04/21-17:39:23, 2010/04/15-08:43:28]) = 0
read(0, "unconfined_u:unconfined_r:prelink_t:s0-s0:c0.c1023\0", 4095) = 51
setxattr("/tmp/undo.#prelink#.iVmjXE", "security.selinux", "system_u:object_r:lib_t:s0", 27, 0) = 0
unlink("/tmp/undo.#prelink#.iVmjXE")    = 0
execve("/usr/sbin/prelink", ["/usr/sbin/prelink", "-u", "-o", "-", "/usr/lib64/libfreebl3.so"], [/* 55 vars */]) = 0

and so on.

Comment 5 Christian Kujau 2010-04-22 01:00:34 UTC
Created attachment 408203 [details]
strace -ff -tt -F -s1024 -o /tmp/strace-firefox.log /usr/lib64/firefox-3.6/firefox -P default

Comment 6 Christian Kujau 2010-04-22 01:01:32 UTC
Created attachment 408204 [details]
strace -ff -tt -F -s1024 -o /tmp/strace-firefox.log /usr/lib64/firefox-3.6/firefox -P tmp

Comment 7 Christian Kujau 2010-04-22 01:04:28 UTC
Somehow I cannot reproduce the SELinux warning when I'm starting a pristine Firefox Profile ("tmp") but only when starting Firefox with my "default" profile, where all sorts of things are tuned and stored (esp. password manager, FIPS is enabled). I've created the strace logs, if it is any good....

Comment 8 Daniel Walsh 2010-04-22 12:44:21 UTC
Ok, I will add a dontaudit in next release.

Fixed in selinux-policy-3.7.19-5.fc13.noarch

Comment 9 Fedora Update System 2010-04-26 19:52:03 UTC
selinux-policy-3.7.19-6.fc13 has been submitted as an update for Fedora 13.

Comment 10 Fedora Update System 2010-04-27 05:49:16 UTC
selinux-policy-3.7.19-6.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-6.fc13

Comment 11 Fedora Update System 2010-04-28 03:06:41 UTC
selinux-policy-3.7.19-6.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Christian Kujau 2010-04-28 23:15:27 UTC
Hm, strange. I had updates-testing enabled anyway, but even "--enablerepo=updates-testing" did not get me 3.7.19-6. Manually downloading selinux-policy and selinux-policy-targeted, forcefully removing the old packages and installing the new ones fix this issue. Now Firefox starts w/o the SELinux warning.


Comment 13 Daniel Walsh 2010-04-29 18:24:28 UTC
Just means it had not been pushed to your mirror yet.

Note You need to log in before you can comment on or make changes to this bug.