Bug 603606 - SELinux is preventing /usr/sbin/prelink "getattr" access to /usr/libexec/telepathy-sofiasip.
SELinux is preventing /usr/sbin/prelink "getattr" access to /usr/libexec/tele...
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
6.0
x86_64 Linux
medium Severity medium
: rc
: ---
Assigned To: Daniel Walsh
BaseOS QE Security Team
setroubleshoot_trace_hash:85e46c092a3...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-06-14 01:22 EDT by Matěj Cepl
Modified: 2010-06-14 18:43 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-06-14 18:43:49 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Matěj Cepl 2010-06-14 01:22:19 EDT
Souhrn:

SELinux is preventing /usr/sbin/prelink "getattr" access to
/usr/libexec/telepathy-sofiasip.

Podrobný popis:

[SELinux je v tolerantním režimu. Přístup byl povolen.]

SELinux denied prelink getattr on /usr/libexec/telepathy-sofiasip. The prelink
program is only allowed to manipulate files that are identified as executables
or shared libraries by SELinux. Libraries that get placed in lib directories get
labeled by default as a shared library. Similarly, executables that get placed
in a bin or sbin directory get labeled as executables by SELinux. However, if
these files get installed in other directories they might not get the correct
label. If prelink is trying to manipulate a file that is not a binary or share
library this may indicate an intrusion attack.

Povolení přístupu:

You can alter the file context by executing "chcon -t bin_t
'/usr/libexec/telepathy-sofiasip'" or "chcon -t lib_t
'/usr/libexec/telepathy-sofiasip'" if it is a shared library. If you want to
make these changes permanent you must execute the semanage command. "semanage
fcontext -a -t bin_t '/usr/libexec/telepathy-sofiasip'" or "semanage fcontext -a
-t lib_t '/usr/libexec/telepathy-sofiasip'". If you feel this executable/shared
library is in the wrong location please file a bug against the package that
includes the file. If you feel that SELinux should know about this file and
label it correctly please file a bug against SELinux policy.

Další informace:

Kontext zdroje                system_u:system_r:prelink_t:s0-s0:c0.c1023
Kontext cíle                 system_u:object_r:unlabeled_t:s0
Objekty cíle                 /usr/libexec/telepathy-sofiasip [ file ]
Zdroj                         prelink
Cesta zdroje                  /usr/sbin/prelink
Port                          <Neznámé>
Počítač                    (removed)
RPM balíčky zdroje          prelink-0.4.3-3.el6
RPM balíčky cíle           telepathy-sofiasip-0.6.2-1.el6
RPM politiky                  selinux-policy-3.7.19-24.el6
Selinux povolen               True
Typ politiky                  targeted
Vynucovací režim            Permissive
Název zásuvného modulu     prelink_mislabled
Název počítače            (removed)
Platforma                     Linux (removed) 2.6.32-33.el6.x86_64 #1
                              SMP Thu Jun 3 13:00:03 EDT 2010 x86_64 x86_64
Počet upozornění           1
Poprvé viděno               Po 14. červen 2010, 03:11:51 CEST
Naposledy viděno             Po 14. červen 2010, 03:11:51 CEST
Místní ID                   c24d1129-a6d7-4417-b808-e8661718a70a
Čísla řádků              

Původní zprávy auditu      

node=(removed) type=AVC msg=audit(1276477911.319:4451): avc:  denied  { getattr } for  pid=6008 comm="prelink" path="/usr/libexec/telepathy-sofiasip" dev=dm-1 ino=533575 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1276477911.319:4451): arch=c000003e syscall=6 success=yes exit=0 a0=a2f790 a1=7fffbad84340 a2=7fffbad84340 a3=1000 items=0 ppid=5999 pid=6008 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=678 comm="prelink" exe="/usr/sbin/prelink" subj=system_u:system_r:prelink_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  prelink_mislabled,prelink,prelink_t,unlabeled_t,file,getattr
audit2allow suggests:

#============= prelink_t ==============
allow prelink_t unlabeled_t:file getattr;
Comment 1 Matěj Cepl 2010-06-14 01:24:43 EDT
Maybe that's just another aspect of my past experimental telepathy-sofiasip module:

johanka:~# restorecon -v -R /usr/libexec/
restorecon reset /usr/libexec/telepathy-sofiasip context system_u:object_r:telepathy_sofiasip_exec_t:s0->system_u:object_r:telepathysofiasip_exec_t:s0
johanka:~#
Comment 3 RHEL Product and Program Management 2010-06-14 01:43:24 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.
Comment 4 Daniel Walsh 2010-06-14 18:43:49 EDT
This was caused by the bogus telepathy policy this machine had installed.

Note You need to log in before you can comment on or make changes to this bug.