Bug 603606 - SELinux is preventing /usr/sbin/prelink "getattr" access to /usr/libexec/telepathy-sofiasip.
Summary: SELinux is preventing /usr/sbin/prelink "getattr" access to /usr/libexec/tele...
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.0
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Daniel Walsh
QA Contact: BaseOS QE Security Team
URL:
Whiteboard: setroubleshoot_trace_hash:85e46c092a3...
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-06-14 05:22 UTC by Matěj Cepl
Modified: 2010-06-14 22:43 UTC (History)
0 users

(edit)
Clone Of:
(edit)
Last Closed: 2010-06-14 22:43:49 UTC


Attachments (Terms of Use)

Description Matěj Cepl 2010-06-14 05:22:19 UTC
Souhrn:

SELinux is preventing /usr/sbin/prelink "getattr" access to
/usr/libexec/telepathy-sofiasip.

Podrobný popis:

[SELinux je v tolerantním režimu. Přístup byl povolen.]

SELinux denied prelink getattr on /usr/libexec/telepathy-sofiasip. The prelink
program is only allowed to manipulate files that are identified as executables
or shared libraries by SELinux. Libraries that get placed in lib directories get
labeled by default as a shared library. Similarly, executables that get placed
in a bin or sbin directory get labeled as executables by SELinux. However, if
these files get installed in other directories they might not get the correct
label. If prelink is trying to manipulate a file that is not a binary or share
library this may indicate an intrusion attack.

Povolení přístupu:

You can alter the file context by executing "chcon -t bin_t
'/usr/libexec/telepathy-sofiasip'" or "chcon -t lib_t
'/usr/libexec/telepathy-sofiasip'" if it is a shared library. If you want to
make these changes permanent you must execute the semanage command. "semanage
fcontext -a -t bin_t '/usr/libexec/telepathy-sofiasip'" or "semanage fcontext -a
-t lib_t '/usr/libexec/telepathy-sofiasip'". If you feel this executable/shared
library is in the wrong location please file a bug against the package that
includes the file. If you feel that SELinux should know about this file and
label it correctly please file a bug against SELinux policy.

Další informace:

Kontext zdroje                system_u:system_r:prelink_t:s0-s0:c0.c1023
Kontext cíle                 system_u:object_r:unlabeled_t:s0
Objekty cíle                 /usr/libexec/telepathy-sofiasip [ file ]
Zdroj                         prelink
Cesta zdroje                  /usr/sbin/prelink
Port                          <Neznámé>
Počítač                    (removed)
RPM balíčky zdroje          prelink-0.4.3-3.el6
RPM balíčky cíle           telepathy-sofiasip-0.6.2-1.el6
RPM politiky                  selinux-policy-3.7.19-24.el6
Selinux povolen               True
Typ politiky                  targeted
Vynucovací režim            Permissive
Název zásuvného modulu     prelink_mislabled
Název počítače            (removed)
Platforma                     Linux (removed) 2.6.32-33.el6.x86_64 #1
                              SMP Thu Jun 3 13:00:03 EDT 2010 x86_64 x86_64
Počet upozornění           1
Poprvé viděno               Po 14. červen 2010, 03:11:51 CEST
Naposledy viděno             Po 14. červen 2010, 03:11:51 CEST
Místní ID                   c24d1129-a6d7-4417-b808-e8661718a70a
Čísla řádků              

Původní zprávy auditu      

node=(removed) type=AVC msg=audit(1276477911.319:4451): avc:  denied  { getattr } for  pid=6008 comm="prelink" path="/usr/libexec/telepathy-sofiasip" dev=dm-1 ino=533575 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1276477911.319:4451): arch=c000003e syscall=6 success=yes exit=0 a0=a2f790 a1=7fffbad84340 a2=7fffbad84340 a3=1000 items=0 ppid=5999 pid=6008 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=678 comm="prelink" exe="/usr/sbin/prelink" subj=system_u:system_r:prelink_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  prelink_mislabled,prelink,prelink_t,unlabeled_t,file,getattr
audit2allow suggests:

#============= prelink_t ==============
allow prelink_t unlabeled_t:file getattr;

Comment 1 Matěj Cepl 2010-06-14 05:24:43 UTC
Maybe that's just another aspect of my past experimental telepathy-sofiasip module:

johanka:~# restorecon -v -R /usr/libexec/
restorecon reset /usr/libexec/telepathy-sofiasip context system_u:object_r:telepathy_sofiasip_exec_t:s0->system_u:object_r:telepathysofiasip_exec_t:s0
johanka:~#

Comment 3 RHEL Product and Program Management 2010-06-14 05:43:24 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.

Comment 4 Daniel Walsh 2010-06-14 22:43:49 UTC
This was caused by the bogus telepathy policy this machine had installed.


Note You need to log in before you can comment on or make changes to this bug.