Summary:

SELinux is preventing /sbin/ldconfig "execute" access on /sbin/ldconfig.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by ldconfig. It is not expected that this access is required by ldconfig and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023
Target Context                system_u:object_r:ldconfig_exec_t:s0
Target Objects                /sbin/ldconfig [ file ]
Source                        ldconfig
Source Path                   /sbin/ldconfig
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           glibc-2.12.90-7
Target RPM Packages           glibc-2.12.90-7
Policy RPM                    selinux-policy-3.8.8-14.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.2-9.fc14.x86_64 #1 SMP Tue Aug 17 22:36:15 UTC 2010 x86_64 x86_64
Alert Count                   3
First Seen                    Fri 20 Aug 2010 07:51:12 PM CEST
Last Seen                     Fri 20 Aug 2010 07:51:12 PM CEST
Local ID                      1929e42d-9de0-4915-a791-e0e10ff1f146
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1282326672.562:39): avc: denied { execute } for pid=2687 comm="sh" name="ldconfig" dev=dm-0 ino=170 scontext=unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1282326672.562:39): avc: denied { read open } for pid=2687 comm="sh" name="ldconfig" dev=dm-0 ino=170 scontext=unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1282326672.562:39): avc: denied { execute_no_trans } for pid=2687 comm="sh" path="/sbin/ldconfig" dev=dm-0 ino=170 scontext=unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1282326672.562:39): arch=c000003e syscall=59 success=yes exit=0 a0=15cd3e0 a1=15cc720 a2=15cc010 a3=1 items=0 ppid=2686 pid=2687 auid=501 uid=501 gid=100 euid=501 suid=501 fsuid=501 egid=100 sgid=100 fsgid=100 tty=(none) ses=1 comm="ldconfig" exe="/sbin/ldconfig" subj=unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  catchall,ldconfig,telepathy_msn_t,ldconfig_exec_t,file,execute

audit2allow suggests:

#============= telepathy_msn_t ==============
allow telepathy_msn_t ldconfig_exec_t:file { read execute open execute_no_trans };
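An added example, not part of this bug report or of the Fedora tooling: it parses the three AVC records quoted above (embedded as constructed sample input) and merges the denied permissions per source type, target type and object class the way audit2allow's suggested rule does, and it flags execute_no_trans denials, which mean the binary would run inside the caller's domain (telepathy_msn_t here) instead of transitioning to its own.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC records quoted in this bug report, one per line.
SAMPLE_AVC = """\
type=AVC msg=audit(1282326672.562:39): avc: denied { execute } for pid=2687 comm="sh" name="ldconfig" dev=dm-0 ino=170 scontext=unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1282326672.562:39): avc: denied { read open } for pid=2687 comm="sh" name="ldconfig" dev=dm-0 ino=170 scontext=unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1282326672.562:39): avc: denied { execute_no_trans } for pid=2687 comm="sh" path="/sbin/ldconfig" dev=dm-0 ino=170 scontext=unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
"""
# One AVC record: decision, permission set, source/target contexts and object class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+).*?\btcontext=(?P<tcontext>\S+).*?\btclass=(?P<tclass>\S+)')

def parse_avc(line):
    """Return the fields of one AVC line with contexts reduced to their type, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {"decision": m.group("decision"),
            "perms": set(m.group("perms").split()),
            "source": m.group("scontext").split(":")[2],   # type is the 3rd field
            "target": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass")}

def aggregate(log_text):
    """Merge denied permissions per (source type, target type, class), as audit2allow does."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["decision"] == "denied":
            rules[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return rules

def to_allow_rules(rules):
    """Render audit2allow-style allow statements in a stable order."""
    return ["allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
            for (src, tgt, cls), perms in sorted(rules.items())]

def in_domain_executions(rules):
    """Pairs where the source domain would run the target file without a domain
    transition (execute_no_trans): the program keeps the caller's privileges."""
    return sorted((src, tgt) for (src, tgt, cls), perms in rules.items()
                  if cls == "file" and "execute_no_trans" in perms)

if __name__ == "__main__":
    rules = aggregate(SAMPLE_AVC)
    print("\n".join(to_allow_rules(rules)))
    print("in-domain executions:", in_domain_executions(rules))
```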
Anyone have any idea why this tool would be executing ldconfig?
Why this is happening I do not know, and the folk on #telepathy seem to not know either. To quote: "dgrift: butterfly is a python app, I don't see why it should run ldconfig". What I do know is that telepathy-butterfly (probably not haze) needs it. I had to add the following to my policy to make this work:

libs_run_ldconfig($1_tp_butterfly_t, $2)
exec_files_pattern($1_tp_butterfly_t, tp_butterfly_tmp_t, tp_butterfly_tmp_t)

Please note that in Fedora, telepathy-butterfly runs in the telepathy_msn_t domain.
*** Bug 624763 has been marked as a duplicate of this bug. ***
Wouldn't it be better to just let it execute it and see what access is needed. ldconfig_t is a pretty powerful domain.
Agreed, I will remove those rules and see if I can reproduce with just execute_no_trans. Will report back.
Well, I loaded it with corecmd_exec_bin commented out and with libs_exec_ldconfig. It seems to only run uname so far, and if it runs ldconfig then so far it appears it does not need any permissions it doesn't have already. Note though that I haven't been able to test butterfly long and thoroughly (I don't have butterfly contacts, fortunately). Not sure if you got these already: it manages a dir, file and sock file in /tmp; it stream connects to gvfsd (for you that's userdom), plus it also reads/writes gvfsd inherited stream sockets. I will let it run for a while; maybe some new issues arise, and if so I will report back.
I noticed that issue as well. If you need an MSN contact, you could contact me at: mildred.msn<at>free.fr
I cannot reproduce it, but it runs ldconfig on its temporary file. (Do not ask me why.) So my suggestion is:

Allow telepathy_msn_t to execute ldconfig_exec_t (ldconfig_exec(telepathy_msn_t)).
Allow telepathy_msn_t to execute its own temporary files (can_exec(telepathy_msn_t, telepathy_msn_tmp_t)).
Fixed in selinux-policy-3.9.3-1.fc14
selinux-policy-3.9.3-1.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.3-1.fc14
selinux-policy-3.9.3-1.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.3-1.fc14
selinux-policy-3.9.3-1.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.