Bugzilla will be upgraded to version 5.0 on December 2, 2018. The outage period for the upgrade will start at 0:00 UTC and have a duration of 12 hours
Bug 625910 - SELinux is preventing /sbin/ldconfig "execute" access on /sbin/ldconfig.
SELinux is preventing /sbin/ldconfig "execute" access on /sbin/ldconfig.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
14
x86_64 Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
setroubleshoot_trace_hash:fbbdae47167...
:
: 624763 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-08-20 15:07 EDT by Joachim Frieben
Modified: 2010-09-10 23:42 EDT (History)
6 users (show)

See Also:
Fixed In Version: selinux-policy-3.9.3-1.fc14
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-09-10 23:42:49 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Joachim Frieben 2010-08-20 15:07:55 EDT
Summary:

SELinux is preventing /sbin/ldconfig "execute" access on /sbin/ldconfig.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by ldconfig. It is not expected that this access
is required by ldconfig and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0
                              .c1023
Target Context                system_u:object_r:ldconfig_exec_t:s0
Target Objects                /sbin/ldconfig [ file ]
Source                        ldconfig
Source Path                   /sbin/ldconfig
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           glibc-2.12.90-7
Target RPM Packages           glibc-2.12.90-7
Policy RPM                    selinux-policy-3.8.8-14.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.2-9.fc14.x86_64 #1 SMP Tue Aug
                              17 22:36:15 UTC 2010 x86_64 x86_64
Alert Count                   3
First Seen                    Fri 20 Aug 2010 07:51:12 PM CEST
Last Seen                     Fri 20 Aug 2010 07:51:12 PM CEST
Local ID                      1929e42d-9de0-4915-a791-e0e10ff1f146
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1282326672.562:39): avc:  denied  { execute } for  pid=2687 comm="sh" name="ldconfig" dev=dm-0 ino=170 scontext=unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1282326672.562:39): avc:  denied  { read open } for  pid=2687 comm="sh" name="ldconfig" dev=dm-0 ino=170 scontext=unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1282326672.562:39): avc:  denied  { execute_no_trans } for  pid=2687 comm="sh" path="/sbin/ldconfig" dev=dm-0 ino=170 scontext=unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1282326672.562:39): arch=c000003e syscall=59 success=yes exit=0 a0=15cd3e0 a1=15cc720 a2=15cc010 a3=1 items=0 ppid=2686 pid=2687 auid=501 uid=501 gid=100 euid=501 suid=501 fsuid=501 egid=100 sgid=100 fsgid=100 tty=(none) ses=1 comm="ldconfig" exe="/sbin/ldconfig" subj=unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,ldconfig,telepathy_msn_t,ldconfig_exec_t,file,execute
audit2allow suggests:

#============= telepathy_msn_t ==============
allow telepathy_msn_t ldconfig_exec_t:file { read execute open execute_no_trans };
Comment 1 Daniel Walsh 2010-08-21 06:59:27 EDT
Anyone have any idea why this tool would be executing ldconfig?
Comment 2 Dominick Grift 2010-08-21 10:19:48 EDT
Why this is happening i do not know, and the folk on #telepathy seem to not know either. 

to quote "dgrift: butterfly is a python app, I don't see why it should run ldconfig"

What i do know is that telepathy-butterfly (probably not haze) needs it. I had to add the following to my policy to make this work:

libs_run_ldconfig($1_tp_butterfly_t, $2)
exec_files_pattern($1_tp_butterfly_t, tp_butterfly_tmp_t, tp_butterfly_tmp_t) 

please note that in Fedora, telepathy-butterfly runs in the telepathy_msn_t domain.
Comment 3 Daniel Walsh 2010-08-23 11:32:27 EDT
*** Bug 624763 has been marked as a duplicate of this bug. ***
Comment 4 Daniel Walsh 2010-08-23 11:36:06 EDT
Wouldn't it be better to just let it execute it and see what access is needed. ldconfig_t is a pretty powerful domain.
Comment 5 Dominick Grift 2010-08-23 11:40:33 EDT
Agreed, i will remove that rules, and see if i can reproduce with just execute_no_trans. will report back
Comment 6 Dominick Grift 2010-08-23 12:15:50 EDT
Well i loaded it with corecmd_exec_bin commented and with libs_exec_ldconfig.

It seems to only run uname so far, and if it runs ldconfig then so far it appears it does not need any permissions it doesnt have already.

Note though that i havent been able to test butterfly long and thorougly (i dont have butterfly contacts fortunately)

Not sure if you got these already:

it manage a dir, file and sock file in /tmp
it stream connects to gvfsd (for you thats userdom), plus it also read/write gvfsd inherited stream sockets.

I will lets it run for a while , maybe some new issues arise, if so i will report back
Comment 7 Mildred 2010-09-04 08:53:59 EDT
I noticed that issue as well, if you need a MSN contact, you could contact me at: mildred.msn<at>free.fr
Comment 8 Dominick Grift 2010-09-04 09:19:20 EDT
I cannot reproduce it but it runs ldconfig on its temporary file. (Do not ask me why)

So my suggestion is:

Allow telepathy_msn_t to execute ldconfig_exec_t (ldconfig_exec(telepathy_msn_t)).
Allow telepathy_msn_t to execute its own temporary files (can_exec(telepathy_msn_t, telepathy_msn_tmp_t).
Comment 9 Daniel Walsh 2010-09-07 16:12:32 EDT
Fixed in selinux-policy-3.9.3-1.fc14
Comment 10 Fedora Update System 2010-09-08 14:41:38 EDT
selinux-policy-3.9.3-1.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.3-1.fc14
Comment 11 Fedora Update System 2010-09-09 00:12:19 EDT
selinux-policy-3.9.3-1.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.3-1.fc14
Comment 12 Fedora Update System 2010-09-10 23:41:05 EDT
selinux-policy-3.9.3-1.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.