libreport version: 2.0.8 executable: /usr/bin/python hashmarkername: setroubleshoot kernel: 3.1.0-7.fc16.i686 reason: SELinux is preventing /sbin/ldconfig from 'write' accesses on the file /etc/shells. time: Wed 28 Mar 2012 10:03:14 PM WIT description: :SELinux is preventing /sbin/ldconfig from 'write' accesses on the file /etc/shells. : :***** Plugin catchall_labels (71.9 confidence) suggests ******************** : :If you want to allow ldconfig to have write access on the shells file :Then you need to change the label on /etc/shells :Do :# semanage fcontext -a -t FILE_TYPE '/etc/shells' :where FILE_TYPE is one of the following: ldconfig_t, ldconfig_cache_t, user_cron_spool_t, user_tmp_t, rpm_script_tmp_t, afs_cache_t, user_home_t, ld_so_cache_t, puppet_tmp_t, puppet_tmp_t, ldconfig_tmp_t. :Then execute: :restorecon -v '/etc/shells' : : :***** Plugin catchall (14.7 confidence) suggests *************************** : :If you believe that ldconfig should be allowed write access on the shells file by default. :Then you should report this as a bug. :You can generate a local policy module to allow this access. :Do :allow this access for now by executing: :# grep ldconfig /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :***** Plugin leaks (14.7 confidence) suggests ****************************** : :If you want to ignore ldconfig trying to write access the shells file, because you believe it should not need this access. :Then you should report this as a bug. :You can generate a local policy module to dontaudit this access. :Do :# grep /sbin/ldconfig /var/log/audit/audit.log | audit2allow -D -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context unconfined_u:system_r:ldconfig_t:s0-s0:c0.c1023 :Target Context system_u:object_r:etc_t:s0 :Target Objects /etc/shells [ file ] :Source ldconfig :Source Path /sbin/ldconfig :Port <Unknown> :Host (removed) :Source RPM Packages glibc-2.14.90-24.fc16.6.i686 :Target RPM Packages setup-2.8.36-3.fc16.noarch :Policy RPM selinux-policy-3.10.0-80.fc16.noarch :Selinux Enabled True :Policy Type targeted :Enforcing Mode Enforcing :Host Name (removed) :Platform Linux (removed) 3.1.0-7.fc16.i686 #1 SMP Tue Nov 1 : 21:00:16 UTC 2011 i686 i686 :Alert Count 1 :First Seen Wed 28 Mar 2012 09:56:17 PM WIT :Last Seen Wed 28 Mar 2012 09:56:17 PM WIT :Local ID ede66dfb-87af-46c5-8854-f52eae232935 : :Raw Audit Messages :type=AVC msg=audit(1332946577.810:293): avc: denied { write } for pid=14421 comm="ldconfig" path="/etc/shells" dev=sda8 ino=100 scontext=unconfined_u:system_r:ldconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file : : :type=SYSCALL msg=audit(1332946577.810:293): arch=i386 syscall=execve success=yes exit=0 a0=cb8b7b0 a1=ee82348 a2=bff73b14 a3=bff73b14 items=0 ppid=9518 pid=14421 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm=ldconfig exe=/sbin/ldconfig subj=unconfined_u:system_r:ldconfig_t:s0-s0:c0.c1023 key=(null) : :Hash: ldconfig,ldconfig_t,etc_t,file,write : :audit2allow : :#============= ldconfig_t ============== :allow ldconfig_t etc_t:file write; : :audit2allow -R : :#============= ldconfig_t ============== :allow ldconfig_t etc_t:file write; :
This is a leak. Do you know what you were doing when this hapenned.
Essentially a fresh install and yum update of Fedora 16 32bit. I've attached /var/log/messages from creation until a few minutes after the error - I shut the netbook after the yum install wget that is in the file. I have a broadcom WNIC so I may have been doing some rmmod/modprobes trying to get it working at the time.
Created attachment 573807 [details] /var/log/messages from first boot until a few minutes after the error
I would bet you that something in first boot leaked it, probally opened something in /etc/shells for write, and then never closed the descriptor. It will most likely not happen again.
If either you or we see it again, we will reopen the bug. Thank you.
I have the same issue! The "bug" impossible for me to get by, and allways shows up after the same sequence. 1. Fresh install "Fedora-16-x86_64-Live-Desktop.iso" with sha256=632b2de39033ed1d4a61959c4002e07248793eff828ac5d60edbb7b5dcd7be5c 2. After reboot, started "Software Update" using GUI or terminal "gpk-update-viewer". All 425 updates were DL and installed OK it seemed, immediately therafter the still open "Software Update" app indikated some "cleaning up" aktivities took place lasting about 1 minute. Right at, or after, what seems to be the last update in the long list the error message "GUI popup-message" shows. 3. The popup-warning stated something like SElinux /sbin/idconfig was trying to write to /etc/shell. DENIED ACCESS The warning message dissapeared without user interaction after about 5 seconds. - I have tested ISO-file checksum after DL, and also tested ready-made CD. Several disks, several installs, same result. - I have tested installs with LVM (logical volumes), and also with "regular partitions", not checking LVM during install ov Debian. Same result. - Have tested with and withoUt AHCI-mode in BIOS before installing. Same thing and always problem on same place during update. Please look into this, because I need a stable OS, and I want to leave windows, and Fedora seems to be a more security-concious project than Ubuntu. Am relly hoping for some solution or explanation of how serious this bug is for OS functionality. Thanks for previous posts. ****************************** START FROM MY "LOGFILE" ********************* SELinux is preventing /sbin/ldconfig from write access on the file /etc/shells. ***** Plugin catchall_labels (71.9 confidence) suggests ******************** If you want to allow ldconfig to have write access on the shells file Then you need to change the label on /etc/shells Do # semanage fcontext -a -t FILE_TYPE '/etc/shells' where FILE_TYPE is one of the following: ldconfig_t, ldconfig_cache_t, user_cron_spool_t, user_tmp_t, rpm_script_tmp_t, afs_cache_t, user_home_t, ld_so_cache_t, puppet_tmp_t, puppet_tmp_t, ldconfig_tmp_t. Then execute: restorecon -v '/etc/shells' ***** Plugin catchall (14.7 confidence) suggests *************************** If you believe that ldconfig should be allowed write access on the shells file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep ldconfig /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp ***** Plugin leaks (14.7 confidence) suggests ****************************** If you want to ignore ldconfig trying to write access the shells file, because you believe it should not need this access. Then you should report this as a bug. You can generate a local policy module to dontaudit this access. Do # grep /sbin/ldconfig /var/log/audit/audit.log | audit2allow -D -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ldconfig_t:s0-s0:c0.c1023 Target Context system_u:object_r:etc_t:s0 Target Objects /etc/shells [ file ] Source ldconfig Source Path /sbin/ldconfig Port <Unknown> Host (removed) Source RPM Packages glibc-2.14.90-24.fc16.6.x86_64 Target RPM Packages setup-2.8.36-3.fc16.noarch Policy RPM selinux-policy-3.10.0-80.fc16.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux PhenomX4 3.1.0-7.fc16.x86_64 #1 SMP Tue Nov 1 21:10:48 UTC 2011 x86_64 x86_64 Alert Count 1 First Seen Sat 31 Mar 2012 03:50:19 PM CEST Last Seen Sat 31 Mar 2012 03:50:19 PM CEST Local ID 2f60ddfa-0040-4cdf-a2f9-0b5fce421801 Raw Audit Messages type=AVC msg=audit(1333201819.96:132): avc: denied { write } for pid=5447 comm="ldconfig" path="/etc/shells" dev=sda3 ino=131625 scontext=system_u:system_r:ldconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file type=SYSCALL msg=audit(1333201819.96:132): arch=x86_64 syscall=execve success=yes exit=0 a0=f502e58 a1=f4aa250 a2=7fff3fb292c0 a3=7f57b521b9d0 items=0 ppid=1886 pid=5447 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ldconfig exe=/sbin/ldconfig subj=system_u:system_r:ldconfig_t:s0-s0:c0.c1023 key=(null) Hash: ldconfig,ldconfig_t,etc_t,file,write audit2allow #============= ldconfig_t ============== allow ldconfig_t etc_t:file write; audit2allow -R #============= ldconfig_t ============== allow ldconfig_t etc_t:file write; ******************************** END OF MY "LOGFILE" ********************* /end of message
Like Jonathan I got the same SELinux popup warning after doing a harddisk install from Fedora-16-x86_64-Live-Desktop.iso then applying all available software updates.
cat /etc/shells Maybe we can get a clue of the app that added an entry to /etc/shells.
The only shell which is listed is DASH. markand@office:~$ cat /media/_Fedora-16-x86_6/etc/shells /sbin/nologin /bin/dash markand@office:~$
Strange, you are going to have other problems without bash being in the list. cat /etc/shells /bin/sh /bin/bash /sbin/nologin /bin/dash I think it has something to do with bash install. rpm -q --scripts bash Shows bash adding its name to /etc/shells. Add the /bin/sh and /bin/bash line to /etc/shells, and reopen this bug if it happens again.
Fresh install, yum update. Then manually added bash ans sh into shells as adviced. Linux fedora.depot 3.1.0-7.fc16.x86_64 #1 SMP Tue Nov 1 21:10:48 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux SELinux is preventing /sbin/ldconfig from write access on the file /etc/shells. ***** Plugin catchall_labels (71.9 confidence) suggests ******************** If you want to allow ldconfig to have write access on the shells file Then you need to change the label on /etc/shells Do # semanage fcontext -a -t FILE_TYPE '/etc/shells' where FILE_TYPE is one of the following: ldconfig_t, ldconfig_cache_t, user_cron_spool_t, user_tmp_t, rpm_script_tmp_t, afs_cache_t, user_home_t, ld_so_cache_t, puppet_tmp_t, puppet_tmp_t, ldconfig_tmp_t. Then execute: restorecon -v '/etc/shells' ***** Plugin leaks (14.7 confidence) suggests ****************************** If you want to ignore ldconfig trying to write access the shells file, because you believe it should not need this access. Then you should report this as a bug. You can generate a local policy module to dontaudit this access. Do # grep /sbin/ldconfig /var/log/audit/audit.log | audit2allow -D -M mypol # semodule -i mypol.pp ***** Plugin catchall (14.7 confidence) suggests *************************** If you believe that ldconfig should be allowed write access on the shells file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep ldconfig /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:system_r:ldconfig_t:s0-s0:c0.c1023 Target Context system_u:object_r:etc_t:s0 Target Objects /etc/shells [ file ] Source ldconfig Source Path /sbin/ldconfig Port <Unknown> Host fedora.depot Source RPM Packages glibc-2.14.90-24.fc16.6.x86_64 Target RPM Packages setup-2.8.36-3.fc16.noarch Policy RPM selinux-policy-3.10.0-80.fc16.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name fedora.depot Platform Linux fedora.depot 3.1.0-7.fc16.x86_64 #1 SMP Tue Nov 1 21:10:48 UTC 2011 x86_64 x86_64 Alert Count 1 First Seen Thu 19 Apr 2012 01:01:31 AM EST Last Seen Thu 19 Apr 2012 01:01:31 AM EST Local ID 42d6c56d-b028-4327-950c-15221c9794ce Raw Audit Messages type=AVC msg=audit(1334761291.752:238): avc: denied { write } for pid=6132 comm="ldconfig" path="/etc/shells" dev=dm-1 ino=596 scontext=unconfined_u:system_r:ldconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file type=SYSCALL msg=audit(1334761291.752:238): arch=x86_64 syscall=execve success=yes exit=0 a0=8e8a538 a1=cebfaa0 a2=7fffe9b5cd78 a3=7f33789919d0 items=0 ppid=1916 pid=6132 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm=ldconfig exe=/sbin/ldconfig subj=unconfined_u:system_r:ldconfig_t:s0-s0:c0.c1023 key=(null) Hash: ldconfig,ldconfig_t,etc_t,file,write audit2allow #============= ldconfig_t ============== allow ldconfig_t etc_t:file write; audit2allow -R #============= ldconfig_t ============== allow ldconfig_t etc_t:file write;
Do you install it from LiveCD? Now you need # restorecon -Rv /etc/shells
Yes, I installed from LiveCD. As this is a local-dev machine I disabled selinux. Thanks.
What LiveCD?
Fedora 16 LXDE Spin 64-bit.
(In reply to comment #10) > Strange, you are going to have other problems without bash being in the list. > > cat /etc/shells > /bin/sh > /bin/bash > /sbin/nologin > /bin/dash > > > I think it has something to do with bash install. > > rpm -q --scripts bash > > Shows bash adding its name to /etc/shells. > > Add the /bin/sh and /bin/bash line to /etc/shells, and reopen this bug if it > happens again. This is bug 752827. If you have bash-4.2.10-4 and upgrade it, it will erase /bin/bash and /bin/sh.
I believe the whole problem is cause by bash. The postuninstall lua scriptlet is missing a close and as noted in bug 752827 comment 30, lua is embedded in rpm and the descriptor is open throughout the whole life of the rpm process. Then the /sbin/ldconfig run from some subsequent package (installed in the same transaction) will inherit it. Except, I was not able to reproduce this issue on the command line.