Bug 812100 - SELinux is preventing dmesg from 'read' accesses on the file /etc/ld.so.cache.
SELinux is preventing dmesg from 'read' accesses on the file /etc/ld.so.cache.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
17
i686 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
abrt_hash:09d0c6831594f2b5a34f90dc3d1...
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-04-12 14:20 EDT by Mikhail
Modified: 2012-04-25 00:59 EDT (History)
9 users (show)

See Also:
Fixed In Version: selinux-policy-3.10.0-118.fc17
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-04-25 00:59:26 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Mikhail 2012-04-12 14:20:37 EDT
libreport version: 2.0.10
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.3.1-3.fc17.i686.PAE
time:           Пт. 13 апр. 2012 00:20:25

description:
:SELinux is preventing dmesg from 'read' accesses on the file /etc/ld.so.cache.
:
:*****  Plugin restorecon (94.8 confidence) suggests  *************************
:
:If you want to fix the label. 
:/etc/ld.so.cache default label should be ld_so_cache_t.
:Then you can run restorecon.
:Do
:# /sbin/restorecon -v /etc/ld.so.cache
:
:*****  Plugin catchall_labels (5.21 confidence) suggests  ********************
:
:If you want to allow dmesg to have read access on the ld.so.cache file
:Then you need to change the label on /etc/ld.so.cache
:Do
:# semanage fcontext -a -t FILE_TYPE '/etc/ld.so.cache'
:where FILE_TYPE is one of the following: locale_t, dmesg_t, proc_t, sysfs_t, abrt_t, lib_t, ld_so_t, cpu_online_t, dmesg_exec_t, afs_cache_t, abrt_helper_exec_t, textrel_shlib_t, rpm_script_tmp_t, ld_so_cache_t, user_cron_spool_t, abrt_var_run_t, udev_var_run_t, abrt_var_run_t, sysctl_kernel_t, puppet_tmp_t, sysctl_crypto_t. 
:Then execute: 
:restorecon -v '/etc/ld.so.cache'
:
:
:*****  Plugin catchall (1.44 confidence) suggests  ***************************
:
:If you believe that dmesg should be allowed read access on the ld.so.cache file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep dmesg /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:dmesg_t:s0
:Target Context                unconfined_u:object_r:etc_t:s0
:Target Objects                /etc/ld.so.cache [ file ]
:Source                        dmesg
:Source Path                   dmesg
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           
:Target RPM Packages           glibc-2.15-32.fc17.i686
:Policy RPM                    selinux-policy-3.10.0-110.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.3.1-3.fc17.i686.PAE #1 SMP Wed Apr 4
:                              18:53:45 UTC 2012 i686 i686
:Alert Count                   1
:First Seen                    Чт. 12 апр. 2012 09:26:19
:Last Seen                     Чт. 12 апр. 2012 09:26:19
:Local ID                      d6d87a03-38f9-4f35-b159-bf0e7c5bc79e
:
:Raw Audit Messages
:type=AVC msg=audit(1334201179.8:6): avc:  denied  { read } for  pid=600 comm="dmesg" name="ld.so.cache" dev="sda2" ino=155329 scontext=system_u:system_r:dmesg_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
:
:
:Hash: dmesg,dmesg_t,etc_t,file,read
:
:audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
:
:
:audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
:
:
Comment 1 Daniel Walsh 2012-04-12 17:14:35 EDT
The alert told you what to do.

restorecon /etc/ld.so.cache
Comment 2 Mikhail 2012-04-16 13:25:24 EDT
restorecon /etc/ld.so.cache not solve problem This alert continues to appear.
Comment 3 Daniel Walsh 2012-04-16 14:28:38 EDT
ls -lZ /etc/ld.so.cache
Comment 4 Mikhail 2012-04-17 11:37:57 EDT
mikhail@p5k:~$ ls -lZ /etc/ld.so.cache
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0   /etc/ld.so.cache
Comment 5 Daniel Walsh 2012-04-17 16:46:37 EDT
restorecon /etc/ld.so.cache
ls -lZ /etc/ld.so.cache
Comment 6 Mikhail 2012-04-18 16:02:43 EDT
mikhail@p5k:~$ ls -lZ /etc/ld.so.cache
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0   /etc/ld.so.cache
mikhail@p5k:~$ sudo restorecon /etc/ld.so.cache
mikhail@p5k:~$ ls -lZ /etc/ld.so.cache
-rw-r--r--. root root unconfined_u:object_r:ld_so_cache_t:s0 /etc/ld.so.cache
mikhail@p5k:~$
Comment 7 Miroslav Grepl 2012-04-20 02:31:23 EDT
So you are able to see the /etc/ld.so.cache label is back on etc_t somehow?

log out/in?
Comment 8 Daniel Walsh 2012-04-20 08:37:55 EDT
Somehow /etc/ld.so.cache file got mislabeled?  Was this an initial install?  Install from livecd?  Running restorecon on /etc/ld.so.cache will fix the label, as the setroubleshoot tells you.   Does the file become mislabeled again?  


If we could figure out how it got mislabeled we would gladly fixed it, if we get one bug from one person reporting a file is mislabeled, and do not hear about it from others, we assume it is a one off and tell the user to follow what setroubleshoot told them to do.  If we see it repeatedly or from multiple users we will do our best to investigate what is going on.

We have a rule in policy now that says if any unconfined domain creates this file it will get labeled correctly,  This include unconfined_t, initrc_t, rpm_t, rpm_script_t.  So I do not know how it got mislabeled.  Does the file first get created with a different name and then renamed to /etc/ld.so.cache_t?
Comment 9 Edward Sheldrake 2012-04-20 14:20:22 EDT
(In reply to comment #8)
> We have a rule in policy now that says if any unconfined domain creates this
> file it will get labeled correctly,  This include unconfined_t, initrc_t,
> rpm_t, rpm_script_t.  So I do not know how it got mislabeled.  Does the file
> first get created with a different name and then renamed to /etc/ld.so.cache_t?

According to the output of "strace ldconfig", the file is created as "/etc/ld.so.cache~" then renamed to "/etc/ld.so.cache".
Comment 10 Mikhail 2012-04-21 14:30:16 EDT
> So you are able to see the /etc/ld.so.cache label is back on etc_t somehow?
Yes
> log out/in?
I don't know reason why label is back on etc. I don't know when it occurs. I try reproduce it with log out/in and switch user, but still can not get the exact sequence of steps to reproduce the problem.
Comment 11 Daniel Walsh 2012-04-22 07:44:03 EDT
/etc/ld.so.cache~ is also created with the correct label.
rm -f /etc/ld.so.cache~
touch /etc/ld.so.cache~
ls -lZ /etc/ld.so.cache~
-rw-r--r--. root root staff_u:object_r:ld_so_cache_t:s0 /etc/ld.so.cache~
rm -f /etc/ld.so.cache~

 rpm -q selinux-policy
selinux-policy-3.10.0-116.fc17.noarch

Are you running in permissive mode?

Mikhail can you fix the label, then log out and back in and see if it is still correct?   If it is can you reboot and see if it is still correct?  We are just trying to figure out which app is recreating the file with the wrong label.
Comment 12 Mikhail 2012-04-22 08:20:53 EDT
mikhail@p5k:~$ sudo ls -lZ /etc/ld.so.cache~
ls: cannot access /etc/ld.so.cache~: No such file or directory
mikhail@p5k:~$ sudo touch /etc/ld.so.cache~
mikhail@p5k:~$ sudo ls -lZ /etc/ld.so.cache~
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0   /etc/ld.so.cache~
mikhail@p5k:~$ sudo rm -f /etc/ld.so.cache~
mikhail@p5k:~$ rpm -q selinux-policy
selinux-policy-3.10.0-116.fc17.noarch

> Are you running in permissive mode?

mikhail@p5k:~$ sudo getenforce
Enforcing

> Mikhail can you fix the label, then log out and back in and see if it is still
correct?   If it is can you reboot and see if it is still correct?  We are just
trying to figure out which app is recreating the file with the wrong label.


Seems ldconfig recreating the file with the wrong label.

mikhail@p5k:~$ sudo ls -lZ /etc/ld.so.cache
-rw-r--r--. root root unconfined_u:object_r:ld_so_cache_t:s0 /etc/ld.so.cache
mikhail@p5k:~$ sudo /sbin/ldconfig
mikhail@p5k:~$ sudo ls -lZ /etc/ld.so.cache
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0   /etc/ld.so.cache
mikhail@p5k:~$ sudo restorecon /etc/ld.so.cache
mikhail@p5k:~$ sudo ls -lZ /etc/ld.so.cache
-rw-r--r--. root root unconfined_u:object_r:ld_so_cache_t:s0 /etc/ld.so.cache
mikhail@p5k:~$
Comment 13 Miroslav Grepl 2012-04-23 08:46:44 EDT
Does 

$ yum reinstall selinux-policy-targeted

blow-up?
Comment 14 Mikhail 2012-04-23 08:59:35 EDT
mikhail@ao521:~$ sudo yum reinstall selinux-policy-targeted
[sudo] password for mikhail: 
Loaded plugins: langpacks, presto, priorities, refresh-packagekit
60 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package selinux-policy-targeted.noarch 0:3.10.0-116.fc17 will be reinstalled
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================================================
 Package                             Arch               Version                        Repository          Size
================================================================================================================
Reinstalling:
 selinux-policy-targeted             noarch             3.10.0-116.fc17                fedora             3.6 M

Transaction Summary
================================================================================================================
Reinstall  1 Package

Total download size: 3.6 M
Installed size: 13 M
Is this ok [y/N]: y
Downloading Packages:
selinux-policy-targeted-3.10.0-116.fc17.noarch.rpm                                       | 3.6 MB     00:17     
Running Transaction Check
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : selinux-policy-targeted-3.10.0-116.fc17.noarch                                               1/1 
  Verifying  : selinux-policy-targeted-3.10.0-116.fc17.noarch                                               1/1 

Installed:
  selinux-policy-targeted.noarch 0:3.10.0-116.fc17                                                              

Complete!
mikhail@ao521:~$ sudo ls -lZ /etc/ld.so.cache~
ls: cannot access /etc/ld.so.cache~: No such file or directory
mikhail@ao521:~$ sudo touch /etc/ld.so.cache~
mikhail@ao521:~$ sudo ls -lZ /etc/ld.so.cache~
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0   /etc/ld.so.cache~
mikhail@ao521:~$ sudo rm -f /etc/ld.so.cache~
mikhail@ao521:~$ 

Seems it not help...
Comment 15 Daniel Walsh 2012-04-23 11:18:19 EDT
Strange this works on my two machines.  

Can you try 
sudo sh
id -Z
touch /etc/ld.so.cache~
ls -lZ /etc/ld.so.cache~

sesearch -T -s unconfined_t | grep ld.so.cache~

If you don't have sesearch, you can get it with 
yum install setools-console
Comment 16 Pedro Francisco 2012-04-23 11:50:28 EDT
I have the same problem; F17 installed from preupgrade from F16, x86.

sh-4.2# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
sh-4.2# touch /etc/ld.so.cache~
sh-4.2# ls -lZ /etc/ld.so.cache~
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0   /etc/ld.so.cache~
sh-4.2# sesearch -T -s unconfined_t | grep ld.so.cache~
WARNING: Policy would be downgraded from version 27 to 26.
type_transition unconfined_t etc_t : file ld_so_cache_t "ld.so.cache~!"; 
sh-4.2#
Comment 17 Daniel Walsh 2012-04-23 12:18:16 EDT
Strange.  I do not see the exclamation point on my machine.

rpm -q selinux-policy libsemanage libsepol checkpolicy
Comment 18 Daniel Walsh 2012-04-23 12:20:02 EDT
 sesearch -T -s unconfined_t | grep ld.so.cache~
type_transition unconfined_t etc_t : file ld_so_cache_t "ld.so.cache~"; 

rpm -q selinux-policy libsemanage libsepol checkpolicy
selinux-policy-3.10.0-116.fc17.noarch
libsemanage-2.1.6-3.fc17.x86_64
libsepol-2.1.5-2.fc17.x86_64
checkpolicy-2.1.9-2.fc17.x86_64
Comment 19 Pedro Francisco 2012-04-23 12:27:43 EDT
Same versions, except I'm on i686.

$ sudo rpm -q selinux-policy libsemanage libsepol checkpolicy
selinux-policy-3.10.0-116.fc17.noarch
libsemanage-2.1.6-3.fc17.i686
libsepol-2.1.5-2.fc17.i686
checkpolicy-2.1.9-2.fc17.i686
Comment 20 Miroslav Grepl 2012-04-23 13:13:58 EDT
This also works on my machines.
Comment 21 Daniel Walsh 2012-04-23 13:40:17 EDT
Mikhail 

Are you also seeing "ld.so.cache~!"
Comment 22 Mikhail 2012-04-23 13:47:05 EDT
mikhail@p5k:~$ sudo sh
sh-4.2# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
sh-4.2# touch /etc/ld.so.cache~
sh-4.2# ls -lZ /etc/ld.so.cache~
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0   /etc/ld.so.cache~
sh-4.2# sesearch -T -s unconfined_t | grep ld.so.cache~
sh: sesearch: command not found
sh-4.2# yum install setools-console
Loaded plugins: langpacks, presto, priorities, refresh-packagekit
citrus-it-fedora                                         | 2.9 kB     00:00 ... 
fedora/metalink                                          |  17 kB     00:00     
fedora                                                   | 4.2 kB     00:00     
fedora/primary_db                                        |  12 MB     00:14     
fedora/group_gz                                          | 434 kB     00:01     
google-chrome                                            |  951 B     00:00     
google-talkplugin                                        |  951 B     00:00     
rpmfusion-free                                           | 3.3 kB     00:00     
rpmfusion-free-updates                                   | 1.2 kB     00:00     
rpmfusion-free-updates-testing                           | 3.3 kB     00:00     
rpmfusion-free-updates-testing/primary_db                |  49 kB     00:00     
rpmfusion-nonfree                                        | 3.3 kB     00:00     
rpmfusion-nonfree-updates                                | 1.2 kB     00:00     
rpmfusion-nonfree-updates-testing                        | 3.3 kB     00:00     
rpmfusion-nonfree-updates-testing/primary_db             | 7.8 kB     00:00     
updates/metalink                                         |  28 kB     00:00     
updates-testing/metalink                                 |  22 kB     00:00     
updates-testing                                          | 4.5 kB     00:00     
updates-testing/primary_db                               | 4.5 MB     00:16     
updates-testing/group_gz                                 | 434 kB     00:02     
60 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package setools-console.i686 0:3.3.7-21.fc17 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                Arch        Version                 Repository     Size
================================================================================
Installing:
 setools-console        i686        3.3.7-21.fc17           fedora        326 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 326 k
Installed size: 891 k
Is this ok [y/N]: y
Downloading Packages:
setools-console-3.3.7-21.fc17.i686.rpm                   | 326 kB     00:00     
Running Transaction Check
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : setools-console-3.3.7-21.fc17.i686                           1/1 
  Verifying  : setools-console-3.3.7-21.fc17.i686                           1/1 

Installed:
  setools-console.i686 0:3.3.7-21.fc17                                          

Complete!
sh-4.2# sesearch -T -s unconfined_t | grep ld.so.cache~
WARNING: Policy would be downgraded from version 27 to 26.
type_transition unconfined_t etc_t : file ld_so_cache_t "ld.so.cache~!"; 
sh-4.2# rpm -q selinux-policy libsemanage libsepol checkpolicy
selinux-policy-3.10.0-116.fc17.noarch
libsemanage-2.1.6-3.fc17.i686
libsepol-2.1.5-2.fc17.i686
checkpolicy-2.1.9-2.fc17.i686
sh-4.2#
Comment 23 Daniel Walsh 2012-04-23 13:59:12 EDT
Looks like we might have an i686 versus x86_64 problem.
Comment 24 Eric Paris 2012-04-23 16:28:55 EDT
Took some hunting, but it looks like we found the bug.  I'm sure Dan will keep you updated as new packages are available, however the fix it going to require changes to libsepol and a rebuild of checkpolicy and selinux-policy-targeted with the fix the libsepol.
Comment 25 Daniel Walsh 2012-04-23 20:57:31 EDT
Fixed in selinux-policy-3.10.0-118.fc17
Comment 26 Fedora Update System 2012-04-23 21:03:05 EDT
selinux-policy-3.10.0-118.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-118.fc17
Comment 27 Fedora Update System 2012-04-23 23:15:15 EDT
Package selinux-policy-3.10.0-118.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-118.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-6452/selinux-policy-3.10.0-118.fc17
then log in and leave karma (feedback).
Comment 28 Mikhail 2012-04-24 05:06:31 EDT
mikhail@ao521:~$ sudo ls -lZ /etc/ld.so.cache~                     
ls: cannot access /etc/ld.so.cache~: No such file or directory
mikhail@ao521:~$ sudo touch /etc/ld.so.cache~                     
mikhail@ao521:~$ sudo ls -lZ /etc/ld.so.cache~                     
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0   /etc/ld.so.cache~
mikhail@ao521:~$ sudo rm -f /etc/ld.so.cache~                     
mikhail@ao521:~$ sudo rpm -q selinux-policy
selinux-policy-3.10.0-118.fc17.noarch
mikhail@ao521:~$ 

It's normal??
Comment 29 Mikhail 2012-04-24 05:17:27 EDT
mikhail@ao521:~$ ls -lZ /etc/ld.so.cache
-rw-r--r--. root root unconfined_u:object_r:ld_so_cache_t:s0 /etc/ld.so.cache
mikhail@ao521:~$ sudo /sbin/ldconfig 
[sudo] password for mikhail: 
mikhail@ao521:~$ ls -lZ /etc/ld.so.cache
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0   /etc/ld.so.cache
mikhail@ao521:~$ sudo restorecon -v /etc/ld.so.cache
restorecon reset /etc/ld.so.cache context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:ld_so_cache_t:s0
mikhail@ao521:~$ ls -lZ /etc/ld.so.cache
-rw-r--r--. root root unconfined_u:object_r:ld_so_cache_t:s0 /etc/ld.so.cache
mikhail@ao521:~$ sudo rpm -q selinux-policy
selinux-policy-3.10.0-118.fc17.noarch
mikhail@ao521:~$
Comment 30 Pedro Francisco 2012-04-24 06:02:55 EDT
I can't apply karma (I have to sign the thingie; will do it some other day).

# rpm -q selinux-policy libsemanage libsepol checkpolicy selinux-policy-3.10.0-118.fc17.noarch
libsemanage-2.1.6-3.fc17.i686
libsepol-2.1.5-3.fc17.i686
checkpolicy-2.1.9-4.fc17.i686
# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# rm /etc/ld.so.cache~
rm: cannot remove `/etc/ld.so.cache~': No such file or directory
# touch /etc/ld.so.cache~
# ls -lZ /etc/ld.so.cache~
-rw-r--r--. root root unconfined_u:object_r:ld_so_cache_t:s0 /etc/ld.so.cache~
# sesearch -T -s unconfined_t | grep ld.so.cache~
ERROR: policydb magic number 0x000008 does not match expected magic number 0xf97cff8c or 0xf97cff8d
ERROR: Unable to open policy /sys/fs/selinux/policy.
ERROR: Success

(?????)
Comment 31 Mikhail 2012-04-24 06:25:32 EDT
[root@ao521 ~]# rpm -q selinux-policy libsemanage libsepol checkpolicy
selinux-policy-3.10.0-118.fc17.noarch
libsemanage-2.1.6-3.fc17.i686
libsepol-2.1.5-2.fc17.i686
checkpolicy-2.1.9-4.fc17.i686
[root@ao521 ~]# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@ao521 ~]# rm /etc/ld.so.cache~
rm: cannot remove `/etc/ld.so.cache~': No such file or directory
[root@ao521 ~]# touch /etc/ld.so.cache~
[root@ao521 ~]# ls -lZ /etc/ld.so.cache~
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0   /etc/ld.so.cache~
[root@ao521 ~]# sesearch -T -s unconfined_t | grep ld.so.cache~
ERROR: policydb magic number 0x000008 does not match expected magic number 0xf97cff8c or 0xf97cff8d
ERROR: Unable to open policy /sys/fs/selinux/policy.
ERROR: Success

Why patch not working for me?
Comment 32 Mikhail 2012-04-24 16:00:32 EDT
mikhail@ao521:~$ sudo /sbin/ldconfig 
mikhail@ao521:~$ ls -lZ /etc/ld.so.cache
-rw-r--r--. root root unconfined_u:object_r:ld_so_cache_t:s0 /etc/ld.so.cache
mikhail@ao521:~$ 

I do not understand what happened. But now it seems patch working. Thanks...
Comment 33 Fedora Update System 2012-04-25 00:59:26 EDT
selinux-policy-3.10.0-118.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.