libreport version: 2.0.10
executable: /usr/bin/python
hashmarkername: setroubleshoot
kernel: 3.3.1-3.fc17.i686.PAE
time: Fri. 13 Apr. 2012 00:20:25
description:
SELinux is preventing dmesg from 'read' accesses on the file /etc/ld.so.cache.

***** Plugin restorecon (94.8 confidence) suggests *************************

If you want to fix the label.
/etc/ld.so.cache default label should be ld_so_cache_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /etc/ld.so.cache

***** Plugin catchall_labels (5.21 confidence) suggests ********************

If you want to allow dmesg to have read access on the ld.so.cache file
Then you need to change the label on /etc/ld.so.cache
Do
# semanage fcontext -a -t FILE_TYPE '/etc/ld.so.cache'
where FILE_TYPE is one of the following: locale_t, dmesg_t, proc_t, sysfs_t, abrt_t, lib_t, ld_so_t, cpu_online_t, dmesg_exec_t, afs_cache_t, abrt_helper_exec_t, textrel_shlib_t, rpm_script_tmp_t, ld_so_cache_t, user_cron_spool_t, abrt_var_run_t, udev_var_run_t, abrt_var_run_t, sysctl_kernel_t, puppet_tmp_t, sysctl_crypto_t.
Then execute:
restorecon -v '/etc/ld.so.cache'

***** Plugin catchall (1.44 confidence) suggests ***************************

If you believe that dmesg should be allowed read access on the ld.so.cache file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep dmesg /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:dmesg_t:s0
Target Context                unconfined_u:object_r:etc_t:s0
Target Objects                /etc/ld.so.cache [ file ]
Source                        dmesg
Source Path                   dmesg
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           glibc-2.15-32.fc17.i686
Policy RPM                    selinux-policy-3.10.0-110.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.3.1-3.fc17.i686.PAE #1 SMP Wed Apr 4 18:53:45 UTC 2012 i686 i686
Alert Count                   1
First Seen                    Thu. 12 Apr. 2012 09:26:19
Last Seen                     Thu. 12 Apr. 2012 09:26:19
Local ID                      d6d87a03-38f9-4f35-b159-bf0e7c5bc79e

Raw Audit Messages
type=AVC msg=audit(1334201179.8:6): avc: denied { read } for pid=600 comm="dmesg" name="ld.so.cache" dev="sda2" ino=155329 scontext=system_u:system_r:dmesg_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file

Hash: dmesg,dmesg_t,etc_t,file,read

audit2allow
unable to open /sys/fs/selinux/policy: Permission denied

audit2allow -R
unable to open /sys/fs/selinux/policy: Permission denied
The alert told you what to do.

restorecon /etc/ld.so.cache
restorecon /etc/ld.so.cache does not solve the problem. This alert continues to appear.
ls -lZ /etc/ld.so.cache
mikhail@p5k:~$ ls -lZ /etc/ld.so.cache
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/ld.so.cache
restorecon /etc/ld.so.cache
ls -lZ /etc/ld.so.cache
mikhail@p5k:~$ ls -lZ /etc/ld.so.cache
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/ld.so.cache
mikhail@p5k:~$ sudo restorecon /etc/ld.so.cache
mikhail@p5k:~$ ls -lZ /etc/ld.so.cache
-rw-r--r--. root root unconfined_u:object_r:ld_so_cache_t:s0 /etc/ld.so.cache
mikhail@p5k:~$
So you are able to see the /etc/ld.so.cache label is back on etc_t somehow? log out/in?
Somehow the /etc/ld.so.cache file got mislabeled? Was this an initial install? Install from livecd? Running restorecon on /etc/ld.so.cache will fix the label, as setroubleshoot tells you. Does the file become mislabeled again? If we could figure out how it got mislabeled we would gladly fix it. If we get one bug from one person reporting a file is mislabeled, and do not hear about it from others, we assume it is a one-off and tell the user to follow what setroubleshoot told them to do. If we see it repeatedly or from multiple users we will do our best to investigate what is going on. We have a rule in policy now that says if any unconfined domain creates this file it will get labeled correctly. This includes unconfined_t, initrc_t, rpm_t, rpm_script_t. So I do not know how it got mislabeled. Does the file first get created with a different name and then renamed to /etc/ld.so.cache_t?
(In reply to comment #8)
> We have a rule in policy now that says if any unconfined domain creates this
> file it will get labeled correctly, This include unconfined_t, initrc_t,
> rpm_t, rpm_script_t. So I do not know how it got mislabeled. Does the file
> first get created with a different name and then renamed to /etc/ld.so.cache_t?

According to the output of "strace ldconfig", the file is created as "/etc/ld.so.cache~" then renamed to "/etc/ld.so.cache".
> So you are able to see the /etc/ld.so.cache label is back on etc_t somehow?

Yes

> log out/in?

I don't know the reason why the label is back on etc_t. I don't know when it occurs. I tried to reproduce it with log out/in and switch user, but still cannot get the exact sequence of steps to reproduce the problem.
/etc/ld.so.cache~ is also created with the correct label.

rm -f /etc/ld.so.cache~
touch /etc/ld.so.cache~
ls -lZ /etc/ld.so.cache~
-rw-r--r--. root root staff_u:object_r:ld_so_cache_t:s0 /etc/ld.so.cache~
rm -f /etc/ld.so.cache~
rpm -q selinux-policy
selinux-policy-3.10.0-116.fc17.noarch

Are you running in permissive mode?

Mikhail, can you fix the label, then log out and back in and see if it is still correct? If it is, can you reboot and see if it is still correct? We are just trying to figure out which app is recreating the file with the wrong label.
mikhail@p5k:~$ sudo ls -lZ /etc/ld.so.cache~
ls: cannot access /etc/ld.so.cache~: No such file or directory
mikhail@p5k:~$ sudo touch /etc/ld.so.cache~
mikhail@p5k:~$ sudo ls -lZ /etc/ld.so.cache~
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/ld.so.cache~
mikhail@p5k:~$ sudo rm -f /etc/ld.so.cache~
mikhail@p5k:~$ rpm -q selinux-policy
selinux-policy-3.10.0-116.fc17.noarch

> Are you running in permissive mode?

mikhail@p5k:~$ sudo getenforce
Enforcing

> Mikhail can you fix the label, then log out and back in and see if it is still correct? If it is can you reboot and see if it is still correct? We are just trying to figure out which app is recreating the file with the wrong label.

Seems ldconfig is recreating the file with the wrong label.

mikhail@p5k:~$ sudo ls -lZ /etc/ld.so.cache
-rw-r--r--. root root unconfined_u:object_r:ld_so_cache_t:s0 /etc/ld.so.cache
mikhail@p5k:~$ sudo /sbin/ldconfig
mikhail@p5k:~$ sudo ls -lZ /etc/ld.so.cache
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/ld.so.cache
mikhail@p5k:~$ sudo restorecon /etc/ld.so.cache
mikhail@p5k:~$ sudo ls -lZ /etc/ld.so.cache
-rw-r--r--. root root unconfined_u:object_r:ld_so_cache_t:s0 /etc/ld.so.cache
mikhail@p5k:~$
Does $ yum reinstall selinux-policy-targeted blow-up?
mikhail@ao521:~$ sudo yum reinstall selinux-policy-targeted
[sudo] password for mikhail:
Loaded plugins: langpacks, presto, priorities, refresh-packagekit
60 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package selinux-policy-targeted.noarch 0:3.10.0-116.fc17 will be reinstalled
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                    Arch      Version            Repository    Size
================================================================================
Reinstalling:
 selinux-policy-targeted    noarch    3.10.0-116.fc17    fedora        3.6 M

Transaction Summary
================================================================================
Reinstall  1 Package

Total download size: 3.6 M
Installed size: 13 M
Is this ok [y/N]: y
Downloading Packages:
selinux-policy-targeted-3.10.0-116.fc17.noarch.rpm        | 3.6 MB     00:17
Running Transaction Check
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : selinux-policy-targeted-3.10.0-116.fc17.noarch      1/1
  Verifying  : selinux-policy-targeted-3.10.0-116.fc17.noarch      1/1

Installed:
  selinux-policy-targeted.noarch 0:3.10.0-116.fc17

Complete!
mikhail@ao521:~$ sudo ls -lZ /etc/ld.so.cache~
ls: cannot access /etc/ld.so.cache~: No such file or directory
mikhail@ao521:~$ sudo touch /etc/ld.so.cache~
mikhail@ao521:~$ sudo ls -lZ /etc/ld.so.cache~
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/ld.so.cache~
mikhail@ao521:~$ sudo rm -f /etc/ld.so.cache~
mikhail@ao521:~$

Seems it does not help...
Strange, this works on my two machines. Can you try

sudo sh
id -Z
touch /etc/ld.so.cache~
ls -lZ /etc/ld.so.cache~
sesearch -T -s unconfined_t | grep ld.so.cache~

If you don't have sesearch, you can get it with

yum install setools-console
I have the same problem; F17 installed from preupgrade from F16, x86.

sh-4.2# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
sh-4.2# touch /etc/ld.so.cache~
sh-4.2# ls -lZ /etc/ld.so.cache~
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/ld.so.cache~
sh-4.2# sesearch -T -s unconfined_t | grep ld.so.cache~
WARNING: Policy would be downgraded from version 27 to 26.
   type_transition unconfined_t etc_t : file ld_so_cache_t "ld.so.cache~!";
sh-4.2#
Strange. I do not see the exclamation point on my machine.

rpm -q selinux-policy libsemanage libsepol checkpolicy
sesearch -T -s unconfined_t | grep ld.so.cache~
   type_transition unconfined_t etc_t : file ld_so_cache_t "ld.so.cache~";
rpm -q selinux-policy libsemanage libsepol checkpolicy
selinux-policy-3.10.0-116.fc17.noarch
libsemanage-2.1.6-3.fc17.x86_64
libsepol-2.1.5-2.fc17.x86_64
checkpolicy-2.1.9-2.fc17.x86_64
Same versions, except I'm on i686.

$ sudo rpm -q selinux-policy libsemanage libsepol checkpolicy
selinux-policy-3.10.0-116.fc17.noarch
libsemanage-2.1.6-3.fc17.i686
libsepol-2.1.5-2.fc17.i686
checkpolicy-2.1.9-2.fc17.i686
This also works on my machines.
Mikhail Are you also seeing "ld.so.cache~!"
mikhail@p5k:~$ sudo sh
sh-4.2# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
sh-4.2# touch /etc/ld.so.cache~
sh-4.2# ls -lZ /etc/ld.so.cache~
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/ld.so.cache~
sh-4.2# sesearch -T -s unconfined_t | grep ld.so.cache~
sh: sesearch: command not found
sh-4.2# yum install setools-console
Loaded plugins: langpacks, presto, priorities, refresh-packagekit
citrus-it-fedora                                         | 2.9 kB     00:00 ...
fedora/metalink                                          |  17 kB     00:00
fedora                                                   | 4.2 kB     00:00
fedora/primary_db                                        |  12 MB     00:14
fedora/group_gz                                          | 434 kB     00:01
google-chrome                                            |  951 B     00:00
google-talkplugin                                        |  951 B     00:00
rpmfusion-free                                           | 3.3 kB     00:00
rpmfusion-free-updates                                   | 1.2 kB     00:00
rpmfusion-free-updates-testing                           | 3.3 kB     00:00
rpmfusion-free-updates-testing/primary_db                |  49 kB     00:00
rpmfusion-nonfree                                        | 3.3 kB     00:00
rpmfusion-nonfree-updates                                | 1.2 kB     00:00
rpmfusion-nonfree-updates-testing                        | 3.3 kB     00:00
rpmfusion-nonfree-updates-testing/primary_db             | 7.8 kB     00:00
updates/metalink                                         |  28 kB     00:00
updates-testing/metalink                                 |  22 kB     00:00
updates-testing                                          | 4.5 kB     00:00
updates-testing/primary_db                               | 4.5 MB     00:16
updates-testing/group_gz                                 | 434 kB     00:02
60 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package setools-console.i686 0:3.3.7-21.fc17 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package               Arch     Version             Repository     Size
================================================================================
Installing:
 setools-console       i686     3.3.7-21.fc17       fedora         326 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 326 k
Installed size: 891 k
Is this ok [y/N]: y
Downloading Packages:
setools-console-3.3.7-21.fc17.i686.rpm                    | 326 kB     00:00
Running Transaction Check
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : setools-console-3.3.7-21.fc17.i686                  1/1
  Verifying  : setools-console-3.3.7-21.fc17.i686                  1/1

Installed:
  setools-console.i686 0:3.3.7-21.fc17

Complete!
sh-4.2# sesearch -T -s unconfined_t | grep ld.so.cache~
WARNING: Policy would be downgraded from version 27 to 26.
   type_transition unconfined_t etc_t : file ld_so_cache_t "ld.so.cache~!";
sh-4.2# rpm -q selinux-policy libsemanage libsepol checkpolicy
selinux-policy-3.10.0-116.fc17.noarch
libsemanage-2.1.6-3.fc17.i686
libsepol-2.1.5-2.fc17.i686
checkpolicy-2.1.9-2.fc17.i686
sh-4.2#
Looks like we might have an i686 versus x86_64 problem.
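The two diagnostics the thread turns on are (a) reading the AVC in comment 1 as a mislabel rather than a missing allow rule, and (b) checking whether the loaded policy's name-based type_transition really names "ld.so.cache~" or the corrupted "ld.so.cache~!" seen on the i686 machines above. The following POSIX shell script is an added example, not code from the bug report or from the selinux-policy project. The constructed samples are copies of the AVC line and the two sesearch lines quoted in the thread; the `sesearch -T -s unconfined_t` invocation is the one used in the thread; the function names, return codes and the `demo` wrapper are the example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or selinux-policy). Two checks:
#  1. Is the denied object mislabelled (fix: restorecon) rather than the
#     policy lacking an allow rule (what audit2allow would paper over)?
#  2. Does the name-based type_transition for "ld.so.cache~" carry exactly
#     that filename, or a corrupted one such as "ld.so.cache~!"?

# Constructed sample: copy of the raw AVC message quoted in the report.
SAMPLE_AVC='type=AVC msg=audit(1334201179.8:6): avc: denied { read } for pid=600 comm="dmesg" name="ld.so.cache" dev="sda2" ino=155329 scontext=system_u:system_r:dmesg_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file'

# Constructed samples modelled on the sesearch lines in the thread:
# the healthy x86_64 rule and the corrupted i686 rule.
SAMPLE_TT_OK='type_transition unconfined_t etc_t : file ld_so_cache_t "ld.so.cache~";'
SAMPLE_TT_BAD='type_transition unconfined_t etc_t : file ld_so_cache_t "ld.so.cache~!";'

# Print the type field (user:role:TYPE:level) of the tcontext in an AVC line.
avc_target_type() {
    printf '%s\n' "$1" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p'
}

# 0 when the denied object does not carry the type its file context says it
# should (a mislabel: run restorecon); 1 when the label is already the
# expected one (only then is a genuine policy gap, and audit2allow, in play).
avc_is_mislabel() {
    expected=$1; line=$2
    [ "$(avc_target_type "$line")" != "$expected" ]
}

# Print the quoted filename of a name-based type_transition rule, or nothing
# if the rule has no filename component.
tt_filename() {
    printf '%s\n' "$1" | sed -n 's/.*"\([^"]*\)".*/\1/p'
}

# 0: the rule names exactly the expected file; 1: it names something else
# (e.g. trailing junk); 2: no named transition in the line at all.
tt_check() {
    expected=$1; line=$2
    name=$(tt_filename "$line")
    [ -n "$name" ] || return 2
    [ "$name" = "$expected" ]
}

# Live check against the loaded policy with the thread's sesearch invocation.
# Requires setools-console (and root to read the policy); returns 3 if absent.
tt_live_check() {
    command -v sesearch >/dev/null 2>&1 || return 3
    rule=$(sesearch -T -s unconfined_t 2>/dev/null | grep 'ld.so.cache~')
    tt_check 'ld.so.cache~' "$rule"
}

# Stand-alone demo on the constructed samples only (no SELinux needed).
demo() {
    if avc_is_mislabel ld_so_cache_t "$SAMPLE_AVC"; then
        echo "AVC: target type is $(avc_target_type "$SAMPLE_AVC"), expected ld_so_cache_t: mislabel, run restorecon"
    fi
    for r in "$SAMPLE_TT_OK" "$SAMPLE_TT_BAD"; do
        if tt_check 'ld.so.cache~' "$r"; then
            echo "transition OK: policy names '$(tt_filename "$r")'"
        else
            echo "transition BROKEN: policy names '$(tt_filename "$r")'"
        fi
    done
}
demo
```

Run it as a normal user to see the offline verdicts; call `tt_live_check` as root on a machine with setools-console to compare the loaded policy against the expected name. The point of the first check is the caveat behind the setroubleshoot output in comment 1: the catchall suggestion would build a local module allowing dmesg_t to read etc_t files, which hides the mislabel instead of fixing it, while the restorecon plugin (94.8 confidence) is the correct response. The second check shows why restorecon alone did not hold on i686: ldconfig writes "ld.so.cache~" and renames it, and a rule whose filename is encoded as "ld.so.cache~!" never matches, so the file lands on the parent directory's etc_t.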
Took some hunting, but it looks like we found the bug. I'm sure Dan will keep you updated as new packages are available; however, the fix is going to require changes to libsepol and a rebuild of checkpolicy and selinux-policy-targeted with the fixed libsepol.
Fixed in selinux-policy-3.10.0-118.fc17
selinux-policy-3.10.0-118.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-118.fc17
Package selinux-policy-3.10.0-118.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-118.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-6452/selinux-policy-3.10.0-118.fc17
then log in and leave karma (feedback).
mikhail@ao521:~$ sudo ls -lZ /etc/ld.so.cache~
ls: cannot access /etc/ld.so.cache~: No such file or directory
mikhail@ao521:~$ sudo touch /etc/ld.so.cache~
mikhail@ao521:~$ sudo ls -lZ /etc/ld.so.cache~
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/ld.so.cache~
mikhail@ao521:~$ sudo rm -f /etc/ld.so.cache~
mikhail@ao521:~$ sudo rpm -q selinux-policy
selinux-policy-3.10.0-118.fc17.noarch
mikhail@ao521:~$

Is this normal??
mikhail@ao521:~$ ls -lZ /etc/ld.so.cache
-rw-r--r--. root root unconfined_u:object_r:ld_so_cache_t:s0 /etc/ld.so.cache
mikhail@ao521:~$ sudo /sbin/ldconfig
[sudo] password for mikhail:
mikhail@ao521:~$ ls -lZ /etc/ld.so.cache
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/ld.so.cache
mikhail@ao521:~$ sudo restorecon -v /etc/ld.so.cache
restorecon reset /etc/ld.so.cache context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:ld_so_cache_t:s0
mikhail@ao521:~$ ls -lZ /etc/ld.so.cache
-rw-r--r--. root root unconfined_u:object_r:ld_so_cache_t:s0 /etc/ld.so.cache
mikhail@ao521:~$ sudo rpm -q selinux-policy
selinux-policy-3.10.0-118.fc17.noarch
mikhail@ao521:~$
I can't apply karma (I have to sign the thingie; will do it some other day).

# rpm -q selinux-policy libsemanage libsepol checkpolicy
selinux-policy-3.10.0-118.fc17.noarch
libsemanage-2.1.6-3.fc17.i686
libsepol-2.1.5-3.fc17.i686
checkpolicy-2.1.9-4.fc17.i686
# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# rm /etc/ld.so.cache~
rm: cannot remove `/etc/ld.so.cache~': No such file or directory
# touch /etc/ld.so.cache~
# ls -lZ /etc/ld.so.cache~
-rw-r--r--. root root unconfined_u:object_r:ld_so_cache_t:s0 /etc/ld.so.cache~
# sesearch -T -s unconfined_t | grep ld.so.cache~
ERROR: policydb magic number 0x000008 does not match expected magic number 0xf97cff8c or 0xf97cff8d
ERROR: Unable to open policy /sys/fs/selinux/policy.
ERROR: Success

(?????)
[root@ao521 ~]# rpm -q selinux-policy libsemanage libsepol checkpolicy
selinux-policy-3.10.0-118.fc17.noarch
libsemanage-2.1.6-3.fc17.i686
libsepol-2.1.5-2.fc17.i686
checkpolicy-2.1.9-4.fc17.i686
[root@ao521 ~]# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@ao521 ~]# rm /etc/ld.so.cache~
rm: cannot remove `/etc/ld.so.cache~': No such file or directory
[root@ao521 ~]# touch /etc/ld.so.cache~
[root@ao521 ~]# ls -lZ /etc/ld.so.cache~
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/ld.so.cache~
[root@ao521 ~]# sesearch -T -s unconfined_t | grep ld.so.cache~
ERROR: policydb magic number 0x000008 does not match expected magic number 0xf97cff8c or 0xf97cff8d
ERROR: Unable to open policy /sys/fs/selinux/policy.
ERROR: Success

Why is the patch not working for me?
mikhail@ao521:~$ sudo /sbin/ldconfig
mikhail@ao521:~$ ls -lZ /etc/ld.so.cache
-rw-r--r--. root root unconfined_u:object_r:ld_so_cache_t:s0 /etc/ld.so.cache
mikhail@ao521:~$

I do not understand what happened, but now it seems the patch is working. Thanks...
selinux-policy-3.10.0-118.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.