Red Hat Bugzilla – Bug 820763
SELinux is preventing /usr/sbin/prelink (prelink_t) "read" on prelink.conf (tmp_t).
Last modified: 2012-05-11 01:17:34 EDT
Description of problem: SELinux prevents prelink from reading its own config file, /etc/prelink.conf (who's relation to prelink is documented in prelink's man page) because it is not an executable or shared library. Version-Release number of selected component (if applicable): setroubleshoot 1.9.4 prelink 1.0 Linux localhost.localdomain 2.6.23.17-88.fc7 #1 SMP Thu May 15 00:35:10 EDT 2008 i686 i686 i386 GNU/Linux How reproducible: It happened at least twice (maybe 6 times) within 37 days. The last time was after I used the workaround recommended in the error message. Steps to Reproduce: 1. Uncertain. It may be associated with installing software via the Add/Remove Software utility. 2. According to its man page, many options of /usr/sbin/prelink should access that file. 3. Actual results: A star appears on the menu bar at the top of the screen. Clicking the star opens SE Troubleshoot. The last message is as shown in Additional Info, below. Expected results: None. Additional info: Error message verbatim: Summary SELinux is preventing /usr/sbin/prelink (prelink_t) "read" on prelink.conf (tmp_t). Detailed Description SELinux denied prelink read on prelink.conf. The prelink program is only allowed to manipulate files that are identified as executables or shared librares by SELinux. Libraries that get placed in lib directories get labeled by default as a shared library. Similarly executables that get placed in a bin or sbin directory get labeled as executables by SELinux. However, if these files get installed in other directories they might not get the correct label. If prelink is trying to manipulate a file that is not a binary or share library this may indicate an intrusion attack. Allowing Access You can alter the file context by executing chcon -t bin_t prelink.conf or chcon -t lib_t prelink.conf if it is a shared library. If you want to make these changes permanant you must execute the semanage command. semanage fcontext -a -t bin_t prelink.conf or semanage fcontext -a -t shlib_t prelink.conf. If you feel this executable/shared library is in the wrong location please file a bug against the package that includes the file, if you feel that SELinux should know about this file and label it correctly please file a bug against SELinux policy. Additional Information Source Context: system_u:system_r:prelink_t Target Context: user_u:object_r:tmp_t Target Objects: prelink.conf [ file ] Affected RPM Packages: prelink-0.3.10-1 [application] Policy RPM: selinux-policy-2.6.4-70.fc7 Selinux Enabled: True Policy Type: targeted MLS Enabled: True Enforcing Mode: Enforcing Plugin Name: plugins.prelink_mislabled Host Name: localhost.localdomain Platform: Linux localhost.localdomain 2.6.23.17-88.fc7 #1 SMP Thu May 15 00:35:10 EDT 2008 i686 i686 Alert Count: 6 First Seen: Wed 04 Apr 2012 11:41:59 AM CDT Last Seen: Thu 10 May 2012 12:17:26 PM CDT Local ID: d98ec444-f258-413b-a7e7-574ca2e9fa22 Line Numbers: Raw Audit Messages :avc: denied { read } for comm="prelink" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/prelink" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="prelink.conf" pid=5268 scontext=system_u:system_r:prelink_t:s0 sgid=0 subj=system_u:system_r:prelink_t:s0 suid=0 tclass=file tcontext=user_u:object_r:tmp_t:s0 tty=(none) uid=0
Please update to a newer version of Fedora which is supported. Fedora 7 is no longer supported.