Bug 820763 - SELinux is preventing /usr/sbin/prelink (prelink_t) "read" on prelink.conf (tmp_t).
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 7
Hardware: i386
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-05-10 22:19 UTC by nemo.anome
Modified: 2012-05-11 05:17 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2012-05-11 05:17:34 UTC
Type: Bug
Embargoed:



Description nemo.anome 2012-05-10 22:19:28 UTC
Description of problem:
SELinux prevents prelink from reading its own config file, /etc/prelink.conf (whose relation to prelink is documented in prelink's man page) because it is not an executable or shared library.

Version-Release number of selected component (if applicable):
setroubleshoot 1.9.4
prelink 1.0
Linux localhost.localdomain 2.6.23.17-88.fc7 #1 SMP Thu May 15 00:35:10 EDT 2008 i686 i686 i386 GNU/Linux

How reproducible:
It happened at least twice (maybe 6 times) within 37 days.  The last time was after I used the workaround recommended in the error message.

Steps to Reproduce:
1. Uncertain. It may be associated with installing software via the Add/Remove Software utility.
2. According to its man page, many options of /usr/sbin/prelink should access that file.
3.
  
Actual results:
A star appears on the menu bar at the top of the screen.  Clicking the star opens SE Troubleshoot.  The last message is as shown in Additional Info, below.

Expected results:
None.

Additional info:
Error message verbatim:
Summary
SELinux is preventing /usr/sbin/prelink (prelink_t) "read" on prelink.conf (tmp_t).
Detailed Description
SELinux denied prelink read on prelink.conf. The prelink program is only allowed to manipulate files that are identified as executables or shared librares by SELinux. Libraries that get placed in lib directories get labeled by default as a shared library. Similarly executables that get placed in a bin or sbin directory get labeled as executables by SELinux. However, if these files get installed in other directories they might not get the correct label. If prelink is trying to manipulate a file that is not a binary or share library this may indicate an intrusion attack.
Allowing Access
You can alter the file context by executing chcon -t bin_t prelink.conf or chcon -t lib_t prelink.conf if it is a shared library. If you want to make these changes permanant you must execute the semanage command. semanage fcontext -a -t bin_t prelink.conf or semanage fcontext -a -t shlib_t prelink.conf. If you feel this executable/shared library is in the wrong location please file a bug against the package that includes the file, if you feel that SELinux should know about this file and label it correctly please file a bug against SELinux policy.
Additional Information
Source Context:  system_u:system_r:prelink_t
Target Context:  user_u:object_r:tmp_t
Target Objects:  prelink.conf [ file ]
Affected RPM Packages:  prelink-0.3.10-1 [application]
Policy RPM:  selinux-policy-2.6.4-70.fc7
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.prelink_mislabled
Host Name:  localhost.localdomain
Platform:  Linux localhost.localdomain 2.6.23.17-88.fc7 #1 SMP Thu May 15 00:35:10 EDT 2008 i686 i686
Alert Count:  6
First Seen:  Wed 04 Apr 2012 11:41:59 AM CDT
Last Seen:  Thu 10 May 2012 12:17:26 PM CDT
Local ID:  d98ec444-f258-413b-a7e7-574ca2e9fa22
Line Numbers:  
Raw Audit Messages
 :avc: denied { read } for comm="prelink" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/prelink" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="prelink.conf" pid=5268 scontext=system_u:system_r:prelink_t:s0 sgid=0 subj=system_u:system_r:prelink_t:s0 suid=0 tclass=file tcontext=user_u:object_r:tmp_t:s0 tty=(none) uid=0

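As an added example (not part of the bug report or of setroubleshoot): a small Python parser for the raw AVC record quoted above, which extracts the source and target SELinux types and checks whether the plugin's relabel advice (chcon -t bin_t / lib_t) actually fits the denial. The audit line is copied from this report; the set of temporary-directory types and the ".conf" name heuristic are assumptions of the example.

```python
import re
from typing import Dict, List

# AVC record copied from the "Raw Audit Messages" section of the report above.
AVC_FROM_REPORT = (
    'avc: denied { read } for comm="prelink" dev=dm-0 egid=0 euid=0 '
    'exe="/usr/sbin/prelink" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 '
    'name="prelink.conf" pid=5268 scontext=system_u:system_r:prelink_t:s0 '
    'sgid=0 subj=system_u:system_r:prelink_t:s0 suid=0 tclass=file '
    'tcontext=user_u:object_r:tmp_t:s0 tty=(none) uid=0'
)

# Assumption: these types mark files living in temporary directories.
TEMP_TYPES = {"tmp_t", "user_tmp_t"}

_HEAD = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*)\}\s+for\s+(.*)')
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line: str) -> Dict[str, object]:
    """Split an AVC line into decision, permission list and key=value fields."""
    m = _HEAD.search(line)
    if not m:
        raise ValueError("not an AVC record")
    rec: Dict[str, object] = {"decision": m.group(1), "perms": m.group(2).split()}
    for key, val in _FIELD.findall(m.group(3)):
        rec[key] = val.strip('"')  # quoted values lose their quotes
    return rec


def selinux_type(context: str) -> str:
    """user:role:type[:range] -> type."""
    return context.split(":")[2]


def triage(rec: Dict[str, object]) -> Dict[str, object]:
    """Does 'relabel it bin_t/lib_t' make sense for this denial?
    That advice only fits an executable or library sitting in an unusual
    directory. A file in a temp directory, or one named like a config
    file (heuristic: ends in .conf), is neither, so the advice does not apply."""
    src = selinux_type(str(rec["scontext"]))
    tgt = selinux_type(str(rec["tcontext"]))
    name = str(rec.get("name", ""))
    in_temp = tgt in TEMP_TYPES
    config_like = name.endswith(".conf")
    return {
        "source_type": src,
        "target_type": tgt,
        "relabel_advice_applies": not (in_temp or config_like),
        "reason": ("target is a temp-directory file" if in_temp else
                   "target is named like a config file" if config_like else
                   "target may be a misplaced binary; verify before relabeling"),
    }
```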
Comment 1 Miroslav Grepl 2012-05-11 05:17:34 UTC
Please update to a newer version of Fedora which is supported. Fedora 7 is no longer supported.