Bug 827905 - SELinux is preventing /usr/bin/bash from 'getattr' accesses on the file /usr/sbin/ldconfig.
Product: Fedora
Classification: Fedora
Component: selinux-policy
Hardware: x86_64 / OS: Unspecified
Priority: unspecified / Severity: unspecified
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Duplicates: 827904
Reported: 2012-06-03 11:50 EDT by Jake Jackson
Modified: 2013-06-23 23:27 EDT

Fixed In Version: selinux-policy-3.10.0-170.fc17
Doc Type: Bug Fix
Last Closed: 2013-06-23 23:27:26 EDT

Description Jake Jackson 2012-06-03 11:50:29 EDT
libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.3.7-1.fc17.x86_64
time:           Sun 03 Jun 2012 05:50:15 PM CEST

SELinux is preventing /usr/bin/bash from 'getattr' accesses on the file /usr/sbin/ldconfig.
*****  Plugin catchall (100. confidence) suggests  ***************************
If you believe that bash should be allowed getattr access on the ldconfig file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:ldconfig_exec_t:s0
Target Objects                /usr/sbin/ldconfig [ file ]
Source                        sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.2.28-1.fc17.x86_64
Target RPM Packages           glibc-2.15-37.fc17.x86_64 glibc-2.15-37.fc17.i686
Policy RPM                    selinux-policy-3.10.0-125.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.3.7-1.fc17.x86_64 #1 SMP Mon May 21 22:32:19 UTC 2012 x86_64 x86_64
Alert Count                   2
First Seen                    Sun 03 Jun 2012 05:46:26 PM CEST
Last Seen                     Sun 03 Jun 2012 05:46:27 PM CEST
Local ID                      d7ebcdb7-6e76-463f-aa10-4a5ff58b0976
Raw Audit Messages
type=AVC msg=audit(1338738387.1:394): avc:  denied  { getattr } for  pid=30389 comm="sh" path="/usr/sbin/ldconfig" dev="sda1" ino=135330 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1338738387.1:394): arch=x86_64 syscall=stat success=no exit=EACCES a0=eb6e20 a1=7fff876c3a40 a2=7fff876c3a40 a3=18 items=0 ppid=30388 pid=30389 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sh exe=/usr/bin/bash subj=system_u:system_r:NetworkManager_t:s0 key=(null)
Hash: sh,NetworkManager_t,ldconfig_exec_t,file,getattr
audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
Comment 1 Miroslav Grepl 2012-06-04 06:40:16 EDT
Are you using wicd?
Comment 2 Miroslav Grepl 2012-06-04 06:51:31 EDT
*** Bug 827904 has been marked as a duplicate of this bug. ***
Comment 3 Piruthiviraj Natarajan 2012-06-20 12:54:57 EDT
Yes. I'm using Wicd and I get this error, and sometimes my network gets disconnected too.

But if I use NetworkManager the network gets disconnected too, but I don't see this error.

If you need any more details, I am here.
Comment 4 David Cantrell 2012-08-02 10:18:33 EDT

Any idea what's happening here?
Comment 5 Daniel Walsh 2012-08-02 16:09:34 EDT
We should just add ldconfig_exec(NetworkManager_t).

Not sure this is causing your "disconnections" though, I think it is just a red herring.  No idea why a wicd script would be running ldconfig.
Comment 6 David Cantrell 2012-10-23 10:26:02 EDT
wicd seems to be the incorrect component.  I'm sending this over to selinux-policy.

Also, for the record, wicd doesn't run ldconfig:

dcantrel@dado wicd- (master)$ find . -type f | xargs grep ldconfig
dcantrel@dado wicd- (master)$
Comment 7 Daniel Walsh 2012-10-24 15:20:51 EDT
Jake, any chance you have ldconfig in /etc/profile.d/* or in ~/.bash_profile?
Comment 8 Hans de Goede 2013-04-12 04:01:01 EDT
I'm seeing this too with a fully up2date F-19:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:ldconfig_exec_t:s0
Target Objects                ldconfig [ file ]
Source                        sh
Source Path                   /usr/bin/bash

type=AVC msg=audit(1365192482.263:412): avc:  denied  { execute } for  pid=1522 comm="sh" name="ldconfig" dev="sda1" ino=2507756 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1365192482.263:412): arch=x86_64 syscall=execve success=no exit=EACCES a0=16e7120 a1=16e7220 a2=16e5b60 a3=7fff046f3590 items=0 ppid=1521 pid=1522 auid=4294967295 uid=480 gid=461 euid=480 suid=480 fsuid=480 egid=461 sgid=461 fsgid=461 ses=4294967295 tty=(none) comm=sh exe=/usr/bin/bash subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

No idea where this is coming from though :| Note I do *not* have ldconfig in /etc/profile.d/*, in ~/.bash_profile, or in /var/lib/gdm/.bash_profile.
Comment 9 Hans de Goede 2013-04-12 04:37:04 EDT
Ok, so I've been grepping my entire fs for ldconfig, possible candidates are:

1) sos, which has a call to ldconfig in /usr/lib/python2.7/site-packages/sos/plugins/libraries.py.
Which ends up going through: subprocess.Popen(command, shell=True, stdout=PIPE, stderr=STDOUT, bufsize=-1)
Notice the shell=True

And sosreport gets called from:
Oh wait, that is commented out

2) python ctypes calls ldconfig, through os.popen, which also always uses a shell

So any ctypes using python program may trigger this...

3) /usr/share/hplip/installer/dcheck.py also calls ldconfig, did not check if it uses a method which goes through the shell
Comment 10 Miroslav Grepl 2013-04-12 04:45:04 EDT
cat /tmp/log |audit2allow

#============= xdm_t ==============

#!!!! This avc is allowed in the current policy
allow xdm_t ldconfig_exec_t:file execute;

Should be fixed in the latest f19 build.
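The two denials in this thread (the getattr one in the description and the execute one in comment 8) parsed the way setroubleshoot and audit2allow read them: the hash tuple mirrors the "Hash:" line in the description and the allow rule is what audit2allow printed in comment 10. This is an added example, not code from the bug report or from setroubleshoot itself; the two AVC lines are copied from the thread, the shortened SYSCALL line is constructed to show a non-AVC record being skipped, and the function names are the example's own.

```python
import re

# Two AVC records copied from this bug (description and comment 8), plus a
# constructed, shortened SYSCALL line that the parser must ignore.
SAMPLE_LINES = [
    'type=AVC msg=audit(1338738387.1:394): avc:  denied  { getattr } for  pid=30389 comm="sh" path="/usr/sbin/ldconfig" dev="sda1" ino=135330 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1338738387.1:394): arch=x86_64 syscall=stat success=no exit=EACCES',
    'type=AVC msg=audit(1365192482.263:412): avc:  denied  { execute } for  pid=1522 comm="sh" name="ldconfig" dev="sda1" ino=2507756 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare


def context_type(ctx):
    """Type field of a context user:role:TYPE[:range]; an MLS range like
    s0-s0:c0.c1023 adds more colon-separated parts but index 2 is still the type."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one 'avc: denied' record; None for SYSCALL and other record types.
    Assumes scontext, tcontext and tclass are present, as the kernel always prints them."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {}
    for fm in FIELD_RE.finditer(m.group('rest')):
        key, quoted, bare = fm.groups()
        fields[key] = quoted if quoted is not None else bare
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm', '?'),
        'stype': context_type(fields['scontext']),
        'ttype': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
        'target': fields.get('path') or fields.get('name', '?'),
    }


def setroubleshoot_hash(rec):
    """comm,source type,target type,class,permission: the shape of the 'Hash:' line."""
    return ','.join([rec['comm'], rec['stype'], rec['ttype'], rec['tclass'], rec['perms'][0]])


def allow_rule(rec):
    """The allow rule audit2allow emits for one denial (braces only for several perms)."""
    perms = rec['perms'][0] if len(rec['perms']) == 1 else '{ %s }' % ' '.join(rec['perms'])
    return 'allow %s %s:%s %s;' % (rec['stype'], rec['ttype'], rec['tclass'], perms)


def rules_for(lines):
    """Unique allow rules for every AVC denial in a batch of audit lines."""
    return sorted({allow_rule(r) for r in map(parse_avc, lines) if r is not None})


if __name__ == '__main__':
    for rec in filter(None, map(parse_avc, SAMPLE_LINES)):
        print(setroubleshoot_hash(rec), '->', allow_rule(rec))
```

The rule is what `audit2allow -M` would put in a local module; the upstream fix in comment 5 grants the same access through the ldconfig_exec() interface instead of a raw allow line.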
Comment 11 Hans de Goede 2013-04-12 05:42:45 EDT

(In reply to comment #10)
> cat /tmp/log |audit2allow
> #============= xdm_t ==============
> #!!!! This avc is allowed in the current policy
> allow xdm_t ldconfig_exec_t:file execute;
> Should be fixed in the latest f19 build.

Good, I guess my fully up2date F-19 remark was a bit misleading, since the AVC was about 10 days old; I saw it while looking in sealert at a new AVC from today (which was already filed). So at least my incarnation of this bug seems to be fixed.
Comment 12 Miroslav Grepl 2013-04-15 01:46:14 EDT
Ok. The fix has been also added to F17.
Comment 13 Fedora Update System 2013-06-07 02:59:33 EDT
selinux-policy-3.10.0-170.fc17 has been submitted as an update for Fedora 17.
Comment 14 Fedora Update System 2013-06-07 19:26:34 EDT
Package selinux-policy-3.10.0-170.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-170.fc17'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 15 Fedora Update System 2013-06-23 23:27:26 EDT
selinux-policy-3.10.0-170.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.