Bug 840032 - selinux is preventing rm from unlinking prelink.cache
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
All Linux
unspecified Severity medium
Assigned To: Miroslav Grepl
Milos Malik
Reported: 2012-07-13 09:46 EDT by Ondrej Moriš
Modified: 2013-02-15 03:48 EST
Doc Type: Bug Fix
Last Closed: 2012-07-23 13:32:41 EDT
Type: Bug
Description Ondrej Moriš 2012-07-13 09:46:17 EDT
Gnutls contains a self-test which runs with root privileges; it calls 'rm' (I guess), and during the test an AVC appears:

Info: Searching AVC errors produced since 1341847120.51 (Mon Jul  9 11:18:40 2012)
Searching logs...
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 07/09/2012 11:18:40 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.7DLP0C 2>&1'
time->Mon Jul  9 11:23:26 2012
type=AVC msg=audit(1341847406.271:2709): avc:  denied  { unlink } for  pid=50541 comm="rm" name="prelink.cache" dev="dm-2" ino=924345 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks.
	Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.7DLP0C | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.7_eFYk 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      26
Running 'rpm -q selinux-policy || true'

Version-Release number of selected component (if applicable):


Steps to Reproduce: 

1. download gnutls source rpm, build it and run its self-test (make check)
Comment 1 Miroslav Grepl 2012-07-17 03:34:29 EDT
prelink.cache should be labeled as prelink_cache_t. Is this file created by a test somehow?
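
The check in Comment 1 (target type etc_t where prelink_cache_t is expected) can be applied mechanically to the AVC record from the description. This is an added example, not part of the original bug or of any Red Hat tooling; the EXPECTED_TYPE table and the function names are assumptions, with its single entry taken from Comment 1.

```python
import re

# Assumption: expected type per file name; the one entry comes from Comment 1.
# Keyed on the basename because the AVC record only carries name=, not a path.
EXPECTED_TYPE = {"prelink.cache": "prelink_cache_t"}

# The AVC record quoted in the bug description.
SAMPLE = ('type=AVC msg=audit(1341847406.271:2709): avc:  denied  { unlink } for  '
          'pid=50541 comm="rm" name="prelink.cache" dev="dm-2" ino=924345 '
          'scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 '
          'tcontext=unconfined_u:object_r:etc_t:s0 tclass=file')

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the fields in one AVC record, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["result"] = m.group("result")
    rec["perms"] = m.group("perms").split()
    for key in ("scontext", "tcontext"):
        # Context is user:role:type:level; the level may itself contain colons.
        parts = rec.get(key, "").split(":", 3)
        if len(parts) >= 3:
            rec[key[0] + "type"] = parts[2]  # stored as "stype" / "ttype"
    return rec


def triage(line):
    """Separate probable labeling problems from denials that need a policy look."""
    rec = parse_avc(line)
    if rec is None or rec["result"] != "denied":
        return None
    expected = EXPECTED_TYPE.get(rec.get("name"))
    verdict = "mislabeled" if expected and rec.get("ttype") != expected else "policy"
    return (verdict, rec.get("stype"), rec.get("ttype"), expected)


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A "mislabeled" verdict points at the file's label rather than at a missing allow rule in selinux-policy.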
Comment 2 Milos Malik 2012-07-17 04:04:38 EDT
The following commands were executed on an x86_64 machine where RHEL-7.0-20120711.2 is installed:

# rpm -ivh gnutls-2.12.18-1.el7.src.rpm
# yum -y install guile-devel libtool lzo-devel libtasn1-devel readline-devel zlib-devel p11-kit-devel libgcrypt-devel
# rpmbuild -bc rpmbuild/SPECS/gnutls.spec
# cd rpmbuild/BUILD/gnutls-2.12.18/
# make check
# ausearch -m avc -ts today
<no matches>
Comment 3 Daniel Walsh 2012-07-23 13:32:41 EDT
I guess this is either fixed or is not a bug.
