Bug 995876 - cron reports "failed to issue method call: Access denied" from prelink daily job
cron reports "failed to issue method call: Access denied" from prelink daily job
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
19
x86_64 Linux
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-08-11 14:20 EDT by Paul DeStefano
Modified: 2013-08-21 20:54 EDT (History)
10 users (show)

See Also:
Fixed In Version: selinux-policy-3.12.1-71.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-08-21 20:54:28 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Paul DeStefano 2013-08-11 14:20:27 EDT
Description of problem:
Cron reports the following (after reboot, not every day):
                                                                               
/etc/cron.daily/prelink:

Failed to issue method call: Access denied

prelink.log shows this:

/usr/sbin/prelink -av -mR -q
/usr/sbin/prelink: /usr/lib64/gnucash/libgnc-core-utils.so.0: Could not find one of the dependencies
Assigned virtual address space slots for 64-bit x86-64 ELF libraries:
/usr/lib64/libaio.so.1.0.1                                   00000039b7600000-00000039b7801050
...

Version-Release number of selected component (if applicable):

prelink-0.5.0-1.fc19.x86_64
gnucash-2.4.13-1.fc19.x86_64

How reproducible:
Happens after reboot.

Steps to Reproduce:
1. Reboot
2. wait for cron to to run prelink
3.

Actual results:
Cron reports the following (after reboot, not every day):
                                                                               
/etc/cron.daily/prelink:

Failed to issue method call: Access denied

Expected results:
no errors reported

Additional info:
Comment 1 John Florian 2013-08-12 18:58:04 EDT
I see something almost just like this, but I don't think gnucash is to blame (although I do have it installed).  Here's what I found in prelink.log:

/usr/sbin/prelink -av -mR
/usr/sbin/prelink: /usr/lib64/gnucash/libgnc-core-utils.so.0: Could not find one of the dependencies
/usr/sbin/prelink: /usr/lib64/thunderbird/plugin-container: Could not find one of the dependencies
Laying out 40 libraries in virtual address space 0000003000000000-0000004000000000


I too have prelink-0.5.0-1.fc19.x86_64.
Comment 2 Paul DeStefano 2013-08-13 01:53:38 EDT
Hmm, okay, you could be right.  I rebooted yesterday and didn't get the error reported by cron, despite the fact that the prelink.log shows the same error line.

Sounds like they could be two unrelated errors.

And, mabye the prelink error from cron is fixed, now?  Are you still getting errors reported from cron?
Comment 3 John Florian 2013-08-13 11:08:40 EDT
I got one again this morning.  With a little more investigating, I'm now mostly convinced this is a SELinux policy problem.  I assume you have SEL enabled too?

$ sudo grep prelink /var/log/audit/audit.log
type=USER_AVC msg=audit(1375478420.341:116): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  denied  { reload } for auid=0 uid=0 gid=0 cmdline="/sbin/telinit u" scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=system  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1376378479.284:474): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  denied  { reload } for auid=0 uid=0 gid=0 cmdline="/sbin/telinit u" scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=system  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Paul, can you change the Component this bug is filed for?

BTW, I have:

$ rpm -qa selinux-policy\*
selinux-policy-targeted-3.12.1-69.fc19.noarch
selinux-policy-3.12.1-69.fc19.noarch
selinux-policy-devel-3.12.1-69.fc19.noarch
Comment 4 Paul DeStefano 2013-08-13 17:57:04 EDT
Hmm, I do have SELinux enabled.  But I don't have any SELinux warnings showing up in the troubleshooter applet.  I have that audit message, too:

type=USER_AVC msg=audit(1376129768.248:4962): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  denie
d  { reload } for auid=0 uid=0 gid=0 cmdline="/sbin/telinit u" scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=sys
tem_u:system_r:init_t:s0 tclass=system  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

But, it's for telinit, not prelink.  I agree, the prelink_cron_system_t bit is suspicious, but even then, I doubt it is related to the error regarding the gnucash library.  The times match my e-mails, so these AVC events are clearly caused by the cron job.  But, it's not clear than the library error is related to that.  The fact that SETroubleshooter isn't reporting the violation makes me think that's a known issue, at least.

How about this...Let's leave this bug for "/usr/sbin/prelink: /usr/lib64/gnucash/libgnc-core-utils.so.0: Could not find one of the dependencies".  Do you want to start a new bug for the AVC message we are both getting?  We can link the two bugs together.
Comment 5 Mark Wielaard 2013-08-15 15:26:07 EDT
I think this isn't prelink, but systemd. It is systemd that reports the error message "failed to issue method call: Access denied" not prelink.
Comment 6 Paul DeStefano 2013-08-15 15:43:50 EDT
But, I filed this bug against gnucash, not prelink.  John and I figured that the two messages were unrelated.  I think John opened a new bug for the "Access denied" message.

John, can you link that bug to this one?
Comment 7 John Florian 2013-08-15 16:50:11 EDT
I haven't had a chance to file another bug yet.  I *do* think that the messages are related though.  My impression is that SELinux policy is affecting systemd's telinit.  It looks like the prelink task calls "telinit u" when done, which hardly seems surprising.
Comment 8 Bill Nottingham 2013-08-15 16:51:41 EDT
Actually, in reading some more, pretty sure it's just a policy bug. Moving to selinux policy.
Comment 9 Mark Wielaard 2013-08-15 16:56:30 EDT
(In reply to John Florian from comment #7)
> My impression is that SELinux policy is
> affecting systemd's telinit.  It looks like the prelink task calls "telinit
> u" when done, which hardly seems surprising.

Indeed it does at the very end of /etc/cron.daily/prelink:

# Restart init if needed
[ -n "$(find `ldd /sbin/init | awk 'NF == 4 { print $3 }'` /sbin/init -ctime -1 2>/dev/null )" ] && /sbin/telinit u

exit 0
Comment 10 Paul DeStefano 2013-08-15 17:30:33 EDT
Hehehe.  Okay okay, I give.  I clearly have lost this bug.

When I posted this bug, I was reporting the message from prelink about a problem with the gnucash library.  That has nothing to do with telinit which occurs, conditionally, at the end of the script.

message "failed to issue method call: Access denied" is *not* related to message "/usr/sbin/prelink: /usr/lib64/gnucash/libgnc-core-utils.so.0: Could not find one of the dependencies"

I guess this is my punishment for trying to write a more complete bug title.  I should have changed it.  I will open a new bug.
Comment 11 John Florian 2013-08-16 08:58:02 EDT
Paul, I'm sorry.  My intention was never to hijack a bug report.  I assure you my actions weren't out of laziness but merely a desire for an efficient resolution to a bug whose only downside I'm aware of was annoying/concerning system generated email alerts.

I do think your gnucash issue is related, I just don't think it's gnucash at fault here.  As we've already seen prelink is calling telinit -u when this happens.  Reading the man page for telinit's -u option makes me believe that every/any running process *might* look like a victim if there were a SEL policy issue with respect to systemd.  I'm guessing you had gnucash running at the time.  I know I had thunderbird running.

In other words, I think this particular bug is one of those that make us look the wrong way first, but the ultimate correction yields improvements all over the place.  I could be entirely wrong though.  If I know how to consistently reproduce this issue, I'd simply do so with SEL disabled temporarily to see the effect.
Comment 12 Daniel Walsh 2013-08-16 13:51:12 EDT
394fa1cc64c9c47d5c5976664a3d080d907fe194 fixes the prelink problem in git.
Comment 13 Fedora Update System 2013-08-20 04:27:41 EDT
selinux-policy-3.12.1-71.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-71.fc19
Comment 14 Paul DeStefano 2013-08-20 17:28:35 EDT
John, no worries, the error is mine; I didn't (still don't really) understand the connection.  But, I finally recognize what you are getting at.

The mesg regarding gnucash libs seems to occur before the 'telinit -u' command, though, right?  That was my main reason for assuming it couldn't be related.  I'm still not sure under what conditions 'telinit' is issued, but that's not important.  I also don't understand what systemd is doing, either; what does it mean to "re-serialize" in this context?  But that's probably not for this bug.

In any case, you are obviously right.  Thanks to all for getting it fixed.
Comment 15 Fedora Update System 2013-08-20 20:16:35 EDT
Package selinux-policy-3.12.1-71.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-71.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-15088/selinux-policy-3.12.1-71.fc19
then log in and leave karma (feedback).
Comment 16 Fedora Update System 2013-08-21 20:54:28 EDT
selinux-policy-3.12.1-71.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.