Jason L Tibbitts III wrote:
>>>>>>"MWC" == Michael W Carney <michael.es.carney@xxxxxxxxxxxxx> writes:
>
>
> MWC> Jul 1 07:40:13 lucy-01 kernel: audit(1120228813.336:0): avc:
> MWC> denied { execmod } for pid=5567 comm=gpg path=/usr/bin/gpg
> MWC> dev=sdb5 ino=67343 scontext=user_u:system_r:unconfined_t
> MWC> tcontext=system_u:object_r:bin_t tclass=file
>
> I'm seeing the same thing. If I do
>
> chcon system_u:object_r:shlib_t /usr/bin/gpg
>
> then things work again, but that's probably the wrong thing to do.
That is an acceptable workaround. /usr/bin/gpg from FC3 has two relocations
to .text, which targeted policy does not allow.
-----selected lines from: readelf --all /usr/bin/gpg
LOAD 0x000000 0x00000000 0x00000000 0xa1920 0xa1920 R E 0x1000
LOAD 0x0a2000 0x000a2000 0x000a2000 0x031e4 0x04768 RW 0x1000
0x00000016 (TEXTREL) 0x0 ## the clue
Relocation section '.rel.dyn' at offset 0x2194 contains 794 entries:
Offset Info Type Sym.Value Sym. Name
0007922e 00000008 R_386_RELATIVE ## 0x7933e < 0xa1920
000792be 00000008 R_386_RELATIVE
000a20fc 00000008 R_386_RELATIVE
-----
Those .text relocations are not present in FC4.
It is possible to find all such cases of brokenness by using
readelf --dynamic main_or_.so | grep TEXTREL
for all executable modules (main programs, shared libraries, dynamic modules).
The maintainers of selinux-policy-targeted should have done so,
and warned in the changelog.
--
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
