Re: selinux prelink avc's (broken paths in policy?)

[dragoran <dragoran@xxxxxxxxxxxxxxx>]

dragoran wrote:
> dragoran wrote:
> > Paul Howarth wrote:
> > > On Tue, 2006-05-23 at 16:28 +0200, dragoran wrote:
> > >  
> > > > dragoran wrote:
> > > >   
> > > > > dragoran wrote:
> > > > >     
> > > > > > audit(1147793154.831:353): avc:  denied  { execute_no_trans } 
> > > > > > for  pid=5195 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163 
> > > > > > scontext=system_u:system_r:prelink_t:s0 
> > > > > > tcontext=system_u:object_r:lib_t:s0 tclass=file
> > > > > > audit(1147793154.831:354): avc:  denied  { execute_no_trans } 
> > > > > > for  pid=5196 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163 
> > > > > > scontext=system_u:system_r:prelink_t:s0 
> > > > > > tcontext=system_u:object_r:lib_t:s0 tclass=file
> > > > > > audit(1147793155.019:355): avc:  denied  { execute_no_trans } 
> > > > > > for  pid=5197 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163 
> > > > > > scontext=system_u:system_r:prelink_t:s0 
> > > > > > tcontext=system_u:object_r:lib_t:s0 tclass=file
> > > > > > audit(1147793155.447:356): avc:  denied  { execute_no_trans } 
> > > > > > for  pid=5198 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163 
> > > > > > scontext=system_u:system_r:prelink_t:s0 
> > > > > > tcontext=system_u:object_r:lib_t:s0 tclass=file
> > > > > > audit(1147793156.255:357): avc:  denied  { execute_no_trans } 
> > > > > > for  pid=5199 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163 
> > > > > > scontext=system_u:system_r:prelink_t:s0 
> > > > > > tcontext=system_u:object_r:lib_t:s0 tclass=file
> > > > > > I am using FC5 with selinux-policy-targeted-2.2.36-2.fc5
> > > > > > whats gonig on? is a file misslabeled or is this a policy bug?
> > > > > >
> > > > > > --
> > > > > > fedora-selinux-list mailing list
> > > > > > fedora-selinux-list@xxxxxxxxxx
> > > > > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> > > > > >
> > > > > >
> > > > > >         
> > > > > hello?
> > > > > any solution for this problem?
> > > > >
> > > > >
> > > > >       
> > > > it happend again...
> > > > am I the only  one seeing this?
> > > > audit(1148393411.538:2907): avc:  denied  { execute_no_trans } for  
> > > > pid=16856 comm="prelink" name="ld-2.4.so" dev=md0 ino=8060939 
> > > > scontext=system_u:system_r:prelink_t:s0 
> > > > tcontext=system_u:object_r:lib_t:s0 tclass=file
> > > > audit(1148393411.794:2908): avc:  denied  { execmod } for  
> > > > pid=16859 comm="ld-linux.so.2" name="libGLcore.so.1.0.8762" dev=md0 
> > > > ino=29797475 scontext=system_u:system_r:prelink_t:s0 
> > > > tcontext=root:object_r:lib_t:s0 tclass=file
> > > > audit(1148393411.814:2909): avc:  denied  { execmod } for  
> > > > pid=16860 comm="ld-linux.so.2" name="libnvidia-tls.so.1.0.8762" 
> > > > dev=md0 ino=30869146 scontext=system_u:system_r:prelink_t:s0 
> > > > tcontext=root:object_r:lib_t:s0 tclass=file
> > > > audit(1148393412.438:2910): avc:  denied  { unlink } for  pid=13702 
> > > > comm="prelink" name="prelink.cache" dev=md0 ino=7012828 
> > > > scontext=system_u:system_r:prelink_t:s0 
> > > > tcontext=user_u:object_r:etc_t:s0 tclass=file
> > > > prelink seems to be completly broken and nobody seems to notice it?
> > > >     
> > >
> > > I'm not seeing this anywhere.
> > >
> > > Perhaps it's because /lib/ld-2.4.so is lib_t rather than ld_so_t on 
> > > your
> > > system?
> > >
> > > Paul.
> > >
> > >
> > >
> > >   
> > ls -Z /lib/ld-2.4.so
> > -rwxr-xr-x  root     root     system_u:object_r:ld_so_t        
> > /lib/ld-2.4.so
> > ls -Z /lib64/ld-2.4.so
> > -rwxr-xr-x  root     root     system_u:object_r:lib_t
> > seems that you are correct lets hope that this wont happen again.
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list@xxxxxxxxxx
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> this *is* a bug
> restorecon /lib64/ld-2.4.so
> does not change it to ld_so_t (had to do a chcon)

I did a complete relabel and the result is
ls -Z /lib64/ld-2.4.so
-rwxr-xr-x  root     root     system_u:object_r:lib_t          
/lib64/ld-2.4.so
I also noticed this:
drwxr-xr-x  root     root     system_u:object_r:bin_t          bin
drwxr-xr-x  root     root     system_u:object_r:boot_t         boot
drwxr-xr-x  root     root     system_u:object_r:device_t       dev
drwxr-xr-x  root     root     system_u:object_r:etc_t          etc
drwxr-xr-x  root     root     system_u:object_r:home_root_t    home
drwxr-xr-x  root     root     system_u:object_r:lib_t          lib
drwxr-xr-x  root     root     system_u:object_r:lib_t          lib64
drwx------  root     root     system_u:object_r:lost_found_t   lost+found
drwxr-xr-x  root     root     system_u:object_r:mnt_t          media
drwxr-xr-x  root     root     system_u:object_r:mnt_t          misc
drwxr-xr-x  root     root     system_u:object_r:mnt_t          mnt
dr-xr-xr-x  root     root     system_u:object_r:mnt_t          net
drwxr-xr-x  root     root     system_u:object_r:usr_t          opt
dr-xr-xr-x  root     root     system_u:object_r:proc_t         proc
drwxr-x---  root     root     root:object_r:user_home_dir_t    root
drwxr-xr-x  root     root     system_u:object_r:sbin_t         sbin
drwxr-xr-x  root     root     system_u:object_r:security_t     selinux
drwxr-xr-x  root     root     system_u:object_r:var_t          srv
drwxr-xr-x  root     root     system_u:object_r:sysfs_t        sys
drwxrwxrwt  root     root     system_u:object_r:tmp_t          tmp
drwxr-xr-x  root     root     system_u:object_r:usr_t          usr
drwxr-xr-x  root     root     system_u:object_r:var_t          var
looks incorrect too whats going on here?

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list