On Fri, 2004-12-24 at 12:19 -0800, Ulrich Drepper wrote:
> Paul wrote:
> > glibc is also knackered (fails to map correctly).
>
> That is extremely unlikely, especially since I run it (and the latest
> policy as well).
>
> Since nobody has posted any actual information I must guess that some
> files are mislabeled. E.g., ldconfig for some reason creates updated
> glibc DSOs with
>
>   system_u:object_r:lib_t
>
> instead of
>
>   system_u:object_r:shlib_t
>
> This difference is crucial since the policy now is restrictive when it
> comes to mapping files for execution. So, take a look at the output of
>
>   ls -lZ /lib /lib/tls /usr/lib
>
> (and for related directories). If any DSO uses lib_t instead of
> shlib_t, fix the label. The easiest way to do this is to relabel the
> entire filesystem. More info at

Except for one thing. At least in my case, I *have* relabeled the
filesystem. Twice. But since you asked, here is some actual information:

===
ws187:root:493)# slogin iadonisi@ws187
iadonisi@ws187's password:
Last login: Fri Dec 24 15:58:18 2004 from ws187.local.linuxlobbyist.org
audit(1103921912.627:0): avc: denied { transition } for pid=5909 exe=/usr/sbin/sshd path=/bin/bash dev=dm-0 ino=588724 scontext=root:system_r:initrc_t tcontext=user_u:system_r:unconfined_t tclass=process
/bin/bash: Permission denied
Connection to ws187 closed.
ws187:root:494)#
===

And even after relabeling, ls -lZ does in fact show DSOs with lib_t
instead of shlib_t. I could try relabeling these DSOs manually, though
it does make me a little nervous, but it does seem to indicate there
might be something wrong with selinux-policy-targeted.

FYI, this is a fully updated rawhide system, minus the swig and xfce4
packages due to some dependency problems.

--
-Paul Iadonisi
 Senior System Administrator
 Red Hat Certified Engineer / Local Linux Lobbyist
 Ever see a penguin fly? -- Try Linux.
 GPL all the way: Sell services, don't lease secrets
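An added example, not part of the original message or of any Fedora tooling: one way to run the label check discussed above, listing shared objects whose SELinux type is lib_t rather than shlib_t. The function names and the sample labels are constructed for illustration; the input format ("context path" per line) is an assumption that matches what GNU `stat -c '%C %n'` prints.

```shell
#!/bin/sh
# Added example: report DSOs labelled lib_t instead of shlib_t.
# On a live system the input could be produced with, for instance:
#   find /lib /lib/tls /usr/lib -type f -name '*.so*' -exec stat -c '%C %n' {} +
# -type f keeps symlinks to DSOs out of the report; they carry their own label.

# find_mislabeled_dsos: read "<context> <path>" lines on stdin and print
# "<type><TAB><path>" for every shared object whose type field is lib_t.
find_mislabeled_dsos() {
    awk '
    {
        ctx = $1
        path = $0
        sub(/^[^ \t]+[ \t]+/, "", path)      # keep paths that contain spaces
        # only shared objects: name.so or name.so.N[.N...]
        if (path !~ /\.so(\.[0-9]+)*$/) next
        # context is user:role:type, optionally followed by :level fields
        n = split(ctx, f, ":")
        if (n < 3) { printf "unparsed\t%s\n", path; next }
        if (f[3] == "lib_t") printf "%s\t%s\n", f[3], path
    }'
}

# sample_labels: constructed input, not taken from the system in the message.
sample_labels() {
    cat <<'EOF'
system_u:object_r:shlib_t /lib/libc-2.3.4.so
system_u:object_r:lib_t /lib/tls/libc-2.3.4.so
system_u:object_r:lib_t /lib/modules/README
system_u:object_r:lib_t:s0 /usr/lib/libexample.so.1.2
system_u:object_r:shlib_t:s0 /usr/lib/lib with space.so
EOF
}

# Demo run over the constructed sample.
sample_labels | find_mislabeled_dsos
```

An empty report on a system that still shows the sshd transition denial would suggest the library labels are not the cause of that particular AVC message.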