selinux-policy-targeted update is dangerous

Daniel J Walsh dwalsh at redhat.com
Wed Jun 29 19:09:14 UTC 2005


Arthur Pemberton wrote:

>
> From /var/log/yum.log:
>
> Jun 27 04:25:18 Updated: selinux-policy-targeted.noarch 1.17.30-3.13
> Jun 27 04:26:21 Updated: selinux-policy-targeted-sources.noarch 
> 1.17.30-3.13
> ------------------------------------------------
>
> Since then things have come tumbling down; here are samples of the errors:
>
> Jun 27 04:25:27 Romeo kernel: audit(1119860727.362:0): avc:  denied  { 
> execmod } for  pid=6990 comm=sendmail path=/lib/tls/libm-2.3.5.so 
> dev=dm-0 ino=5455897 scontext=user_u:system_r:unconfined_t 
> tcontext=system_u:object_r:lib_t tclass=file
>
> Jun 27 04:30:01 Romeo kernel: audit(1119861001.392:0): avc:  denied  { 
> execmod } for  pid=6994 comm=crond path=/lib/libnsl-2.3.5.so dev=dm-0 
> ino=5455874 scontext=user_u:system_r:unconfined_t 
> tcontext=system_u:object_r:lib_t tclass=file
>
> Jun 27 04:30:01 Romeo kernel: audit(1119861001.413:0): avc:  denied  { 
> execmod } for  pid=6994 
> comm=crond path=/lib/libcrypt-2.3.5.so dev=dm-0 ino=5455909 
> scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t 
> tclass=file
>
> Jun 27 04:53:38 Romeo kernel: audit(1119862418.204:0): avc:  denied  { 
> execmem } for  pid=4238 comm=mysqld scontext=user_u:system_r:mysqld_t 
> tcontext=user_u:system_r:mysqld_t tclass=process
>
> Jun 27 08:22:09 Romeo kernel: audit(1119874929.566:0): avc:  denied  { 
> connect } for  pid=4251 exe=/usr/sbin/httpd 
> scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:httpd_t 
> tclass=tcp_socket
> -------------------------------------------------------------
>
> The most noticeable result of all this is that mysql has died:
>
> 050627 07:19:27  mysqld started
> 050627  7:19:28 [Warning] Asked for 196608 thread stack, but got 126976
> 050627  7:19:28 [ERROR] Fatal error: Can't change to run as user 
> 'mysql' ;  Please check that the user exists!
>
> (I still have not been able to figure out where the mysql user 
> disappeared to)
>
> Since mysql has been killed by this prob, it has taken down my smtp 
> and imap server with it, along with two of my database driven 
> websites. Currently, php claims to not even know about the function 
> mysql_connect()
>
> I am going to attempt to rectify the issues with audit2allow. My 
> system was working properly when I went to bed, i.e. pre yum update.
>

selinux-policy-targeted-1.17.30-3.15 fixes this problem.  Coming in 
tonight's updates.

ftp://people.redhat.com/dwalsh/SELinux/FC3/selinux-policy-targeted-1.17.30-3.16 
is also available now.
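
As an added example (not part of the original thread), this Python sketch parses AVC denials like those quoted above, even when they are mail-wrapped and `>`-quoted, and groups them by source type, target type, class and permission so the denials introduced by a policy update can be triaged at a glance. The function names `parse_avc` and `summarize` are hypothetical; the sample records are copied from the quoted message.

```python
import re
from collections import Counter

# Four denials from the quoted message, kept mail-wrapped and ">"-quoted.
QUOTED = """\
> Jun 27 04:25:27 Romeo kernel: audit(1119860727.362:0): avc:  denied  {
> execmod } for  pid=6990 comm=sendmail path=/lib/tls/libm-2.3.5.so
> dev=dm-0 ino=5455897 scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:lib_t tclass=file
> Jun 27 04:30:01 Romeo kernel: audit(1119861001.392:0): avc:  denied  {
> execmod } for  pid=6994 comm=crond path=/lib/libnsl-2.3.5.so dev=dm-0
> ino=5455874 scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:lib_t tclass=file
> Jun 27 04:53:38 Romeo kernel: audit(1119862418.204:0): avc:  denied  {
> execmem } for  pid=4238 comm=mysqld scontext=user_u:system_r:mysqld_t
> tcontext=user_u:system_r:mysqld_t tclass=process
> Jun 27 08:22:09 Romeo kernel: audit(1119874929.566:0): avc:  denied  {
> connect } for  pid=4251 exe=/usr/sbin/httpd
> scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:httpd_t
> tclass=tcp_socket
"""

def parse_avc(text):
    """Return one dict per AVC denial, tolerating '>' quoting and line wraps."""
    flat = " ".join(line.lstrip("> ").strip() for line in text.splitlines())
    records = []
    for chunk in flat.split("avc:")[1:]:
        perms = re.search(r"denied\s+\{([^}]*)\}", chunk)
        fields = dict(re.findall(r"(\w+)=(\S+)", chunk))
        if perms is None or not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # not a denial, or a record too damaged to classify
        fields["perms"] = perms.group(1).split()
        # Contexts in these logs are user:role:type; the type is what policy keys on.
        fields["source_type"] = fields["scontext"].split(":")[2]
        fields["target_type"] = fields["tcontext"].split(":")[2]
        records.append(fields)
    return records

def summarize(records):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for r in records:
        for perm in r["perms"]:
            counts[(r["source_type"], r["target_type"], r["tclass"], perm)] += 1
    return counts

if __name__ == "__main__":
    for (src, tgt, cls, perm), n in summarize(parse_avc(QUOTED)).most_common():
        print(f"{n}x {src} -> {tgt} : {cls} {{ {perm} }}")
```
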

