selinux-policy-targeted update is dangerous
Daniel J Walsh
dwalsh at redhat.com
Wed Jun 29 19:09:14 UTC 2005
Arthur Pemberton wrote:
>
> From /var/log/yum.log:
>
> Jun 27 04:25:18 Updated: selinux-policy-targeted.noarch 1.17.30-3.13
> Jun 27 04:26:21 Updated: selinux-policy-targeted-sources.noarch
> 1.17.30-3.13
> ------------------------------------------------
>
> Since then things have come tumbling down; here are samples of the errors:
>
> Jun 27 04:25:27 Romeo kernel: audit(1119860727.362:0): avc: denied {
> execmod } for pid=6990 comm=sendmail path=/lib/tls/libm-2.3.5.so
> dev=dm-0 ino=5455897 scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:lib_t tclass=file
>
> Jun 27 04:30:01 Romeo kernel: audit(1119861001.392:0): avc: denied {
> execmod } for pid=6994 comm=crond path=/lib/libnsl-2.3.5.so dev=dm-0
> ino=5455874 scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:lib_t tclass=file
>
> Jun 27 04:30:01 Romeo kernel: audit(1119861001.413:0): avc: denied {
> execmod } for pid=6994 comm=crond path=/lib/libcrypt-2.3.5.so dev=dm-0
> ino=5455909 scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:lib_t tclass=file
>
> Jun 27 04:53:38 Romeo kernel: audit(1119862418.204:0): avc: denied {
> execmem } for pid=4238 comm=mysqld scontext=user_u:system_r:mysqld_t
> tcontext=user_u:system_r:mysqld_t tclass=process
>
> Jun 27 08:22:09 Romeo kernel: audit(1119874929.566:0): avc: denied {
> connect } for pid=4251 exe=/usr/sbin/httpd
> scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:httpd_t
> tclass=tcp_socket
> -------------------------------------------------------------
>
> The most noticeable result of all this is that mysql has died:
>
> 050627 07:19:27 mysqld started
> 050627 7:19:28 [Warning] Asked for 196608 thread stack, but got 126976
> 050627 7:19:28 [ERROR] Fatal error: Can't change to run as user
> 'mysql' ; Please check that the user exists!
>
> (I still have not been able to figure out where the mysql user
> disappeared to)
>
> Since mysql has been killed by this prob, it has taken down my smtp
> and imap server with it, along with two of my database driven
> websites. Currently, php claims to not even know about the function
> mysql_connect()
>
> I am going to attempt to rectify the issues with audit2allow. My
> system was working properly when I went to bed, i.e. pre yum update.
>
selinux-policy-targeted-1.17.30-3.15 fixes this problem. Coming in
tonight's updates.
ftp://people.redhat.com/dwalsh/SELinux/FC3/selinux-policy-targeted-1.17.30-3.16
is also available now.
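Before passing denials like those quoted above to audit2allow, it helps to group them by source type, target type, object class and permission, so that repeated denials with one shape stand out. The Python below is an added example and not part of either message; its function names are hypothetical, and the sample input is four of the quoted denials with the mail line-wrapping undone.

```python
import re
from collections import Counter

# Four denials copied from the quoted report, with mail line-wrapping undone.
SAMPLE_LOG = """\
Jun 27 04:25:27 Romeo kernel: audit(1119860727.362:0): avc: denied { execmod } for pid=6990 comm=sendmail path=/lib/tls/libm-2.3.5.so dev=dm-0 ino=5455897 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
Jun 27 04:30:01 Romeo kernel: audit(1119861001.392:0): avc: denied { execmod } for pid=6994 comm=crond path=/lib/libnsl-2.3.5.so dev=dm-0 ino=5455874 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
Jun 27 04:53:38 Romeo kernel: audit(1119862418.204:0): avc: denied { execmem } for pid=4238 comm=mysqld scontext=user_u:system_r:mysqld_t tcontext=user_u:system_r:mysqld_t tclass=process
Jun 27 08:22:09 Romeo kernel: audit(1119874929.566:0): avc: denied { connect } for pid=4251 exe=/usr/sbin/httpd scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line):
    """Parse one kernel AVC denial line; return None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated or mangled record
    return {
        "perms": m.group("perms").split(),
        "source": type_of(fields["scontext"]),
        "target": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        # Older records carry comm=, some carry exe= instead.
        "process": fields.get("comm") or fields.get("exe", "?"),
    }

def summarize(log_text):
    """Count denials per (source, target, class, perm) and list the processes hit."""
    counts, procs = Counter(), {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            key = (rec["source"], rec["target"], rec["tclass"], perm)
            counts[key] += 1
            procs.setdefault(key, set()).add(rec["process"])
    return counts, procs

if __name__ == "__main__":
    counts, procs = summarize(SAMPLE_LOG)
    for key, n in counts.most_common():
        print(n, *key, sorted(procs[key]))
```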