Selinux and K9copy
Daniel J Walsh
dwalsh at redhat.com
Fri Dec 8 20:07:24 UTC 2006
Rick Stevens wrote:
> On Thu, 2006-12-07 at 16:21 -0500, jim tate wrote:
>
>> Running tail -f /var/log/messages
>> When I execute "k9copy" w/o quotes, I get the log in /var/log/messages.
>> Same happens when running
>> as SU or user.
>> From what I can see, I'm having problems with Selinux. How do I fix
>> it? Relabel etc etc
>>
>> Dec 7 12:22:35 sysresccd kernel: audit(1165512155.670:17): avc: denied {
>> execmod } for pid=32642 comm="k9copy" name="libk9copy.so.0.0.0" dev=hda1
>> ino=3892747 scontext=user_u:system_r:unconfined_t:s0
>> tcontext=system_u:object_r:lib_t:s0 tclass=file
>> Dec 7 12:22:36 sysresccd kernel: pci_set_power_state(): 0000:02:08.0:
>> state=3, current state=5
>>
>
> If you save the relative entries to a text file somewhere and run
> "audit2why <name-of-text-file", it'll give you some suggestions.
>
Actually that will not tell you much. A much better solution would be
to run setroubleshootd. This would translate that error message to
something like the following:

Summary
SELinux is preventing k9copy from loading libk9copy.so.0.0.0 which requires
text relocation.

Detailed Description
The k9copy application attempted to load libk9copy.so.0.0.0 which requires
text relocation. This is a potential security problem. Most libraries do
not need this permission. Libraries are sometimes coded incorrectly and
request this permission. The
http://people.redhat.com/drepper/selinux-mem.html web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
libk9copy.so.0.0.0 to use relocation as a workaround, until the library is
fixed. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
against this package.

Allowing Access
If you trust libk9copy.so.0.0.0 to run correctly, you can change the file
context to textrel_shlib_t. "chcon -t textrel_shlib_t libk9copy.so.0.0.0"
The following command will allow this access:
chcon -t textrel_shlib_t libk9copy.so.0.0.0

Additional Information
Source Context         user_u:system_r:unconfined_t
Target Context         system_u:object_r:lib_t
Target Objects         libk9copy.so.0.0.0 [ file ]
Affected RPM Packages
Policy RPM
Selinux Enabled
Policy Type
MLS Enabled
Enforcing Mode
Plugin Name            plugins.allow_execmod
Host Name
Platform
Alert Count            1
Line Numbers           1
Raw Audit Messages
avc: denied { execmod } for comm="k9copy" dev=hda1 name="libk9copy.so.0.0.0"
pid=32642 scontext=user_u:system_r:unconfined_t:s0 tclass=file
tcontext=system_u:object_r:lib_t:s0
>> Jim
>>
>>
> ----------------------------------------------------------------------
> - Rick Stevens, Senior Systems Engineer rstevens at vitalstream.com -
> - VitalStream, Inc. http://www.vitalstream.com -
> - -
> - "OK, so you're a Ph.D. Just don't TOUCH anything!" -
> ----------------------------------------------------------------------
>
>
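
As an added example (not part of the original thread and not setroubleshoot's own code), the sketch below parses kernel AVC records like the one quoted above and picks out the text-relocation case, a denied execmod on a file. The function names and the third log line are constructed for illustration; the `chcon` workaround is the one quoted in the thread, and the `readelf` check is an added verification step.

```python
import re
import shlex

# The first two lines are the kernel messages from this thread (the denial
# joined onto one line); the third is a constructed non-execmod denial.
SAMPLE_LOG = [
    'Dec 7 12:22:35 sysresccd kernel: audit(1165512155.670:17): avc: denied { execmod } '
    'for pid=32642 comm="k9copy" name="libk9copy.so.0.0.0" dev=hda1 ino=3892747 '
    'scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file',
    'Dec 7 12:22:36 sysresccd kernel: pci_set_power_state(): 0000:02:08.0: state=3, current state=5',
    'Dec 7 12:23:01 sysresccd kernel: audit(1165512181.100:18): avc: denied { read } '
    'for pid=411 comm="example" name="notes.txt" dev=hda1 ino=1234 '
    'scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file',
]

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {'result': m.group(1), 'perms': m.group(2).split()}
    for key, value in KV_RE.findall(m.group(3)):
        rec[key] = value.strip('"')
    for side in ('scontext', 'tcontext'):
        # A context is user:role:type[:mls-range]; the type drives the decision.
        parts = rec.get(side, '').split(':')
        rec[side + '_type'] = parts[2] if len(parts) >= 3 else None
    return rec

def textrel_denials(lines):
    """Return one finding per denied execmod on a file (the text-relocation case)."""
    findings = []
    for rec in filter(None, map(parse_avc, lines)):
        if rec['result'] == 'denied' and 'execmod' in rec['perms'] and rec.get('tclass') == 'file':
            name = shlex.quote(rec.get('name', ''))
            findings.append({
                'process': rec.get('comm'),
                'library': rec.get('name'),
                'current_type': rec['tcontext_type'],
                # Confirm the library really carries text relocations first.
                'verify': 'readelf -d %s | grep TEXTREL' % name,
                # Workaround quoted in the thread; name= is a basename, so run
                # it from the directory that holds the library.
                'workaround': 'chcon -t textrel_shlib_t %s' % name,
            })
    return findings

if __name__ == '__main__':
    for finding in textrel_denials(SAMPLE_LOG):
        print(finding)
```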