Selinux and K9copy

Daniel J Walsh dwalsh at redhat.com
Fri Dec 8 20:07:24 UTC 2006


Rick Stevens wrote:
> On Thu, 2006-12-07 at 16:21 -0500, jim tate wrote:
>   
>> Running tail -f /var/log/messages
>> When I execute "k9copy" w/o quotes , I get the log in /var/log/messages. 
>> Same happens when running
>> as SU or user.
>>  From What I can see , I'm having problems with Selinux. How do I fix 
>> it? Relabel etc etc
>>
>> Dec 7 12:22:35 sysresccd kernel: audit(1165512155.670:17): avc: denied { 
>> execmod } for pid=32642 comm="k9copy" name="libk9copy.so.0.0.0" dev=hda1 
>> ino=3892747 scontext=user_u:system_r:unconfined_t:s0 
>> tcontext=system_u:object_r:lib_t:s0 tclass=file
>> Dec 7 12:22:36 sysresccd kernel: pci_set_power_state(): 0000:02:08.0: 
>> state=3, current state=5
>>     
>
> If you save the relative entries to a text file somewhere and run
> "audit2why <name-of-text-file", it'll give you some suggestions.
>   
Actually that will not tell you much.  A much better solution would be 
to run setroubleshootd.  This would translate that error message to 
something like the following:



Summary
    SELinux is preventing k9copy from loading libk9copy.so.0.0.0 which requires
    text relocation.

Detailed Description
    The k9copy application attempted to load libk9copy.so.0.0.0 which requires
    text relocation.  This is a potential security problem. Most libraries do
    not need this permission. Libraries are sometimes coded incorrectly and
    request this permission.  The http://people.redhat.com/drepper/selinux-mem.html
    web page explains how to remove this requirement.  You can
    configure SELinux temporarily to allow libk9copy.so.0.0.0 to use relocation
    as a workaround, until the library is fixed. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
    If you trust libk9copy.so.0.0.0 to run correctly, you can change the file
    context to textrel_shlib_t. "chcon -t textrel_shlib_t libk9copy.so.0.0.0"

    The following command will allow this access:
    chcon -t textrel_shlib_t libk9copy.so.0.0.0

Additional Information       

Source Context                user_u:system_r:unconfined_t
Target Context                system_u:object_r:lib_t
Target Objects                libk9copy.so.0.0.0 [ file ]
Affected RPM Packages        
Policy RPM                   
Selinux Enabled              
Policy Type                  
MLS Enabled                  
Enforcing Mode               
Plugin Name                   plugins.allow_execmod
Host Name                    
Platform                     
Alert Count                   1
Line Numbers                  1

Raw Audit Messages           

avc: denied { execmod } for comm="k9copy" dev=hda1 name="libk9copy.so.0.0.0"
pid=32642 scontext=user_u:system_r:unconfined_t:s0 tclass=file
tcontext=system_u:object_r:lib_t:s0


>> Jim
>>
>>     
> ----------------------------------------------------------------------
> - Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
> - VitalStream, Inc.                       http://www.vitalstream.com -
> -                                                                    -
> -         "OK, so you're a Ph.D. Just don't TOUCH anything!"         -
> ----------------------------------------------------------------------
>
>   
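
Added example, not part of the original message or of setroubleshoot: a small Python triage script that pulls execmod denials out of kernel AVC lines like the one quoted in this thread and groups them by program, library and target type, so the libraries that need text relocation can be reviewed before anything is relabelled. The sample log is constructed from the denial above; the host name and the second AVC record (exampled, example.conf, example_t) are made up.

```python
import re

# Constructed sample, modelled on the denial quoted in this thread.
SAMPLE_LOG = """\
Dec 7 12:22:35 host kernel: audit(1165512155.670:17): avc: denied { execmod } for pid=32642 comm="k9copy" name="libk9copy.so.0.0.0" dev=hda1 ino=3892747 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Dec 7 12:22:36 host kernel: pci_set_power_state(): 0000:02:08.0: state=3, current state=5
Dec 7 12:23:01 host kernel: audit(1165512181.112:18): avc: denied { read write } for pid=411 comm="exampled" name="example.conf" dev=hda1 ino=77 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Dec 7 12:24:10 host kernel: audit(1165512250.004:19): avc: denied { execmod } for pid=32642 comm="k9copy" name="libk9copy.so.0.0.0" dev=hda1 ino=3892747 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="value"


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    fields["perms"] = m.group(1).split()  # e.g. ["execmod"] or ["read", "write"]
    return fields


def selinux_type(context):
    """Third field of user:role:type[:level], e.g. lib_t."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def execmod_denials(log_text):
    """Count execmod denials on files, keyed by (comm, name, target type)."""
    seen = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or "execmod" not in rec["perms"] or rec.get("tclass") != "file":
            continue
        key = (rec.get("comm", "?"), rec.get("name", "?"),
               selinux_type(rec.get("tcontext", "")))
        seen[key] = seen.get(key, 0) + 1
    return seen


if __name__ == "__main__":
    for (comm, name, ttype), count in execmod_denials(SAMPLE_LOG).items():
        print(f"{comm}: {name} ({ttype}) requires text relocation, denied {count}x")
```
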



