Selinux and K9copy

jim tate mickeyboa at sbcglobal.net
Sat Dec 9 01:37:21 UTC 2006


Daniel J Walsh wrote:
> Rick Stevens wrote:
>> On Thu, 2006-12-07 at 16:21 -0500, jim tate wrote:
>>  
>>> Running tail -f /var/log/messages
>>> When I execute "k9copy" w/o quotes, I get the log in
>>> /var/log/messages. Same happens when running
>>> as SU or user.
>>> From what I can see, I'm having problems with SELinux. How do I
>>> fix it? Relabel etc etc
>>>
>>> Dec 7 12:22:35 sysresccd kernel: audit(1165512155.670:17): avc: 
>>> denied { execmod } for pid=32642 comm="k9copy" 
>>> name="libk9copy.so.0.0.0" dev=hda1 ino=3892747 
>>> scontext=user_u:system_r:unconfined_t:s0 
>>> tcontext=system_u:object_r:lib_t:s0 tclass=file
>>> Dec 7 12:22:36 sysresccd kernel: pci_set_power_state(): 
>>> 0000:02:08.0: state=3, current state=5
>>>     
>>
>> If you save the relative entries to a text file somewhere and run
>> "audit2why <name-of-text-file", it'll give you some suggestions.
>>   
> Actually that will not tell you much.  A much better solution would be 
> to run setroubleshootd.  This would translate that error message to 
> something like the following:
>
>
>
> Summary
>    SELinux is preventing k9copy from loading libk9copy.so.0.0.0 which requires
>    text relocation.
>
> Detailed Description
>    The k9copy application attempted to load libk9copy.so.0.0.0 which requires
>    text relocation.  This is a potential security problem. Most libraries do
>    not need this permission. Libraries are sometimes coded incorrectly and
>    request this permission.  The http://people.redhat.com/drepper/selinux-mem.html
>    web page explains how to remove this requirement.  You can
>    configure SELinux temporarily to allow libk9copy.so.0.0.0 to use relocation
>    as a workaround, until the library is fixed. Please file a
>    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
>
> Allowing Access
>    If you trust libk9copy.so.0.0.0 to run correctly, you can change the file
>    context to textrel_shlib_t. "chcon -t textrel_shlib_t libk9copy.so.0.0.0"
>
>    The following command will allow this access:
>    chcon -t textrel_shlib_t libk9copy.so.0.0.0
>
> Additional Information
> Source Context                user_u:system_r:unconfined_t
> Target Context                system_u:object_r:lib_t
> Target Objects                libk9copy.so.0.0.0 [ file ]
> Affected RPM Packages
> Policy RPM
> Selinux Enabled
> Policy Type
> MLS Enabled
> Enforcing Mode
> Plugin Name                   plugins.allow_execmod
> Host Name
> Platform
> Alert Count                   1
> Line Numbers                  1
>
> Raw Audit Messages          
> avc: denied { execmod } for comm="k9copy" dev=hda1 
> name="libk9copy.so.0.0.0"
> pid=32642 scontext=user_u:system_r:unconfined_t:s0 tclass=file
> tcontext=system_u:object_r:lib_t:s0
>
>
>>> Jim
>>>
>>>     
>> ----------------------------------------------------------------------
>> - Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
>> - VitalStream, Inc.                       http://www.vitalstream.com -
>> -                                                                    -
>> -         "OK, so you're a Ph.D. Just don't TOUCH anything!"         -
>> ----------------------------------------------------------------------
>>
>>   
>
Thank you, the chcon command did the job.


Jim
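
The triage discussed in this thread, as an added example that is not from any of the posters: a POSIX shell script that pulls execmod file denials out of syslog lines and reports the command, the library and its target type, with a readelf check for the TEXTREL entry the setroubleshoot text refers to. The sample log is constructed from the denial quoted above (its third line is invented), and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarise SELinux "execmod" AVC denials from syslog-style lines.

# Constructed sample input, modelled on the denial quoted in the thread.
sample_log() {
cat <<'EOF'
Dec 7 12:22:35 sysresccd kernel: audit(1165512155.670:17): avc: denied { execmod } for pid=32642 comm="k9copy" name="libk9copy.so.0.0.0" dev=hda1 ino=3892747 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Dec 7 12:22:36 sysresccd kernel: pci_set_power_state(): 0000:02:08.0: state=3, current state=5
Dec 7 12:23:01 sysresccd kernel: audit(1165512181.102:18): avc: denied { read } for pid=32650 comm="example" name="example.conf" dev=hda1 ino=42 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
}

# avc_field KEY LINE: print the value of KEY=value from one AVC record,
# with surrounding double quotes stripped. Anchored match, so "tcontext"
# never picks up "scontext". Assumes values contain no spaces.
avc_field() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | tr -d '"' | head -n 1
}

# execmod_denials: read log lines on stdin and print "comm name target_type"
# for every denied execmod on an object of class "file".
execmod_denials() {
    grep 'avc: *denied' | grep '{[^}]* execmod [^}]*}' | while IFS= read -r line; do
        [ "$(avc_field tclass "$line")" = "file" ] || continue
        # tcontext is user:role:type[:level]; the type is the third field.
        ttype=$(avc_field tcontext "$line" | cut -d: -f3)
        printf '%s %s %s\n' "$(avc_field comm "$line")" \
            "$(avc_field name "$line")" "$ttype"
    done
}

# has_textrel FILE: succeed if the ELF dynamic section of FILE carries a
# TEXTREL entry, i.e. the library really needs text relocation.
# Requires readelf from binutils; fails for missing or non-ELF files.
has_textrel() {
    readelf -d "$1" 2>/dev/null | grep -q 'TEXTREL'
}

# Run on the constructed sample; on a live system, pipe /var/log/messages in.
sample_log | execmod_denials
```

A library reported here with type lib_t that also passes has_textrel is the case the setroubleshoot text describes, where relabelling to textrel_shlib_t is the workaround until the library is rebuilt without text relocations.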



