Selinux and K9copy
jim tate
mickeyboa at sbcglobal.net
Sat Dec 9 01:37:21 UTC 2006
Daniel J Walsh wrote:
> Rick Stevens wrote:
>> On Thu, 2006-12-07 at 16:21 -0500, jim tate wrote:
>>
>>> Running tail -f /var/log/messages
>>> When I execute "k9copy" w/o quotes , I get the log in
>>> /var/log/messages. Same happens when running
>>> as SU or user.
>>> From What I can see , I'm having problems with Selinux. How do I
>>> fix it? Relabel etc etc
>>>
>>> Dec 7 12:22:35 sysresccd kernel: audit(1165512155.670:17): avc:
>>> denied { execmod } for pid=32642 comm="k9copy"
>>> name="libk9copy.so.0.0.0" dev=hda1 ino=3892747
>>> scontext=user_u:system_r:unconfined_t:s0
>>> tcontext=system_ubject_r:lib_t:s0 tclass=file
>>> Dec 7 12:22:36 sysresccd kernel: pci_set_power_state():
>>> 0000:02:08.0: state=3, current state=5
>>>
>>
>> If you save the relative entries to a text file somewhere and run
>> "audit2why <name-of-text-file", it'll give you some suggestions.
>>
> Actually that will not tell you much. A much better solution would be
> to run setroubleshootd. This would translate that error message to
> something like the following:
>
>
>
> Summary
> SELinux is preventing k9copy from loading libk9copy.so.0.0.0 which
> requires
> text relocation.
>
> Detailed Description
> The k9copy application attempted to load libk9copy.so.0.0.0 which
> requires
> text relocation. This is a potential security problem. Most
> libraries do
> not need this permission. Libraries are sometimes coded incorrectly
> and
> request this permission. The
> http://people.redhat.com/drepper/selinux-
> mem.html web page explains how to remove this requirement. You can
> configure SELinux temporarily to allow libk9copy.so.0.0.0 to use
> relocation
> as a workaround, until the library is fixed. Please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
> package.
>
> Allowing Access
> If you trust libk9copy.so.0.0.0 to run correctly, you can change
> the file
> context to textrel_shlib_t. "chcon -t textrel_shlib_t
> libk9copy.so.0.0.0"
>
> The following command will allow this access:
> chcon -t textrel_shlib_t libk9copy.so.0.0.0
>
> Additional Information
> Source Context user_u:system_r:unconfined_t
> Target Context system_u:object_r:lib_t
> Target Objects libk9copy.so.0.0.0 [ file ]
> Affected RPM Packages Policy RPM Selinux
> Enabled Policy Type MLS
> Enabled Enforcing Mode Plugin
> Name plugins.allow_execmod
> Host Name Platform Alert
> Count 1
> Line Numbers 1
>
> Raw Audit Messages
> avc: denied { execmod } for comm="k9copy" dev=hda1
> name="libk9copy.so.0.0.0"
> pid=32642 scontext=user_u:system_r:unconfined_t:s0 tclass=file
> tcontext=system_u:object_r:lib_t:s0
>
>
>>> Jim
>>>
>>>
>> ----------------------------------------------------------------------
>> - Rick Stevens, Senior Systems Engineer rstevens at vitalstream.com -
>> - VitalStream, Inc. http://www.vitalstream.com -
>> - -
>> - "OK, so you're a Ph.D. Just don't TOUCH anything!" -
>> ----------------------------------------------------------------------
>>
>>
>
Thank you , the chcon command did the job.
Jim
More information about the fedora-list
mailing list