package selinux-policy-2.6.4-35.fc7 link

Daniel J Walsh dwalsh at redhat.com
Wed Aug 15 11:08:16 UTC 2007


Garry T. Williams wrote:
> On Monday 13 August 2007 07:24:23 Daniel J Walsh wrote:
>   
>> I will put it in fedora-testing today along with fixes for your problem.
>>     
>
> Thanks.  I just installed it but afterwards, I still see these when I
> run "sudo ldconfig" with setenforce 0:
>
>     type=AVC msg=audit(1187043238.692:2616): avc:  denied  { dac_override } for  pid=15479 comm="ldconfig" capability=1 scontext=user_u:system_r:ldconfig_t:s0 tcontext=user_u:system_r:ldconfig_t:s0 tclass=capability
>     type=SYSCALL msg=audit(1187043238.692:2616): arch=40000003 syscall=195 success=yes exit=0 a0=89c1c08 a1=bf8b83e0 a2=89bf801 a3=89bf801 items=0 ppid=15457 pid=15479 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="ldconfig" exe="/sbin/ldconfig" subj=user_u:system_r:ldconfig_t:s0 key=(null)
>     type=AVC msg=audit(1187043239.334:2617): avc:  denied  { search } for  pid=15479 comm="ldconfig" name="/" dev=dm-1 ino=2 scontext=user_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
>     type=SYSCALL msg=audit(1187043239.334:2617): arch=40000003 syscall=195 success=yes exit=0 a0=bf8b7460 a1=bf8b84bc a2=a000 a3=89c0a88 items=0 ppid=15457 pid=15479 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="ldconfig" exe="/sbin/ldconfig" subj=user_u:system_r:ldconfig_t:s0 key=(null)
>
>   
>> You can always modify selinux policy by executing
>>
>> grep ldconfig /var/log/audit/audit.log | audit2allow -M myldconfig
>> semodule -i myldconfig.pp
>>     
>
> Yes, it produces:
>
>     module myldconfig 1.0;
>
>     require {
> 	    type home_root_t;
> 	    type ldconfig_t;
> 	    class capability dac_override;
> 	    class dir search;
>     }
>
>     #============= ldconfig_t ==============
>     allow ldconfig_t home_root_t:dir search;
>     allow ldconfig_t self:capability dac_override;
>
> I can't help but think that the AVCs are due to something I did
> instead of ldconfig or its shipped policy.  Any thoughts?
>
>   

No, this is because you are running ldconfig on files in your homedir, 
and we have not seen this before.  See if selinux-policy-2.6.4-38 fixes 
your problem.



