Prelink fails under strict/enforcing
Daniel J Walsh
dwalsh at redhat.com
Fri Apr 15 21:06:32 UTC 2005
David Hampton wrote:
>I'm having problems with the prelink command on my system running the
>latest FC3/strict/1.23.11-1 policy.
>
>Running in enforcing mode, when I run 'prelink -a' after updating glibc,
>I get a single "avc: denied { relabelto }" error message and prelink
>bails out. Running tripwire immediately before and after the prelink
>command shows no changes to any files on the system.
>
>Running the same scenario in permissive mode, I get a series of 100 or
>more relabelto denied error messages. The tripwire runs show over 1000
>modified files, which is par for the course after updating glibc.
>Here's one of the error messages in full:
>
> Apr 15 10:36:08 starfury kernel: audit(1113575768.487:0): avc:
> denied { relabelto } for pid=22291 exe=/usr/sbin/prelink
> name=refer.#prelink#.SULAFf dev=dm-0 ino=13717061
> scontext=root:system_r:prelink_t tcontext=system_u:object_r:bin_t
> tclass=file
>
>As far as I can tell from looking at the policy sources, I shouldn't be
>getting any of these errors. There is a (long) line in prelink.te that
>explicitly allows relabelto. Wrapped for clarity, it is:
>
> allow prelink_t {
> ifdef(`amanda.te', `amanda_usr_lib_t')
> admin_passwd_exec_t
> ifdef(`apache.te', `httpd_modules_t')
> ifdef(`xserver.te', `xkb_var_lib_t')
> ld_so_t su_exec_t texrel_shlib_t
> shlib_t sbin_t bin_t lib_t exec_type
> }:file { create_file_perms execute relabelto relabelfrom };
>
>This line explicitly allows prelink the relabelto permission for bin_t
>files, which is what the avc message I copied is complaining about.
>I've spot-checked some of the other 100 error messages. The majority of
>them have a target context of xxx_exec_t and the declaration of the
>xxx_exec_t type includes the exec_type attribute, which means the
>operation should be allowed based on the policy line above.
>
>Any suggestions on where to go from here to track down this problem?
>
>David
>
This is a bug. I have no idea why it is happening.
Steven, do you know why?
Dan
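The thread hinges on David's check: take each "avc: denied" line, look at the target type, and ask whether the quoted prelink_t allow rule (directly, or through the exec_type attribute) already grants that permission. The script below is an added example, not code from the thread or from the Fedora policy, that does that triage over a handful of log lines. It models only type-enforcement matching for that one rule: the ifdef()-guarded targets are left out, create_file_perms is not expanded, and the attribute membership in TYPE_ATTRS (foo_exec_t, bar_exec_t) is a constructed assumption. All log lines except the one David pasted are constructed for the example.

```python
"""Triage SELinux AVC denials against one allow rule (added example, not from the thread)."""
import re
from collections import Counter

# Shape of the 2005-era audit line shown in the thread:
#   ... avc: denied { relabelto } for pid=... exe=... scontext=... tcontext=... tclass=...
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# The unconditional targets of the prelink.te rule quoted above. The ifdef()-guarded
# targets (amanda_usr_lib_t, httpd_modules_t, xkb_var_lib_t) are omitted because their
# presence depends on the policy build; create_file_perms is a macro and is not expanded,
# since only the explicitly named permissions matter for a relabelto denial.
PRELINK_RULE = {
    "source": "prelink_t",
    "targets": {"admin_passwd_exec_t", "ld_so_t", "su_exec_t", "texrel_shlib_t",
                "shlib_t", "sbin_t", "bin_t", "lib_t", "exec_type"},
    "tclass": "file",
    "perms": {"execute", "relabelto", "relabelfrom"},
}

# Constructed attribute membership (assumption): which types carry the exec_type attribute.
TYPE_ATTRS = {
    "foo_exec_t": {"exec_type"},
    "bar_exec_t": {"exec_type"},
}

def ctx_type(ctx):
    """Extract the type from a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return {
        "perms": set(m.group("perms").split()),
        "stype": ctx_type(fields.get("scontext", "")),
        "ttype": ctx_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass"),
        "exe": fields.get("exe"),
        "name": fields.get("name"),
    }

def rule_covers(rule, denial):
    """True if this toy TE model says `rule` already grants every denied permission."""
    if denial["stype"] != rule["source"] or denial["tclass"] != rule["tclass"]:
        return False
    attrs = TYPE_ATTRS.get(denial["ttype"], set())
    # a target matches if its type is listed directly or via an attribute in the rule
    if denial["ttype"] not in rule["targets"] and not (attrs & rule["targets"]):
        return False
    return denial["perms"] <= rule["perms"]

def triage(lines, rule=PRELINK_RULE):
    """Split denials into 'unexpected' (rule should cover them) and 'expected' (it does not)."""
    unexpected, expected = [], []
    summary = Counter()
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        for perm in sorted(d["perms"]):
            summary[(d["ttype"], d["tclass"], perm)] += 1
        (unexpected if rule_covers(rule, d) else expected).append(d)
    return unexpected, expected, summary

# Constructed sample log: the first line is the one David pasted, the rest are made up.
SAMPLE_LOG = [
    "Apr 15 10:36:08 starfury kernel: audit(1113575768.487:0): avc: denied { relabelto } "
    "for pid=22291 exe=/usr/sbin/prelink name=refer.#prelink#.SULAFf dev=dm-0 ino=13717061 "
    "scontext=root:system_r:prelink_t tcontext=system_u:object_r:bin_t tclass=file",
    # constructed: target type carries exec_type, so the rule should cover it
    "Apr 15 10:36:09 starfury kernel: audit(1113575769.101:0): avc: denied { relabelto } "
    "for pid=22291 exe=/usr/sbin/prelink name=foo.#prelink#.AbCdEf dev=dm-0 ino=13717100 "
    "scontext=root:system_r:prelink_t tcontext=system_u:object_r:foo_exec_t tclass=file",
    # constructed: tmp_t is not a rule target, so this denial is expected
    "Apr 15 10:36:10 starfury kernel: audit(1113575770.202:0): avc: denied { relabelto } "
    "for pid=22291 exe=/usr/sbin/prelink name=scratch dev=dm-0 ino=13717200 "
    "scontext=root:system_r:prelink_t tcontext=system_u:object_r:tmp_t tclass=file",
    # constructed: not a denial at all, must be skipped
    "Apr 15 10:36:11 starfury kernel: audit(1113575771.303:0): avc: granted { setenforce } "
    "for pid=1 exe=/sbin/init",
    # constructed: right types but class dir, which the file rule does not cover
    "Apr 15 10:36:12 starfury kernel: audit(1113575772.404:0): avc: denied { write } "
    "for pid=22291 exe=/usr/sbin/prelink name=cache dev=dm-0 ino=13717300 "
    "scontext=root:system_r:prelink_t tcontext=system_u:object_r:bin_t tclass=dir",
]

if __name__ == "__main__":
    unexpected, expected, summary = triage(SAMPLE_LOG)
    for key, n in sorted(summary.items()):
        print("%-14s %-5s %-10s %d" % (key[0], key[1], key[2], n))
    print("unexpected:", [d["ttype"] for d in unexpected])
    print("expected:  ", [d["ttype"] for d in expected])
```

Denials that land in "unexpected" are the ones worth escalating, exactly as David did here: the loaded policy denies something the source file says it allows, so the next step is to confirm what is actually loaded (sesearch against the installed binary policy, or audit2why on the raw line) rather than to write a new allow rule. The "expected" bucket is where a local policy tweak would normally go, and keeping the two apart avoids papering over a policy build or labeling bug with an overly broad rule.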
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list