FC3: selinux-policy-targeted-1.17.30-3.15 seems to have broken gpg...
Michael W. Carney
michael.es.carney at sbcglobal.net
Fri Jul 1 18:48:51 UTC 2005
John Reiser wrote:
> Jason L Tibbitts III wrote:
>>>>>>>"MWC" == Michael W Carney <michael.es.carney at sbcglobal.net> writes:
>>
>>
>> MWC> Jul 1 07:40:13 lucy-01 kernel: audit(1120228813.336:0): avc:
>> MWC> denied { execmod } for pid=5567 comm=gpg path=/usr/bin/gpg
>> MWC> dev=sdb5 ino=67343 scontext=user_u:system_r:unconfined_t
>> MWC> tcontext=system_u:object_r:bin_t tclass=file
>>
>> I'm seeing the same thing. If I do
>>
>> chcon system_u:object_r:shlib_t /usr/bin/gpg
>>
>> then things work again, but that's probably the wrong thing to do.
>
> That is an acceptable workaround. /usr/bin/gpg from FC3 has two
> relocations to .text, which targeted policy does not allow.
>
> -----selected lines from: readelf --all /usr/bin/gpg
> LOAD 0x000000 0x00000000 0x00000000 0xa1920 0xa1920 R E 0x1000
> LOAD 0x0a2000 0x000a2000 0x000a2000 0x031e4 0x04768 RW 0x1000
>
> 0x00000016 (TEXTREL) 0x0 ## the clue
>
> Relocation section '.rel.dyn' at offset 0x2194 contains 794 entries:
> Offset Info Type Sym.Value Sym. Name
> 0007922e 00000008 R_386_RELATIVE ## 0x7933e < 0xa1920
> 000792be 00000008 R_386_RELATIVE
> 000a20fc 00000008 R_386_RELATIVE
> -----
>
> Those .text relocations are not present in FC4.
> It is possible to find all such cases of brokenness by using
> readelf --dynamic main_or_.so | grep TEXTREL
> for all executable modules (main programs, shared libraries, dynamic
> modules). The maintainers of selinux-policy-targeted should have done so,
> and warned in the changelog.
>
> --
Hi John,
Thanks for the explanation and workaround.
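
The check John Reiser suggests above (`readelf --dynamic ... | grep TEXTREL` over every executable module), as an added example that is not part of the original thread. It reads the ELF dynamic segment directly instead of calling readelf, and goes slightly beyond the message by also treating the DF_TEXTREL bit in DT_FLAGS as a hit; `has_textrel`, `scan` and `make_elf32` are names chosen here, and the sample ELF image is constructed.

```python
import os
import struct

PT_DYNAMIC, DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 2, 0, 22, 30, 0x4  # 22 == 0x16 (TEXTREL)

def has_textrel(data):
    """True if the ELF image's dynamic segment declares text relocations."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64, end = data[4] == 2, "<" if data[5] == 1 else ">"   # EI_CLASS, EI_DATA
    phoff, = struct.unpack_from(end + ("Q" if is64 else "I"), data, 32 if is64 else 28)
    phentsize, phnum = struct.unpack_from(end + "HH", data, 54 if is64 else 42)
    dyn, step = end + ("qQ" if is64 else "iI"), 16 if is64 else 8   # (d_tag, d_val) entries
    for i in range(phnum):
        base = phoff + i * phentsize
        if is64:
            p_type, _, p_off, _, _, p_size = struct.unpack_from(end + "IIQQQQ", data, base)
        else:
            p_type, p_off, _, _, p_size = struct.unpack_from(end + "5I", data, base)
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_off, p_off + p_size - step + 1, step):
            tag, val = struct.unpack_from(dyn, data, off)
            if tag == DT_NULL:
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                return True
    return False

def scan(root):
    """Paths of regular files under root that carry TEXTREL."""
    hits = []
    for d, _, names in os.walk(root):
        for path in filter(os.path.isfile, (os.path.join(d, n) for n in names)):
            try:
                with open(path, "rb") as f:
                    if has_textrel(f.read()):
                        hits.append(path)
            except (ValueError, OSError, struct.error):
                pass  # not ELF, truncated, or unreadable
    return hits

def make_elf32(entries):
    """Constructed sample: minimal little-endian ELF32 holding only a PT_DYNAMIC segment."""
    dyn = b"".join(struct.pack("<iI", t, v) for t, v in list(entries) + [(DT_NULL, 0)])
    ehdr = struct.pack("<16s2H5I6H", b"\x7fELF\x01\x01\x01", 2, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    return ehdr + struct.pack("<8I", PT_DYNAMIC, 84, 0, 0, len(dyn), len(dyn), 6, 4) + dyn
```

Running `scan` over the binary and library directories before a policy update lists the files that would start logging `execmod` denials.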