Rawhide SE Linux targeted policy warning !!!
Paul Iadonisi
pri.rhl3 at iadonisi.to
Fri Dec 24 21:18:01 UTC 2004
On Fri, 2004-12-24 at 12:19 -0800, Ulrich Drepper wrote:
> Paul wrote:
> > glibc is also knackered (fails to map correctly).
>
> That is extremely unlikely, especially since I run it (and the latest
> policy as well).
>
> Since nobody has posted any actual information I must guess that some
> files are mislabeled. E.g., ldconfig for some reason creates updated
> glibc DSOs with
>
> system_u:object_r:lib_t
>
> instead of
>
> system_u:object_r:shlib_t
>
> This difference is crucial since the policy now is restrictive when it
> comes to mapping files for execution. So, take a look at the output of
>
> ls -lZ /lib /lib/tls /usr/lib
>
> (and for related directories). If any DSO uses lib_t instead of
> shlib_t, fix the label. The easiest way to do this is to relabel the
> entire filesystem. More info at
Except for one thing. At least in my case, I *have* relabeled the
filesystem. Twice. But since you asked, here is some actual
information:
===
ws187:root:493)# slogin iadonisi at ws187
iadonisi at ws187's password:
Last login: Fri Dec 24 15:58:18 2004 from ws187.local.linuxlobbyist.org
audit(1103921912.627:0): avc: denied { transition } for pid=5909
exe=/usr/sbin/sshd path=/bin/bash dev=dm-0 ino=588724
scontext=root:system_r:initrc_t tcontext=user_u:system_r:unconfined_t
tclass=process
/bin/bash: Permission denied
Connection to ws187 closed.
ws187:root:494)#
===
And even after relabeling, ls -lZ does in fact show DSOs with lib_t
instead of shlib_t. I could try relabeling these DSOs manually, though
it does make me a little nervous, but it does seem to indicate there
might be something wrong with selinux-policy-targeted.
FYI, this is a fully updated rawhide system, minus the swig and xfce4
packages due to some dependency problems.
--
-Paul Iadonisi
Senior System Administrator
Red Hat Certified Engineer / Local Linux Lobbyist
Ever see a penguin fly? -- Try Linux.
GPL all the way: Sell services, don't lease secrets
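An added check, not code from either poster, that implements the ls -lZ inspection Ulrich describes: it scans ls -lZ-shaped lines for shared objects typed lib_t rather than shlib_t. The sample listing is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example for this thread, not code from either poster.
# Finds shared objects that carry the generic lib_t type instead of shlib_t,
# the mislabeling Ulrich suspects, by parsing `ls -lZ`-shaped lines.

# Constructed sample in the shape of 2004-era `ls -lZ /lib` output
# (mode, owner, group, context, name); not captured from a real host.
SAMPLE_LS_Z='-rwxr-xr-x  root root system_u:object_r:shlib_t  libc-2.3.3.so
-rwxr-xr-x  root root system_u:object_r:lib_t    libm-2.3.3.so
-rwxr-xr-x  root root system_u:object_r:lib_t    libpthread-0.60.so
-rw-r--r--  root root system_u:object_r:lib_t    libc.a
lrwxrwxrwx  root root system_u:object_r:lib_t    libm.so.6 -> libm-2.3.3.so'

# Read ls -lZ lines on stdin; print the name of every regular file that looks
# like a DSO (*.so or *.so.N) but is typed lib_t. The context is located by
# its ":object_r:" marker, so the column position does not matter.
find_mislabeled_dsos() {
    awk '
        substr($1, 1, 1) == "l" { next }    # symlinks: the label lives on the target
        {
            ctx = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /:object_r:/) ctx = $i
            name = $NF
            if ((ctx ~ /:lib_t$/ || ctx ~ /:lib_t:/) &&
                (name ~ /\.so$/ || name ~ /\.so\./))
                print name
        }
    '
}

# Convenience wrapper for a live directory, e.g. scan_dir /lib/tls.
scan_dir() {
    ls -lZ "$1" | find_mislabeled_dsos
}

# Number of mislabeled DSOs in the constructed sample (expected: 2).
count_sample_mislabeled() {
    printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled_dsos | wc -l | tr -d ' '
}
```

A hit can be corrected per file with restorecon (or chcon -t shlib_t); a mislabel that survives a full relabel, as described above, points at the policy's file context specifications rather than at the files themselves.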