selinux prelink avc's

dragoran dragoran at feuerpokemon.de
Tue May 23 15:08:40 UTC 2006


dragoran wrote:
> Paul Howarth wrote:
>> On Tue, 2006-05-23 at 16:28 +0200, dragoran wrote:
>>  
>>> dragoran wrote:
>>>    
>>>> dragoran wrote:
>>>>      
>>>>> audit(1147793154.831:353): avc:  denied  { execute_no_trans } for  
>>>>> pid=5195 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163 
>>>>> scontext=system_u:system_r:prelink_t:s0 
>>>>> tcontext=system_u:object_r:lib_t:s0 tclass=file
>>>>> audit(1147793154.831:354): avc:  denied  { execute_no_trans } for  
>>>>> pid=5196 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163 
>>>>> scontext=system_u:system_r:prelink_t:s0 
>>>>> tcontext=system_u:object_r:lib_t:s0 tclass=file
>>>>> audit(1147793155.019:355): avc:  denied  { execute_no_trans } for  
>>>>> pid=5197 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163 
>>>>> scontext=system_u:system_r:prelink_t:s0 
>>>>> tcontext=system_u:object_r:lib_t:s0 tclass=file
>>>>> audit(1147793155.447:356): avc:  denied  { execute_no_trans } for  
>>>>> pid=5198 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163 
>>>>> scontext=system_u:system_r:prelink_t:s0 
>>>>> tcontext=system_u:object_r:lib_t:s0 tclass=file
>>>>> audit(1147793156.255:357): avc:  denied  { execute_no_trans } for  
>>>>> pid=5199 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163 
>>>>> scontext=system_u:system_r:prelink_t:s0 
>>>>> tcontext=system_u:object_r:lib_t:s0 tclass=file
>>>>> I am using FC5 with selinux-policy-targeted-2.2.36-2.fc5
>>>>> What's going on? Is a file mislabeled or is this a policy bug?
>>>>>
>>>>> -- 
>>>>> fedora-selinux-list mailing list
>>>>> fedora-selinux-list at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>>
>>>>>
>>>>>         
>>>> hello?
>>>> any solution for this problem?
>>>>
>>>>
>>>>       
>>> It happened again...
>>> Am I the only one seeing this?
>>> audit(1148393411.538:2907): avc:  denied  { execute_no_trans } for  
>>> pid=16856 comm="prelink" name="ld-2.4.so" dev=md0 ino=8060939 
>>> scontext=system_u:system_r:prelink_t:s0 
>>> tcontext=system_u:object_r:lib_t:s0 tclass=file
>>> audit(1148393411.794:2908): avc:  denied  { execmod } for  pid=16859 
>>> comm="ld-linux.so.2" name="libGLcore.so.1.0.8762" dev=md0 
>>> ino=29797475 scontext=system_u:system_r:prelink_t:s0 
>>> tcontext=root:object_r:lib_t:s0 tclass=file
>>> audit(1148393411.814:2909): avc:  denied  { execmod } for  pid=16860 
>>> comm="ld-linux.so.2" name="libnvidia-tls.so.1.0.8762" dev=md0 
>>> ino=30869146 scontext=system_u:system_r:prelink_t:s0 
>>> tcontext=root:object_r:lib_t:s0 tclass=file
>>> audit(1148393412.438:2910): avc:  denied  { unlink } for  pid=13702 
>>> comm="prelink" name="prelink.cache" dev=md0 ino=7012828 
>>> scontext=system_u:system_r:prelink_t:s0 
>>> tcontext=user_u:object_r:etc_t:s0 tclass=file
>>> prelink seems to be completely broken and nobody seems to notice it?
>>>     
>>
>> I'm not seeing this anywhere.
>>
>> Perhaps it's because /lib/ld-2.4.so is lib_t rather than ld_so_t on your
>> system?
>>
>> Paul.
>>
>>
>>
>>   
> ls -Z /lib/ld-2.4.so
> -rwxr-xr-x  root     root     system_u:object_r:ld_so_t        
> /lib/ld-2.4.so
> ls -Z /lib64/ld-2.4.so
> -rwxr-xr-x  root     root     system_u:object_r:lib_t
> Seems that you are correct; let's hope that this won't happen again.
>
this *is* a bug
restorecon /lib64/ld-2.4.so
does not change it to ld_so_t (had to do a chcon)
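
The diagnosis in this thread comes from reading the target type out of each denial. As an added example (not part of the original post), this script collapses the thread's AVC records into unique denials and flags dynamic-loader files that carry `lib_t`; the function names are this example's own, and the sample records are the thread's denials re-joined onto single lines.

```python
import re
from collections import Counter

# AVC records from the thread, one per line (the archive had wrapped them).
SAMPLE = """\
audit(1147793154.831:353): avc:  denied  { execute_no_trans } for  pid=5195 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163 scontext=system_u:system_r:prelink_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
audit(1147793154.831:354): avc:  denied  { execute_no_trans } for  pid=5196 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163 scontext=system_u:system_r:prelink_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
audit(1148393411.538:2907): avc:  denied  { execute_no_trans } for  pid=16856 comm="prelink" name="ld-2.4.so" dev=md0 ino=8060939 scontext=system_u:system_r:prelink_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
audit(1148393411.794:2908): avc:  denied  { execmod } for  pid=16859 comm="ld-linux.so.2" name="libGLcore.so.1.0.8762" dev=md0 ino=29797475 scontext=system_u:system_r:prelink_t:s0 tcontext=root:object_r:lib_t:s0 tclass=file
audit(1148393411.814:2909): avc:  denied  { execmod } for  pid=16860 comm="ld-linux.so.2" name="libnvidia-tls.so.1.0.8762" dev=md0 ino=30869146 scontext=system_u:system_r:prelink_t:s0 tcontext=root:object_r:lib_t:s0 tclass=file
audit(1148393412.438:2910): avc:  denied  { unlink } for  pid=13702 comm="prelink" name="prelink.cache" dev=md0 ino=7012828 scontext=system_u:system_r:prelink_t:s0 tcontext=user_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:level]; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(text):
    """Count denials per (source type, perm, target type, class, name, inode)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        for perm in (rec["perms"] if rec else []):
            counts[(rec["stype"], perm, rec["ttype"], rec["tclass"], rec["name"], rec["ino"])] += 1
    return counts

def suspect_loader_labels(counts):
    """(name, inode) of ld-*.so targets labelled lib_t, the mislabel diagnosed in the thread."""
    return sorted({(name, ino) for (_, perm, ttype, _, name, ino) in counts
                   if perm == "execute_no_trans" and ttype == "lib_t"
                   and re.fullmatch(r"ld-[\d.]+\.so", name)})

if __name__ == "__main__":
    counts = summarize(SAMPLE)
    for key, n in sorted(counts.items()):
        print(n, *key)
    print("loader labelled lib_t:", suspect_loader_labels(counts))
```

The two `ld-2.4.so` denials in the sample carry different inode numbers, so both are reported.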
