Re: ldconfig silent output

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Sunday 12 August 2007 02:27:03 Mohammed El-Afifi wrote:
> Just one last question: is there a way to make ldconfig work with
> SELinux in the enforcing mode, for example by updating the glibc
> package(which provides ldconfig) or alternatively updating SELinux
> packages? I'm currently having version 2.6-3 of glibc installed on
> my system.

Here's what I've done in an attempt to resolve the AVCs so far on my
own system:

I have a directory that contains shared libraries that I want ldconfig
to know about.  It and the files in it originally had this selinux
context:

    user_u:object_r:user_home_t

I changed that to:

    system_u:object_r:lib_t

using this command:

    sudo chcon -R system_u:object_r:lib_t /home/depot/collections/tora-1.3.21/lib

This eliminated all but one of my failures in selinux.  (Some time
ago, I changed the context of my $ORACLE_HOME/lib directory to
eliminate similar errors.)  But I still see this:

    type=AVC msg=audit(1186928212.253:1139): avc:  denied  { dac_override } for  pid=5782 comm="ldconfig" capability=1 scontext=user_u:system_r:ldconfig_t:s0 tcontext=user_u:system_r:ldconfig_t:s0 tclass=capability
    type=SYSCALL msg=audit(1186928212.253:1139): arch=40000003 syscall=195 success=yes exit=0 a0=8bbdc08 a1=bfc4bb80 a2=8bbb801 a3=8bbb801 items=0 ppid=5590 pid=5782 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="ldconfig" exe="/sbin/ldconfig" subj=user_u:system_r:ldconfig_t:s0 key=(null)
    type=AVC msg=audit(1186928212.255:1140): avc:  denied  { search } for  pid=5782 comm="ldconfig" name="/" dev=dm-1 ino=2 scontext=user_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
    type=SYSCALL msg=audit(1186928212.255:1140): arch=40000003 syscall=195 success=yes exit=0 a0=bfc4ac00 a1=bfc4bc5c a2=a000 a3=8bbca88 items=0 ppid=5590 pid=5782 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="ldconfig" exe="/sbin/ldconfig" subj=user_u:system_r:ldconfig_t:s0 key=(null)

I believe these failures are an error in the shipped policy for
ldconfig.  But I'm not sure.  My reasoning is that ldconfig should be
able to search and/or read the root directory.  I believe that both of
those failures are happening in a stat64() system call.

At this point, I don't know what to do about this.  I see that Daniel
Walsh recommends trying selinux-policy-2.6.4-35.fc7 in bug #248703,
but I only see -33.fc7 in updates-testing.  I wonder where I could get
the newer package?

-- 
Garry T. Williams --- +1 678 656-4579
[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux