Bug 156696 - Syslogd refuses to start, claiming that libc has a permission denied error
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Version: 4.0
Hardware: All
OS: Linux
medium
high
Assignee: Jakub Jelinek
QA Contact: Brian Brock
Reported: 2005-05-03 14:08 UTC by Christian Rose
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: 1.25.4-10.1
Doc Type: Bug Fix
Last Closed: 2005-09-15 16:00:10 UTC



Description Christian Rose 2005-05-03 14:08:26 UTC
Since bug 146892 relates to FC3, I thought a separate bug report about what
appears to be the same problem in RHEL4 might be appropriate.

The problem is that syslog won't start (or restart). The machine is a RHEL3 WS
machine upgraded to RHEL4 WS through anaconda, and where SELinux with the
default policy was later manually enabled.

Versions:
# rpm -q glibc sysklogd
glibc-2.3.4-2
sysklogd-1.4.1-26_EL

Symptoms:
# /sbin/service syslog restart
Shutting down kernel logger:                               [  OK  ]
Shutting down system logger:                               [FAILED]
Starting system logger: syslogd: error while loading shared libraries:
libc.so.6: cannot open shared object file: Permission denied
                                                           [FAILED]
Starting kernel logger:                                    [  OK  ]

But the security contexts appear to be correct:
# ls -lZ /lib/tls/lib*.so
-rwxr-xr-x  root     root     system_u:object_r:shlib_t       
/lib/tls/libc-2.3.4.so
-rwxr-xr-x  root     root     system_u:object_r:shlib_t       
/lib/tls/libm-2.3.4.so
-rwxr-xr-x  root     root     system_u:object_r:shlib_t       
/lib/tls/libpthread-2.3.4.so
-rwxr-xr-x  root     root     system_u:object_r:shlib_t       
/lib/tls/librt-2.3.4.so
-rwxr-xr-x  root     root     system_u:object_r:shlib_t       
/lib/tls/libthread_db-1.0.so

Comment 1 Jakub Jelinek 2005-05-03 15:06:36 UTC
Any audit messages in dmesg?

Comment 2 Christian Rose 2005-05-03 21:04:36 UTC
Yes, it seems so. Below are some possibly relevant pieces from dmesg:

[....]
apm: BIOS version 1.2 Flags 0x03 (Driver version 1.16ac)
apm: overridden by ACPI.
audit: initializing netlink socket (disabled)
audit(1115160882.003:0): initialized
Total HugeTLB memory allocated, 0
VFS: Disk quotas dquot_6.5.1
Dquot-cache hash table entries: 1024 (order 0, 4096 bytes)
SELinux:  Registering netfilter hooks
Initializing Cryptographic API
[...]
Freeing unused kernel memory: 140k freed
kjournald starting.  Commit interval 5 seconds
EXT3-fs: mounted filesystem with ordered data mode.
security:  3 users, 4 roles, 316 types, 20 bools
security:  53 classes, 9815 rules
SELinux:  Completing initialization.
SELinux:  Setting up existing superblocks.
SELinux: initialized (dev hda3, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), not configured for labeling
SELinux: initialized (dev hugetlbfs, type hugetlbfs), not configured for labeling
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
inserting floppy driver for 2.6.9-5.0.5.EL
[...]
cdrom: open failed.
kjournald starting.  Commit interval 5 seconds
EXT3 FS on hdb2, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev hdb2, type ext3), uses xattr
kjournald starting.  Commit interval 5 seconds
EXT3 FS on hda1, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev hda1, type ext3), uses xattr
kjournald starting.  Commit interval 5 seconds
EXT3 FS on hda7, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev hda7, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
kjournald starting.  Commit interval 5 seconds
EXT3 FS on hda6, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev hda6, type ext3), uses xattr
kjournald starting.  Commit interval 5 seconds
EXT3 FS on hda2, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev hda2, type ext3), uses xattr
[...]
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
parport0: PC-style at 0x378 (0x778) [PCSPP,TRISTATE]
parport0: irq 7 detected
ip_tables: (C) 2000-2002 Netfilter core team
ip_conntrack version 2.1 (3839 buckets, 30712 max) - 356 bytes per conntrack
eth0: Media Link On 100mbps full-duplex
i2c /dev entries driver
NET: Registered protocol family 10
Disabled Privacy Extensions on device c03670a0(lo)
IPv6 over IPv4 tunneling driver
divert: not allocating divert_blk for non-ethernet device sit0
audit(1115153718.384:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1115153718.385:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1115153718.385:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1115153718.385:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1115153718.385:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1115153718.385:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1115153718.385:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1115153718.385:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1115153718.385:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1115153718.386:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1115153718.386:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1115153718.386:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1115153718.386:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1115153718.386:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1115153718.386:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1115153718.386:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1115153718.386:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1115153718.386:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1115153718.386:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1115153718.387:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1115153718.387:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1115153718.387:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1115153718.387:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1115153718.387:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1115153718.387:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1115153718.387:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1115153718.387:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1115153718.387:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1115153718.388:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1115153718.388:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1115153718.388:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1115153718.388:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1115153718.388:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1115153718.388:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
eth0: no IPv6 routers present

Comment 3 Christian Rose 2005-05-03 21:08:55 UTC
Furthermore:

# /sbin/service ntpd status
ntpd is stopped
# /sbin/service ntpd restart
Shutting down ntpd:                                        [FAILED]
Starting ntpd: ntpd: error while loading shared libraries: libm.so.6: cannot
open shared object file: Permission denied
                                                           [FAILED]
# ls -lZ /lib/libm.so.6 /lib/libm-2.3.4.so
-rwxr-xr-x  root     root     system_u:object_r:shlib_t        /lib/libm-2.3.4.so
lrwxrwxrwx  root     root     system_u:object_r:lib_t          /lib/libm.so.6 ->
libm-2.3.4.so

Comment 5 Colin Walters 2005-05-03 21:15:44 UTC
Hmmm....it looks like some of your filesystem is labeled, since you have shlib_t
and lib_t.  Is /dev/hda3 a separate filesystem?  Is it labeled?

Can you give us the avc denial messages associated with the service restart?

Comment 6 Christian Rose 2005-05-04 22:03:41 UTC
Thanks, the solution in comment #4 seems to have solved the problem.
Yes, /dev/hda3 is a separate file system. It's the root file system on this machine.
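
Added example (not part of the original bug thread, and not Red Hat or SELinux project code): a small parser that collapses AVC denials like the ones pasted in comment 2 into one line per distinct access and lists denied targets typed file_t, the type carried by files that have no SELinux label, which is the condition comment 5 asks about for /dev/hda3. The function names and the "exampled" record are this example's own; the sample is constructed from the values shown in the thread.

```python
import re
from collections import Counter

# Constructed sample: two denials as quoted in comment 2 (wrapped the way dmesg
# printed them) plus one invented denial on a labelled file, for contrast.
SAMPLE = """\
audit(1115153718.384:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1115153718.385:0): avc:  denied  { search } for  pid=2067
exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t
tcontext=system_u:object_r:file_t tclass=dir
audit(1115153720.100:0): avc:  denied  { read } for  pid=2100
exe=/usr/sbin/exampled name=example.conf dev=hda3 ino=1234
scontext=user_u:system_r:example_t tcontext=system_u:object_r:etc_t tclass=file
eth0: no IPv6 routers present
"""

UNLABELED_TYPE = "file_t"  # type of files that carry no SELinux label
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avc(text):
    """Return one dict per AVC denial, re-joining records wrapped over lines."""
    records = []
    for chunk in re.split(r"(?=audit\()", text):  # a record starts at 'audit('
        m = AVC_RE.search(" ".join(chunk.split()))
        if not m:
            continue
        rec = {"perms": " ".join(m.group(1).split())}
        for key, value in re.findall(r"(\w+)=(\S+)", m.group(2)):
            rec.setdefault(key, value)  # first occurrence wins over trailing noise
        for side in ("scontext", "tcontext"):  # context is user:role:type[:level]
            parts = rec.get(side, "").split(":")
            rec[side[0] + "type"] = parts[2] if len(parts) > 2 else "?"
        records.append(rec)
    return records

def summarize(records):
    """Collapse repeated denials into a count per distinct access."""
    return Counter((r["stype"], r["perms"], r["ttype"], r.get("tclass", "?"),
                    r.get("dev", "?"), r.get("ino", "?")) for r in records)

def unlabeled_targets(records):
    """(dev, ino, name) of every denied target whose type is file_t."""
    return sorted({(r.get("dev", "?"), r.get("ino", "?"), r.get("name", "?"))
                   for r in records if r["ttype"] == UNLABELED_TYPE})

if __name__ == "__main__":
    recs = parse_avc(SAMPLE)
    print(summarize(recs).most_common(), unlabeled_targets(recs))
```

On the sample, the denials for ntpd reduce to a single entry against inode 2 of hda3, the root directory of the root file system.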

