Bug 160147 - Wrong context of /opt, not working '--'
Summary: Wrong context of /opt, not working '--'
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 3
Hardware: All
OS: Linux
medium
low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-06-11 20:15 UTC by František Dvořák
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-06-28 19:01:48 UTC



Description František Dvořák 2005-06-11 20:15:32 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4

Description of problem:
After upgrading selinux-policy-targeted from 1.17.30-2.96 to 1.17.30-3.2, .so plugins (shared libraries) in /opt/lib/* can't be loaded (and my xine crashes :-().

Also, I found that all entries with '--' in the sources never match!

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-3.2

How reproducible:
Always

Steps to Reproduce:
0. have some libraries in /opt/lib
1. install selinux-policy-targeted-1.17.30-3.2
2. enable selinux, targeted policy (it's default, I guess)
3. a) setfiles -n -d -W -vv /etc/selinux/targeted/contexts/files/file_contexts /opt/lib | less
   b) setfiles -n -d -W -vv /etc/selinux/targeted/contexts/files/file_contexts /usr/bin | grep bash

Actual Results:
a) 'root:object_r:usr_t' context on all shared libraries
b) setfiles:  Warning!  No matches for (/bin/bash, --, system_u:object_r:shell_exec_t)

Expected Results:
a) 'system_u:object_r:shlib_t' context on all shared libraries
b) 'system_u:object_r:shell_exec_t' context on /usr/bin/bash

Additional info:

I don't know about the '--' problem.

The /opt problem I fixed by using entries similar to those for /usr:
  # workaround here, unlike /usr: removed the '--'
  /opt(/.*)?                      system_u:object_r:usr_t
  /opt(/.*)?/lib(64)?(/.*)?                               system_u:object_r:lib_t
  /opt(/.*)?/lib(64)?/.*\.so(\.[^/]*)*    system_u:object_r:shlib_t

Comment 1 Boris Glawe 2005-06-12 12:43:59 UTC
I can confirm this. I've installed both openoffice 1.1.4 and 2.0-beta in /opt.
Both versions won't start anymore, while causing "avc denied" messages.
In addition the flash plugin installed in my home directory
(~/.mozilla/plugins/) won't start while causing "avc denied" messages.

I've already executed "fixfiles relabel" and I've rebooted.

The severity of this bug is very high!

Comment 2 Boris Glawe 2005-06-12 19:53:01 UTC
I can't even load shared libraries from subfolders of my home directory!!

I hope there's a fix soon!!

Comment 3 Daniel Walsh 2005-06-12 20:14:33 UTC
What errors are you seeing?  What are the AVC messages?

Dan

Comment 4 Boris Glawe 2005-06-13 09:26:41 UTC
I wiped out some sensible data:

This message is the result when trying to load a shared library in my home
directory. LD_LIBRARY_PATH is set correctly and it worked before the latest
selinux-policy-targeted update.

Jun 13 11:17:03 mymachine kernel: audit(1118654223.196:0): avc:  denied  { execmod } for  pid=6155 comm=testprog path=/home/user/workspace/prog/libprog.so dev=hda5 ino=1458690 scontext=user_u:system_r:unconfined_t tcontext=user_u:object_r:user_home_t tclass=file


This message appears thousands of times, caused by mozilla's flashplayer:

Jun 13 11:13:59 mymachine kernel: audit(1118654039.474:0): avc:  denied  { execmod } for  pid=4663 comm=firefox-bin path=/home/user/.mozilla/plugins/libflashplayer.so dev=hda5 ino=1409670 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:user_home_t tclass=file


This message appears, when trying to start openoffice. I've installed the
openoffice version from openoffice.org.

Jun 13 11:21:52 mymachine kernel: audit(1118654512.067:0): avc:  denied  { execmod } for  pid=6188 comm=soffice.bin path=/opt/openoffice.org1.9.104/program/libicudata.so.26.0.1 dev=hda6 ino=54865 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file

The same happens with the current stable openoffice version:

Jun 13 11:22:53 mymachine kernel: audit(1118654573.135:0): avc:  denied  { execmod } for  pid=6215 comm=soffice.bin path=/opt/OpenOffice.org/program/libicudata.so.22.0 dev=hda6 ino=51385 scontext=user_u:system_r:unconfined_t tcontext=root:object_r:usr_t tclass=file

The system itself is stable, but these few examples show that there's something
wrong!!

If I knew how to configure this big selinux monster, I'd try to find the bug
myself. Do you have any comprehensible tutorials?

Comment 5 František Dvořák 2005-06-13 18:11:52 UTC
http://fedora.redhat.com/docs/selinux-faq-fc3/

In short: 
  - directory /etc/selinux/targeted/src/policy
  - do 'make install' after policy change
  - do 'fixfiles restore' to set the context in the whole filesystem,
    or read 'man setfiles' if you want to change just one dir/file or to test

I guess the bug is somewhere in the selinux binary. Try removing all '--' and all
should work again. I see that in the previous release '--' was used too, but not so
much, so no error was visible (lib_t is enough for libraries, but the desired idea
was to use shlib_t in /usr/lib, for example).

Comment 6 František Dvořák 2005-06-13 18:16:36 UTC
(should work again except the /opt/.*lib dir, of course)

Comment 7 Boris Glawe 2005-06-13 19:46:01 UTC
"I guess the bug is somewhere in the selinux binary. Try removing all '--' and all
should work again. I see that in the previous release '--' was used too, but not so
much, so no error was visible (lib_t is enough for libraries, but the desired idea
was to use shlib_t in /usr/lib, for example)."

Sorry, but I didn't understand you.
What do you mean by "removing all '--'"?? Could you please explain it again?

Comment 8 František Dvořák 2005-06-14 09:39:36 UTC
I mean remove all '--' from the configuration file
/etc/selinux/targeted/src/policy/file_contexts/types.fc.

So commands like this:
  cd /etc/selinux/targeted/src/policy/
  # correct '--'
  cp file_contexts/types.fc file_contexts/types.fc.orig
  # drop the '--' file-type field from every entry that has one
  sed -e 's/--//' file_contexts/types.fc.orig > file_contexts/types.fc
  # correct the /opt/lib entries there too, according to my previous mail
  (vi file_contexts/types.fc)
  make install
  fixfiles restore

PS: I'm just the bug reporter. I wasn't so active as to explore the selinux sources...

Comment 9 Boris Glawe 2005-06-14 20:11:55 UTC
I've followed your hint, but it didn't help, sorry.

Am I the only one who has this problem? I am wondering why there are so few bug
reports about this issue.

What could be the reason?

I've got the same selinux-policy as other users, and I've done "fixfiles
relabel" dozens of times in the last days...

Comment 10 František Dvořák 2005-06-14 21:48:35 UTC
Hmm, I checked the 1.17.30-3.9 version in the testing updates of FC3 and the
/opt problem wasn't fixed yet. :-(

Good message: '--' was fixed. :-)

I think the developers were notified about this bug, so if the previous selinux
policy was OK for you, I advise you to downgrade back to version 1.17.30-2.96 for
now (remove and install the old one; maybe '--force' would work too...) and relabel again.

Comment 11 Daniel Walsh 2005-06-15 14:56:43 UTC
If you install 1.17.30-3.9 and 

setsebool -P allow_execmod=1

does this fix the problem?

I have no idea why downgrading to previous policy would fix this problem.  This
problem comes because of the new kernel.  Basically the kernel update contains
new AVC checks execmod/execmem, and policy did not handle it in the past.

Dan

Comment 12 Daniel Walsh 2005-06-15 18:41:46 UTC
Fixed in selinux-policy-targeted-1.17.30-3.9

Comment 13 František Dvořák 2005-06-16 12:51:49 UTC
Yes, you're right. It's fixed. 

Now there remains only a minor bug (it has no effect on functionality):

[valtri@funus ~]$ ls -lZ /opt/lib/*.so | head -1
lrwxrwxrwx  root     root     system_u:object_r:usr_t          /opt/lib/libavcodec.so

I think the desired result is:

lrwxrwxrwx  root     root     system_u:object_r:shlib_t        /opt/lib/libavcodec.so


Anyway, it works nicely on my system now. Thank you.

Comment 14 Daniel Walsh 2005-06-16 20:33:18 UTC
Does restorecon -R -v /opt fix the labeling?



Comment 15 František Dvořák 2005-06-25 12:49:56 UTC
No, it doesn't.

[root@funus valtri]# restorecon -R -v /opt
[root@funus valtri]# ls -Z /opt/lib/*.so | tail -1
lrwxrwxrwx  root     root     system_u:object_r:usr_t          /opt/lib/libxine.so

Comment 16 Daniel Walsh 2005-06-25 20:23:52 UTC
What version of policy do you have installed?



Comment 17 František Dvořák 2005-06-25 20:54:39 UTC
1.17.30-3.9 - the latest from FC3 updates.

Btw. look at /etc/selinux/targeted/src/policy/file_contexts/types.fc. There is:

/opt/.*/lib(64)?(/.*)?

shouldn't it be:

/opt/lib(64)?(/.*)?

?

Comment 18 Daniel Walsh 2005-06-26 11:25:39 UTC
Not quite but it is broken.

/opt(/.*)?/lib(64)?(/.*)?

Is in the next test release.

selinux-policy-targeted-1.17.30-3.15
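A small file_contexts matcher, added here as an example (it is not code from this bug, from setfiles or from the policy package), that shows two things the thread turns on: why the /opt/.*/lib regex from comment 17 cannot label /opt/lib while the /opt(/.*)?/lib form from comment 18 can, and what the '--' file-type field from the original report restricts. It assumes libselinux's rules that each regex must match the whole path and that the last matching entry wins, and the sample entries are constructed from the ones quoted in this bug.

```python
import re
import stat

# file_contexts type field -> stat(2) mode test (libselinux convention; '--' = regular file)
TYPE_TESTS = {"--": stat.S_ISREG, "-d": stat.S_ISDIR, "-l": stat.S_ISLNK,
              "-c": stat.S_ISCHR, "-b": stat.S_ISBLK, "-s": stat.S_ISSOCK, "-p": stat.S_ISFIFO}

def parse_file_contexts(text):
    """Parse 'regex [type] context' lines into (compiled regex, type, context) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, context = fields
        elif len(fields) == 2:
            (regex, context), ftype = fields, None
        else:
            raise ValueError(f"malformed file_contexts entry: {line!r}")
        # setfiles anchors every regex so it must match the whole path
        entries.append((re.compile("^" + regex + "$"), ftype, context))
    return entries

def match_context(entries, path, mode):
    """Return the context of the last entry whose regex and file type both match."""
    result = None
    for regex, ftype, context in entries:
        if ftype is not None and not TYPE_TESTS[ftype](mode):
            continue  # e.g. a '--' entry never applies to a symlink
        if regex.match(path):
            result = context
    return result

# Constructed sample entries: the reporter's /opt workaround (comment 0) with the '--'
# restored on the .so line, and the same set with the broken lib_t regex from comment 17.
FIXED_OPT = r"""
/opt(/.*)?                               system_u:object_r:usr_t
/opt(/.*)?/lib(64)?(/.*)?                system_u:object_r:lib_t
/opt(/.*)?/lib(64)?/.*\.so(\.[^/]*)*  -- system_u:object_r:shlib_t
"""
BROKEN_OPT = FIXED_OPT.replace("/opt(/.*)?/lib(64)?(/.*)?", "/opt/.*/lib(64)?(/.*)?")

def label(entries_text, path, is_symlink=False):
    """Label one path as a regular file or as a symlink under the given entries."""
    mode = stat.S_IFLNK if is_symlink else stat.S_IFREG
    return match_context(parse_file_contexts(entries_text), path, mode)
```

Calling label(BROKEN_OPT, "/opt/lib/README") yields usr_t because /opt/.*/lib needs at least one path component between /opt and /lib, while label(FIXED_OPT, "/opt/lib/libxine.so", is_symlink=True) yields lib_t rather than shlib_t because the '--' entry only applies to regular files.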

Comment 19 František Dvořák 2005-06-28 19:01:48 UTC
Installed selinux-policy-targeted-1.17.30-3.13 from FC3 and all is OK now.

Thank you.

