Bug 161859 - selinux-policy-targeted-1.17.30-3.13 breaks gpg
Summary: selinux-policy-targeted-1.17.30-3.13 breaks gpg
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 3
Hardware: i386
OS: Linux
medium
high
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Duplicates: 162397
Depends On:
Blocks:
Reported: 2005-06-27 21:27 UTC by David Baron
Modified: 2007-11-30 22:11 UTC
CC List: 5 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-07-06 21:54:55 UTC



Description David Baron 2005-06-27 21:27:13 UTC
Description of problem:  Upgrading to selinux-policy-targeted-1.17.30-3.13 from 
1.17.30-3.9 (both in updates-released for FC3) breaks gpg.  gpg-signing a
message in mutt (or just running /usr/bin/gpg) gives the error:

/usr/bin/gpg: error while loading shared libraries: cannot restore segment prot
after reloc: Permission denied

and /var/log/messages contains the error:

Jun 27 21:24:14 ridley kernel: audit(1119907454.786:0): avc:  denied  { execmod
} for  pid=12571 comm=gpg path=/usr/bin/gpg dev=hda3 ino=888767
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:bin_t tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-3.13

How reproducible: Always

Steps to Reproduce:
1. Run /usr/bin/gpg
  
Actual results: Error messages above

Expected results: runs

Additional info: "chcon -t texrel_shlib_t /usr/bin/gpg" works around the problem
for me, although using something with "shlib" in it for a binary seems a bit odd

Comment 1 Aleksey Nogin 2005-06-29 17:15:41 UTC
Actually, this is not just signing - it breaks gpg completely:

% gpg --help
gpg: error while loading shared libraries: cannot restore segment prot after
reloc: Permission denied

P.S. CC'ing gnupg package owner.

Comment 2 Daniel Walsh 2005-06-29 17:26:47 UTC
Please try selinux-policy-targeted-1.17.30-3.16

Available on ftp://people.redhat.com/dwalsh/SELinux/FC3

Should be in fedora-testing tonight.

Comment 3 Greg Metcalfe 2005-06-29 18:01:43 UTC
I can verify Aleksey's comment regarding a complete breakage of pgp. I've just
seen it in Kmail, and at the commandline.
 
I've updated 3.13 to 3.16 and found that to be a fix. On one hand, I'm not 
happy about having to grab a policy that's not even in testing. On the other 
hand, thanks for the fast turnaround. On the gripping hand, SELinux policy 
testing is clearly in a Bad Place.  
  
I'll try to reboot in a few minutes, and see if 3.16 breaks anything.  

Comment 4 Greg Metcalfe 2005-06-29 18:15:10 UTC
After reboot: 
An error occurred while loading or saving configuration information for 
Nautilus. Some of your configuration settings may not work properly. 
 
With the old policy, I got 62 lines from 'dmesg |grep 'avc:  denied' | wc -l' 
I have this in a text file, if anyone wants it. Shoot me a mail. 
 
With 3.16, the same grep returns nothing. Definitely making progress, Daniel! 
If I can provide any other information to help you out, please let me know. 
 
 

Comment 5 Daniel Walsh 2005-06-29 18:29:59 UTC
16 was just announced in testing.  Basically a minor fix from FC4 targeted policy

allow unconfined_domains file_type:file execmod;

Which allows all unconfined domains to execute apps like gpg, which currently
require execmod.
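
The denials quoted in this report are easy to miss among other AVC noise, so here is a small triage script (added here, not part of the bug or of the policy package) that parses kernel AVC lines, keeps only execmod denials on files, and counts them per path, source type and target type. The sample log embeds the two AVC lines from the report re-joined onto single lines plus one constructed non-execmod line; the field names follow the audit format shown above.

```python
import re
from collections import Counter
from dataclasses import dataclass

# The two AVC lines quoted in this report (re-joined onto one line each), plus one
# constructed non-execmod denial so the filter has something to leave out.
SAMPLE_LOG = """\
Jun 27 21:24:14 ridley kernel: audit(1119907454.786:0): avc:  denied  { execmod } for  pid=12571 comm=gpg path=/usr/bin/gpg dev=hda3 ino=888767 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:bin_t tclass=file
Jul  1 14:29:37 tunix kernel: audit(1120220977.153:0): avc:  denied  { execmod } for  pid=5921 comm=gpg path=/usr/bin/gpg dev=sda2 ino=5792403 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:bin_t tclass=file
Jun 27 21:30:01 ridley kernel: audit(1119907801.000:0): avc:  denied  { read } for  pid=12600 comm=gconfd-2 name=ior dev=hda3 ino=4242 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:tmp_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

@dataclass
class Avc:
    result: str    # "denied" or "granted"
    perms: tuple   # permissions inside the braces, e.g. ("execmod",)
    fields: dict   # pid, comm, path, scontext, tcontext, tclass, ...

def parse_avc(line):
    """Parse one kernel AVC line; return None for lines that are not AVC messages."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return Avc(m.group(1), tuple(m.group(2).split()), dict(KV_RE.findall(m.group(3))))

def parse_log(text):
    return [a for a in map(parse_avc, text.splitlines()) if a]

def execmod_denials(avcs):
    """execmod denied on a file is the policy side of the loader error
    'cannot restore segment prot after reloc': the binary has text relocations
    and the domain may not make that mapping writable-then-executable."""
    return [a for a in avcs
            if a.result == "denied" and "execmod" in a.perms
            and a.fields.get("tclass") == "file"]

def type_of(context):
    """system_u:object_r:bin_t -> bin_t"""
    return context.split(":")[2]

def triage(avcs):
    """Count execmod denials per (path, source type, target type), which is the
    information needed to decide between relabelling the file and, as in the
    3.16 fix, allowing the domain."""
    c = Counter()
    for a in execmod_denials(avcs):
        c[(a.fields["path"], type_of(a.fields["scontext"]), type_of(a.fields["tcontext"]))] += 1
    return dict(c)

if __name__ == "__main__":
    for key, n in triage(parse_log(SAMPLE_LOG)).items():
        print(n, *key)
```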

Comment 6 Greg Metcalfe 2005-06-29 18:34:48 UTC
Forgot to add details of the Nautilus error:  
Failed to contact configuration server; some possible causes are that you need  
to enable TCP/IP networking for ORBit, or you have stale NFS locks due to a  
system crash. See http://www.gnome.org/projects/gconf/ for information.  
(Details -  1: IOR file '/tmp/gconfd-gregm/lock/ior' not opened successfully,  
no gconfd located: No such file or directory 2: Failed to convert IOR '' to an  
object reference)  
Failed to contact configuration server; some possible causes are that you need  
to enable TCP/IP networking for ORBit, or you have stale NFS locks due to a  
system crash. See http://www.gnome.org/projects/gconf/ for information.  
(Details -  1: Failed to convert IOR '' to an object reference 2: Failed to  
convert IOR '' to an object reference)  
  
I'm not a Gnome user. I've no idea what all this means. But I have rebooted  
via ssh because a KDE launch 'show details' screen became unresponsive during  
the 3.13 problems, and I couldn't call another virtual terminal. That  
generates unclean filesystem stuff at restart, so in some ways, at least, it's  
interpreted as a crash. Though this should not happen, IMHO. I do not run NFS. 

Comment 7 Daniel Hammer 2005-07-01 12:35:10 UTC
In FC3 the current selinux-policy-targeted-1.17.30-3.15 also breaks gpg:

Jul  1 14:29:37 tunix kernel: audit(1120220977.153:0): avc:  denied  { execmod }
for  pid=5921 comm=gpg path=/usr/bin/gpg dev=sda2 ino=5792403
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:bin_t tclass=file

All versions before worked fine for me.

Comment 8 Daniel Walsh 2005-07-02 20:01:08 UTC
Fixed in selinux-policy-targeted-1.17.30-3.16

Comment 9 Kevin Hart 2005-07-06 17:52:04 UTC
I had a similar problem, and the upgrade to 1.17.30-3.16 worked for me.

Comment 10 Kevin Hart 2005-07-06 17:53:31 UTC
*** Bug 162397 has been marked as a duplicate of this bug. ***

Comment 11 Greg Metcalfe 2005-07-06 17:59:17 UTC
1.17.30-3.16 seems to have worked for me as well, over a timeframe where I'm  
pretty confident that I would have seen the problem, if it were still present.  
  
If original reporter David Baron and the rest buy in, I'm fine with you 
closing this ticket. 