49# uname -a
Linux lucy-01 2.6.11-1.35_FC3smp #1 SMP Mon Jun 13 01:17:35 EDT 2005 i686 i686 i386 GNU/Linux
45# gpg --list-keys
gpg: error while loading shared libraries: cannot restore segment prot after reloc: Permission denied
Jul 1 07:40:13 lucy-01 kernel: audit(1120228813.336:0): avc: denied { execmod } for pid=5567 comm=gpg path=/usr/bin/gpg dev=sdb5 ino=67343 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:bin_t tclass=file
Any suggestions?
"MWC" == Michael W Carney michael.es.carney@sbcglobal.net writes:
MWC> Jul 1 07:40:13 lucy-01 kernel: audit(1120228813.336:0): avc:
MWC> denied { execmod } for pid=5567 comm=gpg path=/usr/bin/gpg
MWC> dev=sdb5 ino=67343 scontext=user_u:system_r:unconfined_t
MWC> tcontext=system_u:object_r:bin_t tclass=file
I'm seeing the same thing. If I do
chcon system_u:object_r:shlib_t /usr/bin/gpg
then things work again, but that's probably the wrong thing to do.
Here's an strace of a failing call:
strace gpg
execve("/usr/bin/gpg", ["gpg"], [/* 44 vars */]) = 0
uname({sys="Linux", node="ld83.math.uh.edu", ...}) = 0
brk(0) = 0x9798000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=88038, ...}) = 0
old_mmap(NULL, 88038, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f53000
close(3) = 0
open("/usr/lib/libz.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\260\245"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=63528, ...}) = 0
old_mmap(NULL, 65028, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb8a000
old_mmap(0xb99000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xe000) = 0xb99000
close(3) = 0
open("/usr/lib/libbz2.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\3000\205"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=71724, ...}) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f52000
old_mmap(NULL, 69220, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x1c7000
old_mmap(0x1d7000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x10000) = 0x1d7000
close(3) = 0
open("/lib/libdl.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\260+@\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=16816, ...}) = 0
old_mmap(NULL, 12388, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xef8000
old_mmap(0xefa000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0xefa000
close(3) = 0
open("/lib/tls/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20_,\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1521500, ...}) = 0
old_mmap(NULL, 1219740, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x1d8000
mprotect(0x2fb000, 27804, PROT_NONE) = 0
old_mmap(0x2fc000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x123000) = 0x2fc000
old_mmap(0x300000, 7324, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x300000
close(3) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f51000
mprotect(0x2fc000, 8192, PROT_READ) = 0
mprotect(0xefa000, 4096, PROT_READ) = 0
mprotect(0x4d7000, 663552, PROT_READ|PROT_WRITE) = 0
mprotect(0x4d7000, 663552, PROT_READ|PROT_EXEC) = -1 EACCES (Permission denied)
writev(2, [{"gpg", 3}, {": ", 2}, {"error while loading shared libra"..., 36}, {": ", 2}, {"", 0}, {"", 0}, {"cannot restore segment prot afte"..., 39}, {": ", 2}, {"Permission denied", 17}, {"\n", 1}], 10gpg: error while loading shared libraries: cannot restore segment prot after reloc: Permission denied
) = 102
exit_group(127)
Jason L Tibbitts III wrote:
> "MWC" == Michael W Carney michael.es.carney@sbcglobal.net writes:
> MWC> Jul 1 07:40:13 lucy-01 kernel: audit(1120228813.336:0): avc:
> MWC> denied { execmod } for pid=5567 comm=gpg path=/usr/bin/gpg
> MWC> dev=sdb5 ino=67343 scontext=user_u:system_r:unconfined_t
> MWC> tcontext=system_u:object_r:bin_t tclass=file
>
> I'm seeing the same thing. If I do
>
> chcon system_u:object_r:shlib_t /usr/bin/gpg
>
> then things work again, but that's probably the wrong thing to do.
That is an acceptable workaround. /usr/bin/gpg from FC3 has two relocations to .text, which targeted policy does not allow.
-----selected lines from: readelf --all /usr/bin/gpg
  LOAD           0x000000 0x00000000 0x00000000 0xa1920 0xa1920 R E 0x1000
  LOAD           0x0a2000 0x000a2000 0x000a2000 0x031e4 0x04768 RW  0x1000

 0x00000016 (TEXTREL)                    0x0       ## the clue

Relocation section '.rel.dyn' at offset 0x2194 contains 794 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
0007922e  00000008 R_386_RELATIVE   ## 0x7933e < 0xa1920
000792be  00000008 R_386_RELATIVE
000a20fc  00000008 R_386_RELATIVE
-----
Those .text relocations are not present in FC4. It is possible to find all such cases of brokenness by using readelf --dynamic main_or_.so | grep TEXTREL for all executable modules (main programs, shared libraries, dynamic modules). The maintainers of selinux-policy-targeted should have done so, and warned in the changelog.
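As an added example, not code from this thread or from any of its posters: a Python check that does what John's readelf --dynamic | grep TEXTREL pipeline does, but without readelf. It parses the PT_DYNAMIC segment itself (the same data ld.so reads), flags DT_TEXTREL or DT_FLAGS with DF_TEXTREL, and scan_tree applies it to every file under a directory such as /usr/lib; the function names and the build_elf32 fixture are my own assumptions.

```python
import os
import struct
PT_DYNAMIC, DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 2, 0, 22, 30, 0x4  # ELF spec values

def has_textrel(data):
    """True if the image's PT_DYNAMIC carries DT_TEXTREL or DT_FLAGS with DF_TEXTREL."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little-endian, 2 = big-endian
    is32 = data[4] == 1                   # EI_CLASS: 1 = ELFCLASS32, 2 = ELFCLASS64
    if is32:   # e_phoff @28, e_phentsize/e_phnum @42; Phdr32 = p_type,p_offset,..,p_memsz
        (phoff,) = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        phdr_fmt, dyn_fmt = end + "IIIIII", end + "iI"
    else:      # e_phoff @32, e_phentsize/e_phnum @54; Phdr64 = p_type,p_flags,p_offset,..,p_filesz
        (phoff,) = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        phdr_fmt, dyn_fmt = end + "IIQQQQ", end + "qQ"
    for i in range(phnum):
        ph = struct.unpack_from(phdr_fmt, data, phoff + i * phentsize)
        if ph[0] != PT_DYNAMIC:
            continue
        off, size = (ph[1], ph[4]) if is32 else (ph[2], ph[5])   # p_offset, p_filesz
        for pos in range(off, off + size, struct.calcsize(dyn_fmt)):
            tag, val = struct.unpack_from(dyn_fmt, data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                return True
        return False
    return False   # no PT_DYNAMIC: static executable, nothing is relocated at load

def scan_tree(root):
    """Yield paths under root that need text relocations; skip non-ELF/unreadable files."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    if has_textrel(f.read()):
                        yield path
            except (OSError, ValueError, struct.error):
                continue

def build_elf32(dyn_entries):
    """Constructed little-endian ELF32 fixture (not a real binary): header, one PT_DYNAMIC phdr at 52, dynamic array at 84."""
    dyn = b"".join(struct.pack("<iI", t, v) for t, v in dyn_entries + [(DT_NULL, 0)])
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_DYNAMIC, 84, 0, 0, len(dyn), len(dyn), 6, 4)
    return ehdr + phdr + dyn
```

Running `list(scan_tree("/usr/lib"))` on a box gives the list John asks the policy maintainers for: every module flagged here will write to its own text mapping at load and then ask for PROT_EXEC back, which is exactly the execmod check the targeted policy refuses.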
Hi John,
Thanks for the explanation and workaround.
selinux@lists.fedoraproject.org