package selinux-policy-2.6.4-35.fc7 link

Mon Aug 13 11:24:23 UTC 2007

Mohammed El-Afifi wrote:
> > On Sunday 12 August 2007 02:27:03 Mohammed El-Afifi wrote:
> > > Just one last question: is there a way to make ldconfig work with
> > > SELinux in the enforcing mode, for example by updating the glibc
> > > package(which provides ldconfig) or alternatively updating SELinux
> > > packages? I'm currently having version 2.6-3 of glibc installed on
> > > my system.
> >
> > Here's what I've done in an attempt to resolve the AVCs so far on my
> > own system:
> >
> > I have a directory that contains shared libraries that I want ldconfig
> > to know about. It and the files in it originally had this selinux
> > context:
> >
> > user_u:object_r:user_home_t
> >
> > I changed that to:
> >
> > system_u:object_r:lib_t
> >
> > using this command:
> >
> > sudo chcon -R system_u:object_r:lib_t 
> /home/depot/collections/tora-1.3.21/lib
> >
> > This eliminated all but one of my failures in selinux. (Some time
> > ago, I changed the context of my $ORACLE_HOME/lib directory to
> > eliminate similar errors.) But I still see this:
> >
> > type=AVC msg=audit(1186928212.253:1139): avc: denied { dac_override 
> } for pid=5782 comm="ldconfig" capability=1 
> scontext=user_u:system_r:ldconfig_t:s0 
> tcontext=user_u:system_r:ldconfig_t:s0 tclass=capability
> > type=SYSCALL msg=audit(1186928212.253:1139): arch=40000003 
> syscall=195 success=yes exit=0 a0=8bbdc08 a1=bfc4bb80 a2=8bbb801 
> a3=8bbb801 items=0 ppid=5590 pid=5782 auid=500 uid=0 gid=0 euid=0 
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="ldconfig" 
> exe="/sbin/ldconfig" subj=user_u:system_r:ldconfig_t:s0 key=(null)
> > type=AVC msg=audit(1186928212.255:1140): avc: denied { search } for 
> pid=5782 comm="ldconfig" name="/" dev=dm-1 ino=2 
> scontext=user_u:system_r:ldconfig_t:s0 
> tcontext=system_u:object_r:home_root_t:s0 tclass=dir
> > type=SYSCALL msg=audit(1186928212.255:1140): arch=40000003 
> syscall=195 success=yes exit=0 a0=bfc4ac00 a1=bfc4bc5c a2=a000 
> a3=8bbca88 items=0 ppid=5590 pid=5782 auid=500 uid=0 gid=0 euid=0 
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="ldconfig" 
> exe="/sbin/ldconfig" subj=user_u:system_r:ldconfig_t:s0 key=(null)
> >
> > I believe these failures are an error in the shipped policy for
> > ldconfig. But I'm not sure. My reasoning is that ldconfig should be
> > able to search and/or read the root directory. I believe that both of
> > those failures are happening in a stat64() system call.
> >
> > At this point, I don't know what to do about this. I see that Daniel
> > Walsh recommends trying selinux-policy-2.6.4-35.fc7 in bug #248703,
> > but I only see -33.fc7 in updates-testing. I wonder where I could get
> > the newer package?
> >
> > --
> > Garry T. Williams --- +1 678 656-4579
> The package selinux-policy-2.6.4-35.fc7 is available for download at 
> the link 
> http://koji.fedoraproject.org/packages/selinux-policy/2.6.4/35.fc7/noarch/selinux-policy-2.6.4-35.fc7.noarch.rpm.
> I've just found this link and downloaded the package, but I haven't 
> installed it yet. However, the topmost changelog at the package info 
> page http://koji.fedoraproject.org/koji/buildinfo?buildID=13386 for 
> this specific release of the package tells that it fixed the problem 
> of ldconfig with the terminal specifically. I hope it works as stated.
>
> ------------------------------------------------------------------------
> Looking for a deal? Find great prices on flights and hotels 
> <http://us.rd.yahoo.com/evt=47094/*http://farechase.yahoo.com/;_ylc=X3oDMTFicDJoNDllBF9TAzk3NDA3NTg5BHBvcwMxMwRzZWMDZ3JvdXBzBHNsawNlbWFpbC1uY20-> 
> with Yahoo! FareChase.
I will put it in fedora-testing today along with fixes for your problem.

You can always modify selinux policy by executing

grep ldconfig /var/log/audit/audit.log | audit2allow -M myldconfig
semodule -i myldconfig.pp