Re: Selinux and K9copy
- From: jim tate <mickeyboa@xxxxxxxxxxxxx>
- Date: Fri, 08 Dec 2006 20:37:21 -0500
Daniel J Walsh wrote:
> Rick Stevens wrote:
>> On Thu, 2006-12-07 at 16:21 -0500, jim tate wrote:
>>> Running tail -f /var/log/messages
>>> When I execute "k9copy" w/o quotes, I get the log in /var/log/messages. Same happens when running
>>> as SU or user.
>>> From what I can see, I'm having problems with Selinux. How do I fix it? Relabel etc etc
>>>
>>> Dec 7 12:22:35 sysresccd kernel: audit(1165512155.670:17): avc: denied { execmod } for pid=32642 comm="k9copy" name="libk9copy.so.0.0.0" dev=hda1 ino=3892747 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
>>> Dec 7 12:22:36 sysresccd kernel: pci_set_power_state(): 0000:02:08.0: state=3, current state=5
>>>
>>> Jim
>>
>> If you save the relative entries to a text file somewhere and run
>> "audit2why <name-of-text-file", it'll give you some suggestions.
>>
>> ----------------------------------------------------------------------
>> - Rick Stevens, Senior Systems Engineer rstevens@xxxxxxxxxxxxxxx -
>> - VitalStream, Inc. http://www.vitalstream.com -
>> - -
>> - "OK, so you're a Ph.D. Just don't TOUCH anything!" -
>> ----------------------------------------------------------------------
>
> Actually that will not tell you much. A much better solution would be to run setroubleshootd. This would translate that error message to something like the following:
>
> Summary
> SELinux is preventing k9copy from loading libk9copy.so.0.0.0 which requires
> text relocation.
>
> Detailed Description
> The k9copy application attempted to load libk9copy.so.0.0.0 which requires
> text relocation. This is a potential security problem. Most libraries do
> not need this permission. Libraries are sometimes coded incorrectly and
> request this permission. The http://people.redhat.com/drepper/selinux-mem.html
> web page explains how to remove this requirement. You can
> configure SELinux temporarily to allow libk9copy.so.0.0.0 to use relocation
> as a workaround, until the library is fixed. Please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
>
> Allowing Access
> If you trust libk9copy.so.0.0.0 to run correctly, you can change the file
> context to textrel_shlib_t. "chcon -t textrel_shlib_t libk9copy.so.0.0.0"
> The following command will allow this access:
> chcon -t textrel_shlib_t libk9copy.so.0.0.0
>
> Additional Information
> Source Context          user_u:system_r:unconfined_t
> Target Context          system_u:object_r:lib_t
> Target Objects          libk9copy.so.0.0.0 [ file ]
> Affected RPM Packages
> Policy RPM
> Selinux Enabled
> Policy Type
> MLS Enabled
> Enforcing Mode
> Plugin Name             plugins.allow_execmod
> Host Name
> Platform
> Alert Count             1
> Line Numbers            1
> Raw Audit Messages      avc: denied { execmod } for comm="k9copy" dev=hda1 name="libk9copy.so.0.0.0"
>                         pid=32642 scontext=user_u:system_r:unconfined_t:s0 tclass=file
>                         tcontext=system_u:object_r:lib_t:s0

Thank you, the chcon command did the job.

Jim
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
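
Added example, not part of any message in this thread and not setroubleshoot's own code: a small Python parser for the kind of AVC record quoted above. It flags execmod denials on files (the symptom of a library needing text relocation) and pairs each with the chcon workaround given in the thread. The function names and the SAMPLE constant are assumptions made for this illustration.

```python
import re

# Constructed sample: the AVC record from the thread, with the target context
# written as system_u:object_r:lib_t:s0 (as in the raw audit message).
SAMPLE = ('Dec 7 12:22:35 sysresccd kernel: audit(1165512155.670:17): avc: denied '
          '{ execmod } for pid=32642 comm="k9copy" name="libk9copy.so.0.0.0" '
          'dev=hda1 ino=3892747 scontext=user_u:system_r:unconfined_t:s0 '
          'tcontext=system_u:object_r:lib_t:s0 tclass=file')

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an 'avc: denied' record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    rec['perms'] = m.group(1).split()
    # A context is user:role:type[:mls-range]; the type is the third field.
    for key in ('scontext', 'tcontext'):
        parts = rec.get(key, '').split(':')
        rec[key + '_type'] = parts[2] if len(parts) >= 3 else None
    return rec


def textrel_findings(lines):
    """Report execmod denials on files, the usual sign of a text relocation."""
    findings = []
    for line in lines:
        rec = parse_avc(line)
        if rec and 'execmod' in rec['perms'] and rec.get('tclass') == 'file':
            findings.append({
                'process': rec.get('comm'),
                'file': rec.get('name'),
                'target_type': rec['tcontext_type'],
                # Workaround quoted in the thread; only for a library you trust.
                'workaround': 'chcon -t textrel_shlib_t ' + rec.get('name', ''),
            })
    return findings


if __name__ == '__main__':
    noise = ('Dec 7 12:22:36 sysresccd kernel: pci_set_power_state(): '
             '0000:02:08.0: state=3, current state=5')
    for finding in textrel_findings([SAMPLE, noise]):
        print(finding)
```

The name= field in the record is only the file's base name, so the chcon command has to be run in the library's directory or given the full path.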