From: Daniel J Walsh <dwalsh@redhat.com>
To: Stephen Smalley <sds@epoch.ncsc.mil>
Cc: Greg Norris <haphazard@kc.rr.com>, SE-Linux <selinux@tycho.nsa.gov>
Subject: Re: need advice for ld_so_cache_t errors
Date: Fri, 08 Oct 2004 17:02:57 -0400
Message-ID: <41670081.1010506@redhat.com>
In-Reply-To: <1097250170.16641.138.camel@moss-spartans.epoch.ncsc.mil>


Stephen Smalley wrote:

>On Mon, 2004-10-04 at 21:00, Greg Norris wrote:
>
>>Ok, I've (finally) figured out what's actually failing.  When I strace a 
>>tail command on my selinux box, the following entries seem of interest:
>>
>>   open("/etc/ld.so.cache", O_RDONLY)      = 3
>>   fstat64(3, {st_mode=S_IFREG|0644, st_size=11997, ...}) = 0
>>   old_mmap(NULL, 11997, PROT_READ, MAP_PRIVATE, 3, 0) = -1 EACCES (Permission denied)
>>   close(3)                                = 0
>>
>>   open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 3
>>   fstat64(3, {st_mode=S_IFREG|0644, st_size=1589840, ...}) = 0
>>   mmap2(NULL, 1589840, PROT_READ, MAP_PRIVATE, 3, 0) = -1 EACCES (Permission denied)
>>   close(3)                                = 0
>>
>>When I strace the same command on my non-selinux box (also running
>>Debian sid), both of the mmaps are successful.  So I guess I need to
>>figure out why the mmaps are being blocked.
>>
>>I'm not sure why selinux would log that as a denied execute, tho.
>
>Legacy binary?  Read-only mmap/mprotect requests are now automatically
>translated to read-execute for backward compatibility when executing
>legacy binaries due to the NX support that was added to the upstream
>kernel.  That translation happens before the SELinux hooks are
>encountered, so SELinux just sees it as a read/execute request.
>
Ok, I am seeing this stuff a lot right now, mainly when running mozilla
with java.

Seems there is a problem with either glib or m_protect.

kernel-2.6.8-1.603
glibc-2.3.3-66


[-- Attachment #2: execute (text/plain) --]

Oct  8 16:57:13 celtics kernel: audit(1097269033.954:10750480): avc:  denied  { execute } for  pid=22541 path=/etc/ld.so.cache dev=dm-0 ino=624955 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:ld_so_cache_t tclass=file
Oct  8 16:57:13 celtics kernel: audit(1097269033.967:10750749): avc:  denied  { execute } for  pid=22541 path=/tmp/hsperfdata_dwalsh/22541 dev=dm-0 ino=3118259 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:object_r:user_tmp_t tclass=file
Oct  8 16:57:14 celtics kernel: audit(1097269034.118:10751092): avc:  denied  { execute } for  pid=22541 path=/usr/java/jre1.5.0/lib/i386/client/classes.jsa dev=dm-0 ino=2380505 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:usr_t tclass=file
Oct  8 16:57:14 celtics kernel: audit(1097269034.172:10752097): avc:  denied  { execute } for  pid=22541 path=/usr/lib/locale/locale-archive dev=dm-0 ino=1786056 scontext=user_u:user_r:user_mozilla_t tcontext=root:object_r:locale_t tclass=file
Oct  8 16:57:14 celtics kernel: audit(1097269034.173:10752118): avc:  denied  { execute } for  pid=22541 path=/usr/lib/locale/en_US.utf8/LC_CTYPE dev=dm-0 ino=2032775 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:locale_t tclass=file

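A small triage helper for AVC denials like the ones attached above, added here as an example (it is not code from this thread or from the SELinux project). It separates { execute } denials on data-only file types, the read-only mmap rewritten to read-execute that Stephen describes, from execute denials that still need a look. The DATA_ONLY_TYPES set is an assumption drawn from the attached lines; the five sample records are the attachment's own lines and the sixth line is constructed.

```python
import re
from collections import Counter

# Sample input: the five attached AVC lines plus one constructed non-AVC line.
SAMPLE_AVC = """\
Oct  8 16:57:13 celtics kernel: audit(1097269033.954:10750480): avc:  denied  { execute } for  pid=22541 path=/etc/ld.so.cache dev=dm-0 ino=624955 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:ld_so_cache_t tclass=file
Oct  8 16:57:13 celtics kernel: audit(1097269033.967:10750749): avc:  denied  { execute } for  pid=22541 path=/tmp/hsperfdata_dwalsh/22541 dev=dm-0 ino=3118259 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:object_r:user_tmp_t tclass=file
Oct  8 16:57:14 celtics kernel: audit(1097269034.118:10751092): avc:  denied  { execute } for  pid=22541 path=/usr/java/jre1.5.0/lib/i386/client/classes.jsa dev=dm-0 ino=2380505 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:usr_t tclass=file
Oct  8 16:57:14 celtics kernel: audit(1097269034.172:10752097): avc:  denied  { execute } for  pid=22541 path=/usr/lib/locale/locale-archive dev=dm-0 ino=1786056 scontext=user_u:user_r:user_mozilla_t tcontext=root:object_r:locale_t tclass=file
Oct  8 16:57:14 celtics kernel: audit(1097269034.173:10752118): avc:  denied  { execute } for  pid=22541 path=/usr/lib/locale/en_US.utf8/LC_CTYPE dev=dm-0 ino=2032775 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:locale_t tclass=file
Oct  8 16:57:15 celtics kernel: constructed line that is not an AVC record
"""

# Shape of a 2.6-era AVC record: "avc:  denied  { perm ... } for  key=value ..."
_AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
_KV_RE = re.compile(r"(\w+)=(\S+)")

# File types that hold data, never code (assumption: extend for your policy).
# An { execute } request on these is the hallmark of a PROT_READ mmap that
# the kernel rewrote to read-execute for a legacy binary.
DATA_ONLY_TYPES = {"ld_so_cache_t", "locale_t"}

def parse_avc(line: str) -> dict:
    """Return the fields of one AVC line, or {} if it is not an AVC record."""
    m = _AVC_RE.search(line)
    if not m:
        return {}
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    rec.update(dict(_KV_RE.findall(m.group("fields"))))
    parts = rec.get("tcontext", "").split(":")  # user:role:type[:level]
    rec["ttype"] = parts[2] if len(parts) > 2 else ""
    return rec

def classify(rec: dict) -> str:
    """'data-file-exec' for execute denials on data-only types, 'needs-review'
    for other execute denials, 'other' for anything that is not an execute denial."""
    if rec.get("result") != "denied" or "execute" not in rec.get("perms", []):
        return "other"
    if rec.get("tclass") == "file" and rec.get("ttype") in DATA_ONLY_TYPES:
        return "data-file-exec"
    return "needs-review"

def triage(log_text: str) -> list:
    """Return (path, target type, category) for every AVC record in the text."""
    recs = [r for r in (parse_avc(l) for l in log_text.splitlines()) if r]
    return [(r.get("path", ""), r["ttype"], classify(r)) for r in recs]

def summarize(log_text: str) -> dict:
    """Count triage categories so the translated mmaps can be seen at a glance."""
    return dict(Counter(cat for _, _, cat in triage(log_text)))
```

Running summarize(SAMPLE_AVC) on the attachment splits it into three translated data-file mmaps and two execute denials (the JVM's hsperfdata file and classes.jsa) that still deserve a look.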