New subject: Funny stuff in SELinux -- /usr/lib/libGL.so.1.2.#prelink#.4GxqM1

20 Aug 2009


      Received this SELinux warning:
Summary:
SELinux is preventing ld-linux.so.2 from loading
/usr/lib/libGL.so.1.2.#prelink#.4GxqM1 which requires text relocation.
Detailed Description:
The ld-linux.so.2 application attempted to load
/usr/lib/libGL.so.1.2.#prelink#.4GxqM1 which requires text relocation.
This is a
potential security problem. Most libraries do not need this permission.
Libraries are sometimes coded incorrectly and request this permission.
The
SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains
how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/lib/libGL.so.1.2.#prelink#.4GxqM1 to use relocation as a
workaround, until
the library is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this
package.
Allowing Access:
If you trust /usr/lib/libGL.so.1.2.#prelink#.4GxqM1 to run correctly,
you can
change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
'/usr/lib/libGL.so.1.2.#prelink#.4GxqM1'" You must also change the
default file
context files on the system in order to preserve them even on a full
relabel.
"semanage fcontext -a -t textrel_shlib_t
'/usr/lib/libGL.so.1.2.#prelink#.4GxqM1'"
Fix Command:
chcon -t textrel_shlib_t '/usr/lib/libGL.so.1.2.#prelink#.4GxqM1'
Additional Information:
Source Context                unconfined_u:system_r:prelink_t:s0
Target Context                unconfined_u:object_r:lib_t:s0
Target Objects                /usr/lib/libGL.so.1.2.#prelink#.4GxqM1
[ file ]
Source                        ld-linux.so.2
Source Path                   /lib/ld-2.9.so
Port                          <Unknown>
Host                          desk.mcguffeyfamily.net
Source RPM Packages           glibc-2.9-3
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-68.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execmod
Host Name                     desk.mcguffeyfamily.net
Platform                      Linux desk.mcguffeyfamily.net
                              2.6.27.29-170.2.79.fc10.i686 #1 SMP Fri
Aug 14
                              21:11:41 EDT 2009 i686 i686
Alert Count                   1
First Seen                    Wed 19 Aug 2009 08:43:01 PM EDT
Last Seen                     Wed 19 Aug 2009 08:43:01 PM EDT
Local ID                      194f2933-b29d-4605-9248-a056af793e4d
Line Numbers
Raw Audit Messages
node=desk.mcguffeyfamily.net type=AVC msg=audit(1250728981.756:551):
avc:  denied  { execmod } for  pid=7313 comm="ld-linux.so.2"
path="/usr/lib/libGL.so.1.2.#prelink#.4GxqM1" dev=sda2 ino=1733603
scontext=unconfined_u:system_r:prelink_t:s0
tcontext=unconfined_u:object_r:lib_t:s0 tclass=file
node=desk.mcguffeyfamily.net type=SYSCALL msg=audit(1250728981.756:551):
arch=40000003 syscall=125 success=no exit=-13 a0=bd0000 a1=6a000 a2=5
a3=bf974f60 items=0 ppid=7297 pid=7313 auid=500 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=84
comm="ld-linux.so.2" exe="/lib/ld-2.9.so"
subj=unconfined_u:system_r:prelink_t:s0 key=(null)
A few minutes later I got the same warning but it was about
SELinux is preventing ld-linux.so.2 from loading
/usr/lib/libGL.so.1.2.#prelink#.1brWwM which requires text relocation.
I ran rpm -VA and received the following:
[root@desk ~]# rpm -Va
S.5....T  c /etc/printcap
.......T  c /etc/sysconfig/system-config-users
.......T    /lib/modules/2.6.27.25-170.2.72.fc10.i686/modules.alias.bin
.......T    /lib/modules/2.6.27.25-170.2.72.fc10.i686/modules.dep.bin
.......T    /lib/modules/2.6.27.25-170.2.72.fc10.i686/modules.symbols.bin
S.5....T  c /etc/login.defs
..5....T  c /etc/inittab
S.5....T  c /etc/cups/classes.conf
S.5....T  c /etc/cups/printers.conf
SM5....T  c /etc/cups/subscriptions.conf
.......T    /lib/modules/2.6.27.29-170.2.79.fc10.i686/modules.alias.bin
.......T    /lib/modules/2.6.27.29-170.2.79.fc10.i686/modules.dep.bin
.......T    /lib/modules/2.6.27.29-170.2.79.fc10.i686/modules.symbols.bin
S.5....T  c /etc/openldap/ldap.conf
.M....G.    /var/log/gdm
.M......    /var/run/gdm
....L...  c /etc/pam.d/system-auth
S.?.....    /usr/lib/libGL.so.1.2
.......T    /var/lib/misc/PolicyKit.reload
S.5....T  c /etc/ppp/chap-secrets
S.5....T  c /etc/ppp/pap-secrets
..5....T  c /usr/lib/security/classpath.security
.......T    /lib/modules/2.6.27.29-170.2.78.fc10.i686/modules.alias.bin
.......T    /lib/modules/2.6.27.29-170.2.78.fc10.i686/modules.dep.bin
.......T    /lib/modules/2.6.27.29-170.2.78.fc10.i686/modules.symbols.bin
S.5....T  c /etc/libuser.conf
..5....T    /etc/cron.d/smolt
S.5....T  c /var/log/mail/statistics
S.5....T  c /etc/ldap.conf
S.5....T  c /etc/sane.d/dll.conf
with the following line on the error output:
prelink: /usr/lib/libGL.so.1.2.#prelink#.4GxqM1 Could not trace symbol
resolving
After receiving the second SELinux notice, rpm -Va gave the same results
except it referenced .1brWwM
prelink: /usr/lib/libGL.so.1.2.#prelink#.1brWwM Could not trace symbol
resolving
What are the two files:
/usr/lib/libGL.so.1.2.#prelink#.4GxqM1
/usr/lib/libGL.so.1.2.#prelink#.1brWwM
And what is going on with them?
Dave McGuffey