SELinux Mailing List

Re: need advice for ld_so_cache_t errors

From: Daniel J Walsh <dwalsh_at_redhat.com>
Date: Fri, 08 Oct 2004 17:02:57 -0400


Stephen Smalley wrote:

>On Mon, 2004-10-04 at 21:00, Greg Norris wrote:
>
>
>>Ok, I've (finally) figured out what's actually failing. When I strace a
>>tail command on my selinux box, the following entries seem of interest:
>>
>> open("/etc/ld.so.cache", O_RDONLY) = 3
>> fstat64(3, {st_mode=S_IFREG|0644, st_size=11997, ...}) = 0
>> old_mmap(NULL, 11997, PROT_READ, MAP_PRIVATE, 3, 0) = -1 EACCES (Permission denied)
>> close(3) = 0
>>
>> open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 3
>> fstat64(3, {st_mode=S_IFREG|0644, st_size=1589840, ...}) = 0
>> mmap2(NULL, 1589840, PROT_READ, MAP_PRIVATE, 3, 0) = -1 EACCES (Permission denied)
>> close(3) = 0
>>
>>When I strace the same command on my non-selinux box (also running
>>Debian sid), both of the mmaps are successful. So I guess I need to
>>figure out why the mmaps are being blocked.
>>
>>I'm not sure why selinux would log that as a denied execute, tho.
>>
>>
>
>Legacy binary? Read-only mmap/mprotect requests are now automatically
>translated to read-execute for backward compatibility when executing
>legacy binaries due to the NX support that was added to the upstream
>kernel. That translation happens before the SELinux hooks are
>encountered, so SELinux just sees it as a read/execute request.
>
>
>

Ok I am seeing this stuff a lot right now. Mainly when running mozilla with java.

Seems there is a problem with either glib or m_protect.

kernel-2.6.8-1.603
glibc-2.3.3-66

Oct  8 16:57:13 celtics kernel: audit(1097269033.954:10750480): avc:  denied  { execute } for  pid=22541 path=/etc/ld.so.cache dev=dm-0 ino=624955 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:ld_so_cache_t tclass=file
Oct  8 16:57:13 celtics kernel: audit(1097269033.967:10750749): avc:  denied  { execute } for  pid=22541 path=/tmp/hsperfdata_dwalsh/22541 dev=dm-0 ino=3118259 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:object_r:user_tmp_t tclass=file
Oct  8 16:57:14 celtics kernel: audit(1097269034.118:10751092): avc:  denied  { execute } for  pid=22541 path=/usr/java/jre1.5.0/lib/i386/client/classes.jsa dev=dm-0 ino=2380505 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:usr_t tclass=file
Oct  8 16:57:14 celtics kernel: audit(1097269034.172:10752097): avc:  denied  { execute } for  pid=22541 path=/usr/lib/locale/locale-archive dev=dm-0 ino=1786056 scontext=user_u:user_r:user_mozilla_t tcontext=root:object_r:locale_t tclass=file
Oct  8 16:57:14 celtics kernel: audit(1097269034.173:10752118): avc:  denied  { execute } for  pid=22541 path=/usr/lib/locale/en_US.utf8/LC_CTYPE dev=dm-0 ino=2032775 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:locale_t tclass=file


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Fri 8 Oct 2004 - 17:03:40 EDT
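
Correlating the two kinds of evidence in this thread, as an added example that is not part of the original messages: it lists read-only mmap requests in an strace log that failed with EACCES and that an AVC log records as execute denials on the same path. The sample input is constructed from lines quoted above (the libc lines are invented), and the function names are hypothetical.

```python
import re

# Constructed sample input adapted from lines quoted in the thread; the libc lines are invented.
STRACE = '''\
open("/etc/ld.so.cache", O_RDONLY) = 3
old_mmap(NULL, 11997, PROT_READ, MAP_PRIVATE, 3, 0) = -1 EACCES (Permission denied)
close(3) = 0
open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 3
mmap2(NULL, 1589840, PROT_READ, MAP_PRIVATE, 3, 0) = -1 EACCES (Permission denied)
close(3) = 0
open("/lib/libc.so.6", O_RDONLY) = 3
mmap2(NULL, 1200000, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40000000
'''
AUDIT = '''\
audit(1097269033.954:10750480): avc:  denied  { execute } for  pid=22541 path=/etc/ld.so.cache dev=dm-0 ino=624955 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:ld_so_cache_t tclass=file
audit(1097269034.172:10752097): avc:  denied  { execute } for  pid=22541 path=/usr/lib/locale/locale-archive dev=dm-0 ino=1786056 scontext=user_u:user_r:user_mozilla_t tcontext=root:object_r:locale_t tclass=file
'''
OPEN_RE = re.compile(r'^open\("([^"]+)",.*\)\s+=\s+(\d+)$')
MMAP_RE = re.compile(r'^(?:old_mmap|mmap2?)\(\w+, \d+, ([A-Z_|]+), [A-Z_|]+, (\d+), \w+\)\s+=\s+(.*)$')
CLOSE_RE = re.compile(r'^close\((\d+)\)')
AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}.*?\bpath=(\S+).*?\btcontext=(\S+)\s+tclass=(\S+)')

def readonly_mmap_denials(strace_text):
    """Paths whose mmap asked for PROT_READ only and failed with EACCES."""
    fds, hits = {}, []
    for line in map(str.strip, strace_text.splitlines()):
        if m := OPEN_RE.match(line):
            fds[m.group(2)] = m.group(1)      # track fd -> path while it is open
        elif m := CLOSE_RE.match(line):
            fds.pop(m.group(1), None)         # fd numbers are reused after close
        elif m := MMAP_RE.match(line):
            prot, fd, result = m.groups()
            if prot.split('|') == ['PROT_READ'] and 'EACCES' in result and fd in fds:
                hits.append(fds[fd])
    return hits

def execute_denials(audit_text):
    """Map path -> target type for AVC denials that include 'execute' on a file."""
    out = {}
    for m in AVC_RE.finditer(audit_text):
        perms, path, tcontext, tclass = m.groups()
        if 'execute' in perms.split() and tclass == 'file':
            out[path] = tcontext.split(':')[2]  # user:role:type
    return out

def translated_requests(strace_text, audit_text):
    """Read-only mappings that SELinux logged as execute requests."""
    denied = execute_denials(audit_text)
    return [(p, denied[p]) for p in readonly_mmap_denials(strace_text) if p in denied]
```
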
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009


National Security Agency / Central Security Service