David McGuffey
2009-Aug-20 01:15 UTC
[CentOS] Funny stuff in SELinux -- /usr/lib/libGL.so.1.2.#prelink#.4GxqM1
Received this SELinux warning:

Summary:

SELinux is preventing ld-linux.so.2 from loading
/usr/lib/libGL.so.1.2.#prelink#.4GxqM1 which requires text relocation.

Detailed Description:

The ld-linux.so.2 application attempted to load
/usr/lib/libGL.so.1.2.#prelink#.4GxqM1 which requires text relocation. This is a
potential security problem. Most libraries do not need this permission.
Libraries are sometimes coded incorrectly and request this permission. The
SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/lib/libGL.so.1.2.#prelink#.4GxqM1 to use relocation as a workaround, until
the library is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust /usr/lib/libGL.so.1.2.#prelink#.4GxqM1 to run correctly, you can
change the file context to textrel_shlib_t.
"chcon -t textrel_shlib_t '/usr/lib/libGL.so.1.2.#prelink#.4GxqM1'"
You must also change the default file context files on the system in order to
preserve them even on a full relabel.
"semanage fcontext -a -t textrel_shlib_t '/usr/lib/libGL.so.1.2.#prelink#.4GxqM1'"

Fix Command:

chcon -t textrel_shlib_t '/usr/lib/libGL.so.1.2.#prelink#.4GxqM1'

Additional Information:

Source Context                unconfined_u:system_r:prelink_t:s0
Target Context                unconfined_u:object_r:lib_t:s0
Target Objects                /usr/lib/libGL.so.1.2.#prelink#.4GxqM1 [ file ]
Source                        ld-linux.so.2
Source Path                   /lib/ld-2.9.so
Port                          <Unknown>
Host                          desk.mcguffeyfamily.net
Source RPM Packages           glibc-2.9-3
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-68.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execmod
Host Name                     desk.mcguffeyfamily.net
Platform                      Linux desk.mcguffeyfamily.net
                              2.6.27.29-170.2.79.fc10.i686 #1 SMP Fri Aug 14
                              21:11:41 EDT 2009 i686 i686
Alert Count                   1
First Seen                    Wed 19 Aug 2009 08:43:01 PM EDT
Last Seen                     Wed 19 Aug 2009 08:43:01 PM EDT
Local ID                      194f2933-b29d-4605-9248-a056af793e4d
Line Numbers

Raw Audit Messages

node=desk.mcguffeyfamily.net type=AVC msg=audit(1250728981.756:551): avc: denied { execmod } for pid=7313 comm="ld-linux.so.2" path="/usr/lib/libGL.so.1.2.#prelink#.4GxqM1" dev=sda2 ino=1733603 scontext=unconfined_u:system_r:prelink_t:s0 tcontext=unconfined_u:object_r:lib_t:s0 tclass=file

node=desk.mcguffeyfamily.net type=SYSCALL msg=audit(1250728981.756:551): arch=40000003 syscall=125 success=no exit=-13 a0=bd0000 a1=6a000 a2=5 a3=bf974f60 items=0 ppid=7297 pid=7313 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=84 comm="ld-linux.so.2" exe="/lib/ld-2.9.so" subj=unconfined_u:system_r:prelink_t:s0 key=(null)

A few minutes later I got the same warning but it was about

SELinux is preventing ld-linux.so.2 from loading
/usr/lib/libGL.so.1.2.#prelink#.1brWwM which requires text relocation.
I ran rpm -VA and received the following:

[root at desk ~]# rpm -Va
S.5....T  c /etc/printcap
.......T  c /etc/sysconfig/system-config-users
.......T    /lib/modules/2.6.27.25-170.2.72.fc10.i686/modules.alias.bin
.......T    /lib/modules/2.6.27.25-170.2.72.fc10.i686/modules.dep.bin
.......T    /lib/modules/2.6.27.25-170.2.72.fc10.i686/modules.symbols.bin
S.5....T  c /etc/login.defs
..5....T  c /etc/inittab
S.5....T  c /etc/cups/classes.conf
S.5....T  c /etc/cups/printers.conf
SM5....T  c /etc/cups/subscriptions.conf
.......T    /lib/modules/2.6.27.29-170.2.79.fc10.i686/modules.alias.bin
.......T    /lib/modules/2.6.27.29-170.2.79.fc10.i686/modules.dep.bin
.......T    /lib/modules/2.6.27.29-170.2.79.fc10.i686/modules.symbols.bin
S.5....T  c /etc/openldap/ldap.conf
.M....G.    /var/log/gdm
.M......    /var/run/gdm
....L...  c /etc/pam.d/system-auth
S.?.....    /usr/lib/libGL.so.1.2
.......T    /var/lib/misc/PolicyKit.reload
S.5....T  c /etc/ppp/chap-secrets
S.5....T  c /etc/ppp/pap-secrets
..5....T  c /usr/lib/security/classpath.security
.......T    /lib/modules/2.6.27.29-170.2.78.fc10.i686/modules.alias.bin
.......T    /lib/modules/2.6.27.29-170.2.78.fc10.i686/modules.dep.bin
.......T    /lib/modules/2.6.27.29-170.2.78.fc10.i686/modules.symbols.bin
S.5....T  c /etc/libuser.conf
..5....T    /etc/cron.d/smolt
S.5....T  c /var/log/mail/statistics
S.5....T  c /etc/ldap.conf
S.5....T  c /etc/sane.d/dll.conf

with the following line on the error output:

prelink: /usr/lib/libGL.so.1.2.#prelink#.4GxqM1 Could not trace symbol resolving

After receiving the second SELinux notice, rpm -Va gave the same results except it referenced .1brWwM

prelink: /usr/lib/libGL.so.1.2.#prelink#.1brWwM Could not trace symbol resolving

What are the two files:

/usr/lib/libGL.so.1.2.#prelink#.4GxqM1
/usr/lib/libGL.so.1.2.#prelink#.1brWwM

And what is going on with them?

Dave McGuffey
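The raw audit messages in the alert above can be read directly, without the setroubleshoot summary. The following is an added example, not part of the original post or of any CentOS/Fedora tool: it joins the AVC and SYSCALL records by event id and decodes the denied call. The sample records are reconstructed from the post, and the syscall table covers i386 only, with just the entries needed here.

```python
import errno
import re

# Constructed sample: the two raw audit records quoted in the post (node= prefix
# dropped, SYSCALL record trimmed to the fields used below).
AVC = ('type=AVC msg=audit(1250728981.756:551): avc: denied { execmod } for '
       'pid=7313 comm="ld-linux.so.2" '
       'path="/usr/lib/libGL.so.1.2.#prelink#.4GxqM1" dev=sda2 ino=1733603 '
       'scontext=unconfined_u:system_r:prelink_t:s0 '
       'tcontext=unconfined_u:object_r:lib_t:s0 tclass=file')
SYSCALL = ('type=SYSCALL msg=audit(1250728981.756:551): arch=40000003 '
           'syscall=125 success=no exit=-13 a0=bd0000 a1=6a000 a2=5 '
           'a3=bf974f60 pid=7313 uid=0 exe="/lib/ld-2.9.so"')

# Syscall numbers are per-architecture, so the table is keyed by the audit
# arch value first. 0x40000003 is AUDIT_ARCH_I386.
SYSCALLS = {0x40000003: {125: "mprotect", 192: "mmap2"}}
PROT = ((1, "PROT_READ"), (2, "PROT_WRITE"), (4, "PROT_EXEC"))

def fields(record):
    """Return the key=value pairs of one audit record, quotes stripped."""
    return {k: v.strip('"') for k, v in
            re.findall(r'(\w+)=("[^"]*"|\S+)', record)}

def event_id(record):
    """Return the 'timestamp:serial' that ties records of one event together."""
    m = re.search(r'audit\(([\d.]+:\d+)\)', record)
    return m.group(1) if m else None

def decode(avc, syscall):
    """Join an AVC denial with its SYSCALL record and decode the call."""
    if event_id(avc) is None or event_id(avc) != event_id(syscall):
        raise ValueError("records belong to different audit events")
    a, s = fields(avc), fields(syscall)
    perms = re.search(r'denied\s+\{\s*([^}]*?)\s*\}', avc)
    name = SYSCALLS.get(int(s["arch"], 16), {}).get(int(s["syscall"]), "unknown")
    out = {
        "perms": perms.group(1).split() if perms else [],
        "domain": a["scontext"].split(":")[2],       # user:role:type:level
        "target_type": a["tcontext"].split(":")[2],
        "path": a["path"],
        "syscall": name,
        "errno": errno.errorcode.get(-int(s["exit"]), "?"),
    }
    if name == "mprotect":                           # a0..a3 are logged in hex
        out["range"] = (int(s["a0"], 16), int(s["a1"], 16))
        out["prot"] = [n for bit, n in PROT if int(s["a2"], 16) & bit]
    return out
```

For the event in the post, `decode(AVC, SYSCALL)` reports an `mprotect` call requesting `PROT_READ` and `PROT_EXEC` that failed with `EACCES`, issued from the `prelink_t` domain against a file labelled `lib_t`.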
David McGuffey
2009-Aug-20 01:32 UTC
[CentOS] Funny stuff in SELinux -- /usr/lib/libGL.so.1.2.#prelink#.4GxqM1
On Wed, 2009-08-19 at 21:15 -0400, David McGuffey wrote:
> Received this SELinux warning:
>
> Summary:
>
> SELinux is preventing ld-linux.so.2 from loading
> /usr/lib/libGL.so.1.2.#prelink#.4GxqM1 which requires text relocation.
>
...
>
> What are the two files:
>
> /usr/lib/libGL.so.1.2.#prelink#.4GxqM1
> /usr/lib/libGL.so.1.2.#prelink#.1brWwM
>
> And what is going on with them?
>
> Dave McGuffey

Sorry to cycle all of you...this was on my Fedora 10 box, not the CentOS 5.3 box. It is still an interesting alert though. I'll send the problem to the SELinux forum.

Dave McGuffey
Tru Huynh
2009-Aug-20 01:36 UTC
[CentOS] Funny stuff in SELinux -- /usr/lib/libGL.so.1.2.#prelink#.4GxqM1
On Wed, Aug 19, 2009 at 09:15:50PM -0400, David McGuffey wrote:
> Received this SELinux warning:
>

You should ask the fedora mailing list.....

> Source ld-linux.so.2
> Source Path /lib/ld-2.9.so
> Port <Unknown>
> Host desk.mcguffeyfamily.net
> Source RPM Packages glibc-2.9-3
> Target RPM Packages
> Policy RPM selinux-policy-3.5.13-68.fc10

Tru
--
Tru Huynh (mirrors, CentOS-3 i386/x86_64 Package Maintenance)
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xBEFA581B
David McGuffey
2009-Aug-20 02:02 UTC
[CentOS] Funny stuff in SELinux -- /usr/lib/libGL.so.1.2.#prelink#.4GxqM1
On Thu, 2009-08-20 at 03:36 +0200, Tru Huynh wrote:
> On Wed, Aug 19, 2009 at 09:15:50PM -0400, David McGuffey wrote:
> > Received this SELinux warning:
> >
>
> You should ask the fedora mailing list.....
>
> > Source ld-linux.so.2
> > Source Path /lib/ld-2.9.so
> > Port <Unknown>
> > Host desk.mcguffeyfamily.net
> > Source RPM Packages glibc-2.9-3
> > Target RPM Packages
> > Policy RPM selinux-policy-3.5.13-68.fc10
>
> Tru

Yep...realized that right after I hit the send/receive button. Ouch. See my follow a few moments later.

Dave McGuffey