Bug 1069792
Summary: | libgcrypt.so.20 contains .text relocations
---|---
Product: | [Fedora] Fedora
Component: | libgcrypt
Version: | rawhide
Hardware: | arm
OS: | Linux
Status: | CLOSED RAWHIDE
Severity: | unspecified
Priority: | unspecified
Reporter: | Paul Whalen <pwhalen>
Assignee: | Kyle McMartin <kmcmartin>
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
CC: | dominick.grift, dwalsh, hdegoede, jorton, kmcmartin, lvrabec, mgrepl, pbrobinson, peterm, pwhalen, rdieter, tmraz, vpodzime
Fixed In Version: | libgcrypt-1.6.1-3.fc21
Doc Type: | Bug Fix
Type: | Bug
Last Closed: | 2014-07-31 14:03:12 UTC
Bug Blocks: | 245418

Description
Paul Whalen
2014-02-25 16:41:31 UTC
Martin, a bit of fun ahead.

Hans, a bit of fun ahead.[1]

[1] https://fedoraproject.org/wiki/Changes/XorgWithoutRootRights#Dependencies

(In reply to Martin Kolman from comment #2)
> Hans, a bit of fun ahead.[1]
>
> [1] https://fedoraproject.org/wiki/Changes/XorgWithoutRootRights#Dependencies

That has not landed yet, so whatever is going on here it is not caused by this.

Disabling SELinux on Rawhide nightlies allows initial-setup to run (both GUI and Text).

(In reply to Paul Whalen from comment #4)
> Disabling SELinux on Rawhide nightlies allows initial-setup to run (both GUI
> and Text).

Well, that looks like a bug in the SELinux policy on ARM, so reassigning.

Could you attach AVC msgs from permissive mode?

    # setenforce 0
    re-test
    # ausearch -m avc -ts recent

ausearch -m avc

    ----
    time->Sat Jan 1 00:51:39 2000
    type=UNKNOWN[1327] msg=audit(946687899.842:38): proctitle=2F7573722F7362696E2F4E6574776F726B4D616E61676572002D2D6E6F2D6461656D6F6E
    type=SYSCALL msg=audit(946687899.842:38): arch=40000028 syscall=125 per=800000 success=no exit=-13 a0=b63b8000 a1=98000 a2=5 a3=15 items=0 ppid=1 pid=581 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
    type=AVC msg=audit(946687899.842:38): avc: denied { execmod } for pid=581 comm="NetworkManager" path="/usr/lib/libgcrypt.so.20.0.1" dev="mmcblk0p3" ino=8251 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
    ----
    time->Sat Jan 1 00:54:45 2000
    type=UNKNOWN[1327] msg=audit(946688085.830:33): proctitle=2F7573722F7362696E2F4E6574776F726B4D616E61676572002D2D6E6F2D6461656D6F6E
    type=SYSCALL msg=audit(946688085.830:33): arch=40000028 syscall=125 per=800000 success=yes exit=0 a0=b6332000 a1=98000 a2=5 a3=15 items=0 ppid=1 pid=569 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
    type=AVC msg=audit(946688085.830:33): avc: denied { execmod } for pid=569 comm="NetworkManager" path="/usr/lib/libgcrypt.so.20.0.1" dev="mmcblk0p3" ino=8251 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
    ----
    time->Sat Jan 1 00:54:49 2000
    type=UNKNOWN[1327] msg=audit(946688089.321:47): proctitle=2F7573722F6C69622F706F6C6B69742D312F706F6C6B697464002D2D6E6F2D6465627567
    type=SYSCALL msg=audit(946688089.321:47): arch=40000028 syscall=5 per=800000 success=yes exit=4 a0=b63eb164 a1=20000 a2=0 a3=0 items=0 ppid=1 pid=599 auid=4294967295 uid=999 gid=999 euid=999 suid=999 fsuid=999 egid=999 sgid=999 fsgid=999 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/lib/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0 key=(null)
    type=AVC msg=audit(946688089.321:47): avc: denied { open } for pid=599 comm="polkitd" path="/dev/urandom" dev="devtmpfs" ino=7111 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
    type=AVC msg=audit(946688089.321:47): avc: denied { read } for pid=599 comm="polkitd" name="urandom" dev="devtmpfs" ino=7111 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file

Is what I get on an ARM system.

execmod indicates /usr/lib/libgcrypt.so.20.0.1 is built incorrectly.

Meaning it is not built with PIE and PIC?

execmod is explained below

http://www.akkadia.org/drepper/selinux-mem.html

    #============= policykit_t ==============
    #!!!! This avc is allowed in the current policy
    allow policykit_t urandom_device_t:chr_file { read open };

policykit_t is allowed to read urandom_device_t in Rawhide.

    rpm -q selinux-policy
    selinux-policy-3.13.1-46.fc21.noarch

I'll fix it.

Created attachment 897320
disable non-PIC asm on armv7hl

OK, I've fixed this. We need to disable camellia, cast5, and rijndael ARM asm right now, as those files are written in a non-PIC way. I'll look at fixing these upstream, but in the meantime we can just fall back to C.

Fixed and re-enabled in 1.6.1-4