1069792 – libgcrypt.so.20 contains .text relocations

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1069792 - libgcrypt.so.20 contains .text relocations

Summary: libgcrypt.so.20 contains .text relocations

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	libgcrypt
Sub Component:
Version:	rawhide
Hardware:	arm
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Kyle McMartin
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	ARMTracker
TreeView+	depends on / blocked

Reported:	2014-02-25 16:41 UTC by Paul Whalen
Modified:	2015-09-01 03:54 UTC (History)
CC List:	13 users (show)
Fixed In Version:	libgcrypt-1.6.1-3.fc21
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-07-31 14:03:12 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
disable non-PIC asm on armv7hl (2.68 KB, patch) 2014-05-19 20:54 UTC, Kyle McMartin	no flags	Details \| Diff
View All

Description Paul Whalen 2014-02-25 16:41:31 UTC

Description of problem:
initial-setup-graphical fails to run on ARM 

Version-Release number of selected component (if applicable):
initial-setup-0.3.14-1.fc21.armv7hl

How reproducible:
everytime

Steps to Reproduce:
1. Boot any rawhide ARM graphical image 


Actual results:
Log in screen when system is booted. 


Expected results:
initial-setup-graphical configuration

Additional info:
systemctl status initial-setup-graphical -l
initial-setup-graphical.service - Initial Setup configuration program
   Loaded: loaded (/usr/lib/systemd/system/initial-setup-graphical.service; enabled)
   Active: failed (Result: exit-code) since Wed 1969-12-31 19:00:26 EST; 6min ago
  Process: 529 ExecStart=/bin/xinit /bin/firstboot-windowmanager /bin/initial-setup -- /bin/Xorg :9 -ac -nolisten tcp (code=exited, status=203/EXEC)
  Process: 443 ExecStartPre=/bin/plymouth quit (code=exited, status=0/SUCCESS)
 Main PID: 529 (code=exited, status=203/EXEC)
   CGroup: /system.slice/initial-setup-graphical.service

Dec 31 19:00:26 localhost systemd[529]: Failed at step EXEC spawning /bin/xinit: Permission denied
Dec 31 19:00:26 localhost systemd[1]: initial-setup-graphical.service: main process exited, code=exited, status=203/EXEC
Dec 31 19:00:26 localhost systemd[1]: Failed to start Initial Setup configuration program.
Dec 31 19:00:26 localhost systemd[1]: Unit initial-setup-graphical.service entered failed state.

Comment 1 Vratislav Podzimek 2014-02-26 08:12:12 UTC

Martin, a bit of fun ahead.

Comment 2 Martin Kolman 2014-02-26 08:53:43 UTC

Hans, a bit of fun ahead.[1]

[1] https://fedoraproject.org/wiki/Changes/XorgWithoutRootRights#Dependencies

Comment 3 Hans de Goede 2014-03-17 09:11:22 UTC

(In reply to Martin Kolman from comment #2)
> Hans, a bit of fun ahead.[1]
> 
> [1] https://fedoraproject.org/wiki/Changes/XorgWithoutRootRights#Dependencies

That has not landed yet, so whatever is going on here it is not caused by this.

Comment 4 Paul Whalen 2014-04-15 13:56:50 UTC

Disabling SELinux on Rawhide nightlies allows initial-setup to run (both GUI and Text).

Comment 5 Martin Kolman 2014-04-17 13:58:01 UTC

(In reply to Paul Whalen from comment #4)
> Disabling SELinux on Rawhide nightlies allows initial-setup to run (both GUI
> and Text).

Well, that looks like a bug in the SELinux policy on ARM, so reassigning.

Comment 6 Miroslav Grepl 2014-04-17 14:28:05 UTC

Could you attach AVC msgs from permissive mode?

# setenforce 0
re-test
# ausearch -m avc -ts recent

Comment 7 Dennis Gilmore 2014-04-21 16:56:58 UTC

ausearch -m avc 
----
time->Sat Jan  1 00:51:39 2000
type=UNKNOWN[1327] msg=audit(946687899.842:38): proctitle=2F7573722F7362696E2F4E6574776F726B4D616E61676572002D2D6E6F2D6461656D6F6E
type=SYSCALL msg=audit(946687899.842:38): arch=40000028 syscall=125 per=800000 success=no exit=-13 a0=b63b8000 a1=98000 a2=5 a3=15 items=0 ppid=1 pid=581 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(946687899.842:38): avc:  denied  { execmod } for  pid=581 comm="NetworkManager" path="/usr/lib/libgcrypt.so.20.0.1" dev="mmcblk0p3" ino=8251 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
----
time->Sat Jan  1 00:54:45 2000
type=UNKNOWN[1327] msg=audit(946688085.830:33): proctitle=2F7573722F7362696E2F4E6574776F726B4D616E61676572002D2D6E6F2D6461656D6F6E
type=SYSCALL msg=audit(946688085.830:33): arch=40000028 syscall=125 per=800000 success=yes exit=0 a0=b6332000 a1=98000 a2=5 a3=15 items=0 ppid=1 pid=569 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(946688085.830:33): avc:  denied  { execmod } for  pid=569 comm="NetworkManager" path="/usr/lib/libgcrypt.so.20.0.1" dev="mmcblk0p3" ino=8251 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
----
time->Sat Jan  1 00:54:49 2000
type=UNKNOWN[1327] msg=audit(946688089.321:47): proctitle=2F7573722F6C69622F706F6C6B69742D312F706F6C6B697464002D2D6E6F2D6465627567
type=SYSCALL msg=audit(946688089.321:47): arch=40000028 syscall=5 per=800000 success=yes exit=4 a0=b63eb164 a1=20000 a2=0 a3=0 items=0 ppid=1 pid=599 auid=4294967295 uid=999 gid=999 euid=999 suid=999 fsuid=999 egid=999 sgid=999 fsgid=999 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/lib/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0 key=(null)
type=AVC msg=audit(946688089.321:47): avc:  denied  { open } for  pid=599 comm="polkitd" path="/dev/urandom" dev="devtmpfs" ino=7111 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(946688089.321:47): avc:  denied  { read } for  pid=599 comm="polkitd" name="urandom" dev="devtmpfs" ino=7111 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file


Is what i get on an arm ssystem

Comment 8 Daniel Walsh 2014-04-21 20:24:53 UTC

execmod indicates /usr/lib/libgcrypt.so.20.0.1 is built incorrectly.  Meaning it is not built with PIE and PIC?

execmod is explained below
http://www.akkadia.org/drepper/selinux-mem.html

#============= policykit_t ==============

#!!!! This avc is allowed in the current policy
allow policykit_t urandom_device_t:chr_file { read open };

policykit_t is allowed to read urandom_device_t in Rawhide.

rpm -q selinux-policy
selinux-policy-3.13.1-46.fc21.noarch

Comment 9 Kyle McMartin 2014-05-19 16:58:47 UTC

I'll fix it.

Comment 10 Kyle McMartin 2014-05-19 20:54:50 UTC

Created attachment 897320 [details]
disable non-PIC asm on armv7hl

OK, I've fixed this. We need to disable camellia, cast5, and rijndael ARM asm right now, as those files are written in a non-PIC way. I'll look at fixing these upstream, but in the meantime we can just fallback to C.

Comment 11 Peter Robinson 2014-07-31 14:03:12 UTC

Fixed and re-enabled in 1.6.1-4

Note You need to log in before you can comment on or make changes to this bug.