Gentoo Archives: gentoo-hardened

From: Antoine Martin <antoine@××××××××××.uk>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] mysql 4.1 requires shlib_t:file execmod?
Date: Sat, 22 Oct 2005 16:42:42
Message-Id: 1129999090.31615.72.camel@localhost.localdomain
In Reply to: Re: [gentoo-hardened] mysql 4.1 requires shlib_t:file execmod? by Antoine Martin
On Sat, 2005-10-22 at 17:33 +0100, Antoine Martin wrote:
> On Sat, 2005-10-22 at 16:39 +0200, Dave Strydom wrote:
> > try run this:
> >
> > revdep-rebuild --soname libmysqlclient.so.12
> ^libmysqlclient.so.12^libmysqlclient.so.14, right?
>
> This does a:
> emerge --oneshot --nodeps =dev-db/mysql-4.1.14
> =dev-perl/DBD-mysql-2.9007 =mail-mta/postfix-2.1.5-r2
> =net-dns/pdns-2.9.18
>
> Which failed during the installation phase of postfix, with the same
> message as before..
> Then I switched to non-enforcing mode, rebuilt as above and now it's ok.
DOH
No it's not, when I switch back to enforcing it is still broken...

> No idea why...
Still

>
> Antoine
>
>
> >
> > On 10/22/05, Antoine Martin <antoine@××××××××××.uk> wrote:
> > Hi,
> >
> > I've upgraded a (gentoo x86 selinux) system from MySQL 4.0 to
> > 4.1, and
> > since then some of the software that uses mysql-libs refuses to
> > run
> > without 'shlib_t:file execmod'.
> >
> > ie: when starting postfix (built and rebuilt with mysql
> > support):
> > postfix: error while loading shared
> > libraries: /usr/lib/libmysqlclient.so.14: cannot restore
> > segment prot
> > after reloc: Permission denied
> >
> > And here is the audit message:
> > [ 3159.289877] audit(1130082418.254:1085):
> > avc: denied { execmod } for
> > pid=7905 comm="postfix" name="libmysqlclient.so.14.0.0 "
> > dev=md3
> > ino=84506 scontext=root:sysadm_r:postfix_postdrop_t
> > tcontext=system_u:object_r:shlib_t tclass=file
> >
> > But other software does not need it (mysql client, pdns,
> > etc) even
> > though they are linked to the same library file...
> > What gives?
> >
> > Thanks
> > Antoine
> >
> > --
> > gentoo-hardened@g.o mailing list
> >
> >

--
gentoo-hardened@g.o mailing list
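
An added example, not part of the thread and not code from Gentoo or SELinux tooling: a small Python parser for AVC denial records like the one quoted above, which groups `execmod` denials on files by target so it is clear which library and which source domains are involved. The sample log is constructed (the quoted denial rejoined onto one line, plus one made-up record), and the function names are hypothetical.

```python
import re

# Constructed sample: the denial quoted in the thread, rejoined onto one line,
# followed by one made-up, unrelated record.
SAMPLE_LOG = (
    '[ 3159.289877] audit(1130082418.254:1085): avc: denied { execmod } for '
    'pid=7905 comm="postfix" name="libmysqlclient.so.14.0.0 " dev=md3 '
    'ino=84506 scontext=root:sysadm_r:postfix_postdrop_t '
    'tcontext=system_u:object_r:shlib_t tclass=file\n'
    '[ 3160.000001] audit(1130082419.100:1086): avc: denied { read } for '
    'pid=7910 comm="example" name="example.conf" dev=md3 ino=1234 '
    'scontext=root:sysadm_r:example_t tcontext=system_u:object_r:etc_t '
    'tclass=file\n'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, raw, quoted in FIELD_RE.findall(m.group("fields")):
        # Quoted values may contain spaces (mail wrapping left one in name=).
        rec[key] = (quoted if raw.startswith('"') else raw).strip()
    for ctx in ("scontext", "tcontext"):
        parts = rec.get(ctx, "").split(":")
        # Contexts are user:role:type[:level]; the type is the third field.
        rec[ctx + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec


def execmod_denials(log):
    """Map (file name, target type) -> set of source domains denied execmod.

    execmod is checked when a process makes executable a private file mapping
    that has been modified, which for a shared library usually means the
    loader applied text relocations to it.
    """
    hits = {}
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec and "execmod" in rec["perms"] and rec.get("tclass") == "file":
            key = (rec.get("name", ""), rec["tcontext_type"])
            hits.setdefault(key, set()).add(rec["scontext_type"])
    return hits
```
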