On Fri, 2004-10-08 at 12:08, Tom London wrote:
> If prelink is running from cron when you do a 'yum install' of a package
> that wants to do a ldconfig, you get the following avc
>
> Oct 8 08:31:39 fedora kernel: audit(1097249499.123:0): avc: denied
> { read } for pid=14475 exe=/lib/ld-2.3.3.so name=ld.so.cache dev=hda2
> ino=4473477 scontext=system_u:system_r:prelink_t
> tcontext=root:object_r:etc_t tclass=file
>
> and a message from ldconfig complaining about not being able to
> link ld.so.cache~
>
> I believe (hope?!) that this is harmless. But, does it make sense
> to prevent this, say by creating a lock file that would be used to
> prevent prelink and ldconfig from colliding?
>
> Or is it safe to allow this access? A 'dontaudit' would still
> leave curious looking messages during the yum.

/etc/ld.so.cache is supposed to be labeled ld_so_cache_t. Seems odd that
prelink_t isn't allowed to read etc_t, though.

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
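
Added example, not part of the original thread: a small parser that splits an AVC denial like the one quoted above into its fields and checks the target's type against the label the reply says /etc/ld.so.cache should carry. The `EXPECTED_TYPES` table and the function names are assumptions made for this illustration; the lookup uses the `name=` field, which holds only the file's base name.

```python
import re

# Assumption: expected SELinux types keyed by file name. The single entry
# comes from the reply above; extend it from your own policy's file contexts.
EXPECTED_TYPES = {"ld.so.cache": "ld_so_cache_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")


def parse_avc(line):
    """Parse an 'avc: denied' audit line into a dict, or return None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    rec.update(re.findall(r"(\w+)=(\S+)", m.group("rest")))
    for ctx in ("scontext", "tcontext"):
        parts = rec.get(ctx, "").split(":")
        if len(parts) >= 3:  # user:role:type[:level]
            rec[ctx + "_type"] = parts[2]
    return rec


def label_mismatch(rec):
    """Return (name, actual_type, expected_type) if the target is mislabeled."""
    expected = EXPECTED_TYPES.get(rec.get("name"))
    actual = rec.get("tcontext_type")
    if expected and actual and actual != expected:
        return (rec["name"], actual, expected)
    return None


# Denial from the message above, rejoined onto one line.
QUOTED = ("Oct 8 08:31:39 fedora kernel: audit(1097249499.123:0): avc: denied "
          "{ read } for pid=14475 exe=/lib/ld-2.3.3.so name=ld.so.cache dev=hda2 "
          "ino=4473477 scontext=system_u:system_r:prelink_t "
          "tcontext=root:object_r:etc_t tclass=file")
# Constructed line: the same denial against a correctly labeled target.
CONSTRUCTED = QUOTED.replace("object_r:etc_t", "object_r:ld_so_cache_t")

if __name__ == "__main__":
    for line in (QUOTED, CONSTRUCTED):
        rec = parse_avc(line)
        hit = label_mismatch(rec)
        if hit:
            print("%s is %s, expected %s: relabel the file (restorecon)" % hit)
        else:
            print("%s: label is as expected, the denial is a policy question" % rec["name"])
```

A mismatch points at relabeling the file rather than adding an allow or dontaudit rule for the denied domain.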