Tom London wrote:
There is a bug in rpm that will be fixed after FC3 ships. Basically RPM sets the default context of any execed script to be rpm_script_t. Running strict/enforcing off of Rawhide.
While doing today's rawhide installs (yum), I monitored the label of /etc/ld.so.cache via ls -lZ /etc/ld.so.cache
Several times during the installation of packages, the label of this file changed from
system_u:object_r:ld_so_cache_t
to
root:object_r:ld_so_cache_t [OK, I think]
or to
root:object_r:etc_t [Not OK, I think]
Each time it changed to etc_t, I ran restorecon -vv /etc/ld.so.cache a few seconds later and got the typical restorecon reset context /etc/ld.so.cache->system_u:object_r:ld_so_cache_t
I'm guessing that when a package updates /etc/ld.so.cache, it may leave the label in a funny state, presuming that yum will fix it at the end.
Does this explain the 'intermittent' prelink error messages generated during package installations?
tom
This works fine for most applications because the post install scripts run in a shell and process transitions work properly. The problem is that in certain situations rpm execs ldconfig, which also runs in rpm_script_t, as opposed to ldconfig_t. As such it does not have the rules to create the ld_so_cache_t correctly. In order to fix this problem we have added a new library function to libselinux, rpm_exec. This function will take a command and figure out if it should run under a specific context (ldconfig_t) or just execute it under rpm_exec_t.
Dan
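
The label monitoring Tom describes, scripted so the drift to etc_t is flagged as it happens. This is an added example, not part of the original thread: the function names are hypothetical, and the sample contexts are constructed from the three labels quoted in Tom's message.

```shell
# Added example: flag SELinux label drift on /etc/ld.so.cache.
# Function names are hypothetical; expected values come from the thread.
EXPECTED_USER="system_u"
EXPECTED_TYPE="ld_so_cache_t"

# Constructed sample: one observed context per line, as a watcher would log.
SAMPLE_LABELS="system_u:object_r:ld_so_cache_t
root:object_r:ld_so_cache_t
root:object_r:etc_t
system_u:object_r:ld_so_cache_t
root:object_r:etc_t"

# classify_label CONTEXT: print OK, USER_CHANGED, TYPE_MISMATCH or UNPARSEABLE.
# Accepts user:role:type and user:role:type:level (the type is field 3).
classify_label() {
    user=$(printf '%s' "$1" | cut -s -d: -f1)
    type=$(printf '%s' "$1" | cut -s -d: -f3)
    if [ -z "$type" ]; then
        echo "UNPARSEABLE"
    elif [ "$type" != "$EXPECTED_TYPE" ]; then
        echo "TYPE_MISMATCH"      # e.g. etc_t: restorecon is needed
    elif [ "$user" != "$EXPECTED_USER" ]; then
        echo "USER_CHANGED"       # type is still correct
    else
        echo "OK"
    fi
}

# count_mismatches: read contexts on stdin, print how many had the wrong type.
count_mismatches() {
    n=0
    while IFS= read -r line; do
        case $(classify_label "$line") in TYPE_MISMATCH) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

# watch_label FILE [INTERVAL]: poll the live label and log every change.
watch_label() {
    file=$1; interval=${2:-1}; last="unset"
    while :; do
        ctx=$(stat -c %C "$file" 2>/dev/null) || ctx=""
        if [ "$ctx" != "$last" ]; then
            echo "$(date '+%H:%M:%S') ${ctx:-<none>} $(classify_label "$ctx")"
            last=$ctx
        fi
        sleep "$interval"
    done
}

# Poll the real file only when invoked as: sh thisfile.sh --watch
if [ "${1:-}" = "--watch" ]; then watch_label /etc/ld.so.cache 1; fi
```

Run it with `--watch` in a second terminal during a yum update; each TYPE_MISMATCH line marks a moment when restorecon would reset the context.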