On Mon, 2005-10-03 at 16:09 -0300, Alexandre Oliva wrote:
> I've been running FC devel forever. Ever since mcs was introduced,
> prelink has started displaying odd behavior: it would fail to set the
> context for some of the linked binaries and crash at the end. Some
> time ago, I put some time aside to investigate the issue.
>
> As it turned out, prelink would getxattr("selinux.context") for the
> old binary, and setxattr the new binary with the same context. For
> some reason, for binaries whose context did not end in :s0, the
> setxattr was denied.
>
> Running restorecon -F or chcon would reset the context of the binary
> correctly, enabling prelink to run; a simple fixfiles relabel would
> not; perhaps fixfiles -F relabel would, but I didn't try that.
>
> Oddly, even after I cleaned up all binaries to enable a full prelink
> run to complete successfully, after additional updates installed by
> yum, new libraries and binaries were introduced that fail to prelink,
> and I have to reset their contexts to get :s0 added in order for it to
> succeed.
>
> Since I'm told the mcs thingie was designed to not require relabeling
> and to be totally transparent, I thought I'd report this. I'm just
> not sure what package to file it against in bugzilla.
>
> Thoughts?
- Normally, this is hidden from userspace by libsetrans, which adds
the :s0 suffix when it is missing. But prelink uses the static
libselinux and thus doesn't pick up the dlopen of libsetrans and the
transparent context translation support.
- fixfiles relabel runs setfiles, and setfiles does use the shared
libselinux, so it ends up seeing the contexts as already having the :s0
and doesn't bother relabeling them. It appears that the force flag to
setfiles doesn't change this behavior, which is a bug in setfiles.
restorecon does honor the force flag in that respect.
- I don't understand how subsequent updates could end up creating new
files that lack :s0 after you've switched over to using MCS; the kernel
should prohibit setxattr or /proc/pid/attr/fscreate values that lack the
suffix, and should default it into new files.
- There is a patch pending against 2.6.15 that will enable SELinux to
canonicalize getxattr results, so that it will return the :s0 always
under MCS, even if the file hasn't been relabeled on disk.
--
Stephen Smalley
National Security Agency
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
