Stephen,
Thanks for taking an interest in this problem. Answers inline.
Stephen Smalley wrote:
> On Sat, 2004-12-11 at 12:33, Dave Mack wrote:
>> OK, this is getting mildly annoying. With the current Rawhide tree (and
>> for about the last week) I've been running into a problem when I "yum
>> update" with SELinux in enforcing mode: the reboot which follows fails
>> because most of the symlinks to shared libraries in /lib have
>> evaporated. The culprit is ldconfig, which is being run during the yum
>> update after library changes.
>>
>> Reproduce by:
>> # ls -l /lib/libtermcap.so.2*
>> lrwxrwxrwx 1 root root 19 Dec 11 09:17 /lib/termcap.so.2 ->
>> libtermcap.so.2.0.8
>> -rwxr-xr-x 1 root root 12952 Jun 15 17:34 /lib/libtermcap.so.2.0.8
>> # setenforce 1
>> # ldconfig
>> <many lines of complaint about "Input file /lib/<something>.so not found">
>> # ls -l /lib/libtermcap.so.2*
>> ls: error while loading shared libraries: libacl.so.1: cannot open
>> shared object file: No such file or directory
>> # setenforce 0
>> # ldconfig
>> <no errors>
>>
>> Now everything is back to normal.
>> Is anyone else able to reproduce this or is it just me? Known bug?
>
> There have been reports of shared objects becoming mislabeled over time,
> but the precise cause is not yet known - likely prelink or rpm or a
> combination due to an interleaving of an update and a prelink run. That
> could be the source of your problem with ldconfig. Questions:
> 1) Are there any errors in your /var/log/prelink.log file of the form
> 'Could not get security context' or 'Could not set security context'?

There aren't any messages referring to "security context" in prelink.log.

> 2) Have you run with SELinux disabled at any time, and then failed to
> fixfiles relabel when re-enabling SELinux? That could leave such files
> unlabeled due to updates or prelink runs while SELinux was disabled.

This would certainly be my guess as the cause. As I mentioned in a
subsequent message to the list, running "fixfiles relabel" solved the
problem with ldconfig in enforcing mode.

> 3) Are there any errors in /var/log/messages with the function name
> "post_create" in them?

No.

> --
> Stephen Smalley <sds@xxxxxxxxxxxxxx>
> National Security Agency
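
One way to check for the condition raised in question 2 before switching back to enforcing mode, as an added example that is not part of the original thread: the function below reads "CONTEXT PATH" lines and reports entries that carry no usable label. The function names, the `stat -c '%C %n'` input format, and the sample listing are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: flag entries that carry no usable
# SELinux label. Input is "CONTEXT PATH" per line, the format printed by
#   stat -c '%C %n' /lib/*
# Assumption: files created while SELinux was disabled show up with type
# file_t or unlabeled_t, or with "?" when no context can be read at all.

flag_unlabeled() {
    while read -r ctx path; do
        [ -n "$path" ] || continue
        # The type is the third colon-separated field (user:role:type[:level]).
        # cut -s yields an empty string when the context has no colons ("?").
        setype=$(printf '%s\n' "$ctx" | cut -s -d: -f3)
        case "$setype" in
            file_t|unlabeled_t|'')
                printf '%s\t%s\n' "$path" "$ctx" ;;
        esac
    done
}

# Constructed sample listing (not real output from the reporter's machine).
sample_listing() {
    cat <<'EOF'
system_u:object_r:lib_t /lib
system_u:object_r:shlib_t /lib/libc.so.6
system_u:object_r:file_t /lib/libtermcap.so.2.0.8
system_u:object_r:unlabeled_t:s0 /lib/libacl.so.1
? /lib/libexample.so.1
EOF
}

# Print the flagged entries from the constructed sample, one per line.
sample_listing | flag_unlabeled
```

On a live system, pipe `stat -c '%C %n' /lib/*` into `flag_unlabeled`; `restorecon -n -v -R /lib` previews what a relabel would change without modifying anything.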