labelling issues

[Stephen Smalley]

On Fri, 2004-12-03 at 08:36, Stephen Smalley wrote:
> I've seen prior reports suggesting that it is prelink-related, but no
> hard evidence.  On the other hand, I just checked my FC3 systems (all
> strict policy) and they don't have any mislabeled shared objects. While
> they have been getting regular updates via yum and the prelink cron job
> is present, I see that prelink has been getting denials because of the
> /etc/ld.so.cache mislabeling problem (problem in rpm, not sure if a
> fixed rpm has found its way into FC3 or not).  So possibly if prelink
> wasn't encountering those denials on ld.so.cache, it would gone on to
> complete its processing and would have left the shared objects with the
> wrong label.  I'll restorecon /etc/ld.so.cache again and see if the
> problem manifests upon the next prelink run.

BTW, ask people who encounter the mislabeled shared objects to check
their /var/log/prelink.log for errors, particularly "Could not get
security context" or "Could not set security context", as prelink is
supposed to log those errors when it cannot get or set the file context.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency