On Mon, 2005-10-03 at 16:09 -0300, Alexandre Oliva wrote:
> I've been running FC devel forever. Ever since mcs was introduced, prelink has started displaying odd behavior: it would fail to set the context for some of the linked binaries and crash at the end. Some time ago, I put some time aside to investigate the issue.
> As it turned out, prelink would getxattr("selinux.context") for the old binary, and setxattr the new binary with the same context. For some reason, for binaries whose context did not end in :s0, the setxattr was denied.
> Running restorecon -F or chcon would reset the context of the binary correctly, enabling prelink to run; a simple fixfiles relabel would not; perhaps fixfiles -F relabel would, but I didn't try that.
> Oddly, even after I cleaned up all binaries to enable a full prelink run to complete successfully, after additional updates installed by yum, new libraries and binaries were introduced that fail to prelink, and I have to reset their contexts to get :s0 added in order for it to succeed.
> Since I'm told the mcs thingie was designed to not require relabeling and to be totally transparent, I thought I'd report this. I'm just not sure what package to file it against in bugzilla.
> Thoughts?
- Normally, this is hidden from userspace by libsetrans, which adds the :s0 suffix when it is missing. But prelink uses the static libselinux and thus doesn't pick up the dlopen of libsetrans and the transparent context translation support.
- fixfiles relabel runs setfiles, and setfiles does use the shared libselinux, so it ends up seeing the contexts as already having the :s0 and doesn't bother relabeling them. It appears that the force flag to setfiles doesn't change this behavior, which is a bug in setfiles. restorecon does honor the force flag in that respect.
- I don't understand how subsequent updates could end up creating new files that lack :s0 after you've switched over to using MCS; the kernel should prohibit setxattr or /proc/pid/attr/fscreate values that lack the suffix, and should default it into new files.
- There is a patch pending against 2.6.15 that will enable SELinux to canonicalize getxattr results, so that it will return the :s0 always under MCS, even if the file hasn't been relabeled on disk.
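The raw-versus-translated distinction the reply describes can be checked from a shell without prelink: read the on-disk xattr directly (getfattr talks to the kernel, so libsetrans never sees the value) and compare it with what a libselinux-linked tool reports. The script below is an added example for this thread, not code from either poster or from the prelink or setfiles projects. It assumes the SELinux file label lives in the `security.selinux` xattr, that `getfattr` (attr package) and GNU `stat` with `%C` are installed, and that the MCS policy's default level is `s0`; the function and file names are the example's own.

```sh
#!/bin/sh
# Added example: find files whose raw SELinux xattr lacks an MCS level,
# show the translated view that hides the gap, and relabel with restorecon -F.
# Assumptions: xattr name security.selinux, default MCS level s0,
# getfattr and GNU stat available.

# A context is user:role:type[:level]; under MCS every label should carry
# at least a fourth field (s0, or s0:c1.c3 etc.). Return 0 when it does.
has_mcs_level() {
    case "$1" in
        *:*:*:*) return 0 ;;
        *)       return 1 ;;
    esac
}

# What libsetrans does for shared-libselinux callers: append ":s0" when
# the level is missing, otherwise return the context unchanged.
canonicalize_context() {
    if has_mcs_level "$1"; then
        printf '%s\n' "$1"
    else
        printf '%s:s0\n' "$1"
    fi
}

# Raw xattr as stored on disk (no translation). The value carries a
# trailing NUL, which tr strips so it is safe in a command substitution.
raw_context() {
    getfattr --only-values --absolute-names -n security.selinux -- "$1" \
        2>/dev/null | tr -d '\0'
}

# Context as a libselinux-linked tool sees it (GNU stat uses the shared
# library, so libsetrans translation applies where it is configured).
translated_context() {
    stat -c %C -- "$1" 2>/dev/null
}

# List files whose raw label has no level: "<path><TAB><raw context>".
find_missing_level() {
    for f in "$@"; do
        ctx=$(raw_context "$f") || continue
        [ -n "$ctx" ] || continue
        if ! has_mcs_level "$ctx"; then
            printf '%s\t%s\n' "$f" "$ctx"
        fi
    done
}

# Side-by-side view for one file, e.g. show_both /usr/bin/ls
show_both() {
    printf 'raw:        %s\n' "$(raw_context "$1")"
    printf 'translated: %s\n' "$(translated_context "$1")"
}

# Relabel the offending files. -F is needed because setfiles/restorecon
# without it see the translated context and think nothing has changed.
relabel_missing_level() {
    find_missing_level "$@" | cut -f1 | while IFS= read -r f; do
        restorecon -F -v -- "$f"
    done
}

# Example invocation (requires root for restorecon):
#   find_missing_level /usr/bin/* /usr/lib/*.so* /usr/lib64/*.so*
#   relabel_missing_level /usr/bin/*
```

The pure string functions (`has_mcs_level`, `canonicalize_context`) mirror the suffix logic the reply attributes to libsetrans and can be exercised anywhere; `find_missing_level` and `relabel_missing_level` only produce output on an SELinux system with files actually labeled without a level.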