On Mon, 2005-10-03 at 16:09 -0300, Alexandre Oliva wrote:
I've been running FC devel forever. Ever since mcs was
introduced,
prelink has started displaying odd behavior: it would fail to set the
context for some of the linked binaries and crash at the end. Some
time ago, I put some time aside to investigate the issue.
As it turned out, prelink would getxattr("selinux.context") for the
old binary, and setxattr the new binary with the same context. For
some reason, for binaries whose context did not end in :s0, the
setxattr was denied.
Running restorecon -F or chcon would reset the context of the binary
correctly, enabling prelink to run; a simple fixfiles relabel would
not; perhaps fixfiles -F relabel would, but I didn't try that.
Oddly, even after I cleaned up all binaries to enable a full prelink
run to complete successfully, after additional updates installed by
yum, new libraries and binaries were introduced that fail to prelink,
and I have to reset their contexts to get :s0 added in order for it to
succeed.
Since I'm told the mcs thingie was designed to not require relabeling
and to be totally transparent, I thought I'd report this. I'm just
not sure what package to file it against in bugzilla.
Thoughts?
- Normally, this is hidden from userspace by libsetrans, which adds
the :s0 suffix when it is missing. But prelink uses the static
libselinux and thus doesn't pick up the dlopen of libsetrans and the
transparent context translation support.
- fixfiles relabel runs setfiles, and setfiles does use the shared
libselinux, so it ends up seeing the contexts as already having the :s0
and doesn't bother relabeling them. It appears that the force flag to
setfiles doesn't change this behavior, which is a bug in setfiles.
restorecon does honor the force flag in that respect.
- I don't understand how subsequent updates could end up creating new
files that lack :s0 after you've switched over to using MCS; the kernel
should prohibit setxattr or /proc/pid/attr/fscreate values that lack the
suffix, and should default it into new files.
- There is a patch pending against 2.6.15 that will enable SELinux to
canonicalize getxattr results, so that it will return the :s0 always
under MCS, even if the file hasn't been relabeled on disk.
--
Stephen Smalley
National Security Agency