devel's mcs breaks prelink and FC4 compat

Alexandre Oliva aoliva at redhat.com
Mon Oct 3 19:09:58 UTC 2005


I've been running FC devel forever.  Ever since mcs was introduced,
prelink has started displaying odd behavior: it would fail to set the
context for some of the linked binaries and crash at the end.  Some
time ago, I put some time aside to investigate the issue.

As it turned out, prelink would getxattr("selinux.context") for the
old binary, and setxattr the new binary with the same context.  For
some reason, for binaries whose context did not end in :s0, the
setxattr was denied.

Running restorecon -F or chcon would reset the context of the binary
correctly, enabling prelink to run; a simple fixfiles relabel would
not; perhaps fixfiles -F relabel would, but I didn't try that.

Oddly, even after I cleaned up all binaries to enable a full prelink
run to complete successfully, after additional updates installed by
yum, new libraries and binaries were introduced that fail to prelink,
and I have to reset their contexts to get :s0 added in order for it to
succeed.

Since I'm told the mcs thingie was designed to not require relabeling
and to be totally transparent, I thought I'd report this.  I'm just
not sure what package to file it against in bugzilla.

Thoughts?

For reference, here's the command I used to get all contexts reset.
It can run for hours, so beware.

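rm -f /tmp/prelink.restorecon.log
# Repeat while restorecon still relabels something: run prelink, then
# force-relabel every file it reported it could not set the context for.
while /usr/sbin/prelink -av -mR -q 2>&1 | tee /tmp/prelink.log
      sed -n 's,/usr/sbin/prelink: Could not set security context for \(.*\): Invalid argument,\1,p' /tmp/prelink.log |
        xargs restorecon -v -F |
        tee -a /tmp/prelink.restorecon.log |
        grep .
do
    # Stop once two consecutive prelink runs produce identical logs.
    cmp /tmp/prelink.log /tmp/prelink.log.prev && break
    mv -f /tmp/prelink.log /tmp/prelink.log.prev
done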

-- 
Alexandre Oliva         http://www.lsd.ic.unicamp.br/~oliva/
Red Hat Compiler Engineer   aoliva@{redhat.com, gcc.gnu.org}
Free Software Evangelist  oliva@{lsd.ic.unicamp.br, gnu.org}
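
Added example, not part of the original message: a read-only check that lists the files prelink reported and flags contexts with no level field after user:role:type, so the affected files can be reviewed before anything is relabeled. The "context path" input format (as printed by GNU `stat -c '%C %n'`), the function names, and the sample log and contexts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; all sample data below is constructed.

# Print the paths prelink failed to label, from a prelink log on stdin.
# Uses the same message pattern as the sed expression in the post.
failed_paths() {
    sed -n 's,/usr/sbin/prelink: Could not set security context for \(.*\): Invalid argument,\1,p'
}

# Return 0 if context $1 has a level field after user:role:type.
# The level itself may contain colons (e.g. s0:c0.c1023).
has_level() {
    case "$1" in
        *:*:*:?*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Read "context path" lines on stdin (assumed format, e.g. from
# `stat -c '%C %n' FILE...`) and print paths whose context has no level.
missing_level() {
    while read -r ctx path; do
        [ -n "$path" ] || continue
        has_level "$ctx" || printf '%s\n' "$path"
    done
}

# Constructed sample prelink log.
sample_log() {
    cat <<'EOF'
Prelinking /usr/bin/foo
/usr/sbin/prelink: Could not set security context for /usr/lib/libfoo.so.1: Invalid argument
/usr/sbin/prelink: Could not set security context for /usr/bin/bar: Invalid argument
EOF
}

# Constructed sample context listing.
sample_contexts() {
    cat <<'EOF'
system_u:object_r:lib_t /usr/lib/libfoo.so.1
system_u:object_r:bin_t:s0 /usr/bin/foo
system_u:object_r:bin_t /usr/bin/bar
EOF
}

sample_log | failed_paths          # files prelink could not label
sample_contexts | missing_level    # files whose context lacks a level
```

On a live system, the two lists can be compared to confirm that every file prelink rejected is one whose context lacks the level field.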



