ldconfig + SELinux = symlink slaughter

Stephen Smalley sds at epoch.ncsc.mil
Mon Dec 13 18:24:36 UTC 2004


On Sat, 2004-12-11 at 12:33, Dave Mack wrote:
> OK, this is getting mildly annoying. With the current Rawhide tree (and 
> for about the last week) I've been running into a problem when I "yum 
> update" with SELinux in enforcing mode: the reboot which follows fails 
> because most of the symlinks to shared libraries in /lib have 
> evaporated. The culprit is ldconfig, which is being run during the yum 
> update after library changes.
> 
> Reproduce by:
> 
> # ls -l /lib/libtermcap.so.2*
> 
> lrwxrwxrwx   1 root root 19 Dec 11 09:17   /lib/termcap.so.2 -> libtermcap.so.2.0.8
> -rwxr-xr-x   1 root root 12952 Jun 15 17:34 /lib/libtermcap.so.2.0.8
> 
> # setenforce 1
> # ldconfig
> 
> <many lines of complaint about "Input file /lib/<something>.so not found">
> 
> # ls -l /lib/libtermcap.so.2*
> 
> ls: error while loading shared libraries: libacl.so.1: cannot open shared object file: No such file or directory
> 
> # setenforce 0
> 
> # ldconfig
> 
> <no errors>
> 
> Now everything is back to normal.
> 
> Is anyone else able to reproduce this or is it just me? Known bug?

There have been reports of shared objects becoming mislabeled over time,
but the precise cause is not yet known - likely prelink or rpm or a
combination due to an interleaving of an update and a prelink run.  That
could be the source of your problem with ldconfig.  Questions:
1) Are there any errors in your /var/log/prelink.log file of the form
'Could not get security context' or 'Could not set security context'?
2) Have you run with SELinux disabled at any time, and then failed to
fixfiles relabel when re-enabling SELinux?  That could leave such files
unlabeled due to updates or prelink runs while SELinux was disabled.
3) Are there any errors in /var/log/messages with the function name
"post_create" in them?

--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
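
The log checks in questions 1 and 3 of the reply above, as an added shell example that is not part of the original message. The function names and sample log lines are constructed for illustration (the lines are not real prelink or kernel output), and question 2 is not covered because it cannot be answered from these logs.

```shell
#!/bin/sh
# Added example: counts the log indicators named in the reply above.
# Default paths are the ones from the message; everything else is hypothetical.

# count_matches FILE PATTERN -> prints the number of matching lines
# (prints 0 when FILE is missing or unreadable instead of failing).
count_matches() {
    if [ -r "$1" ]; then
        # grep -c exits 1 on zero matches but still prints 0
        grep -c -E -- "$2" "$1" || true
    else
        echo 0
    fi
}

# label_triage [PRELINK_LOG] [MESSAGES_LOG]
# Prints one key=value line per check; returns 0 if both logs are clean,
# 1 if either indicator is present.
label_triage() {
    prelink_log=${1:-/var/log/prelink.log}
    messages_log=${2:-/var/log/messages}
    ctx=$(count_matches "$prelink_log" 'Could not (get|set) security context')
    pc=$(count_matches "$messages_log" 'post_create')
    echo "prelink_context_errors=$ctx"
    echo "post_create_errors=$pc"
    [ "$ctx" -eq 0 ] && [ "$pc" -eq 0 ]
}

# Demo on constructed sample logs so the script runs without root or SELinux.
demo() {
    tmp=$(mktemp -d)
    {
        echo 'prelink: /lib/libexample.so.1: Could not set security context'
        echo 'prelink: /lib/libexample.so.2: Could not get security context'
        echo 'prelink: unrelated constructed line'
    } > "$tmp/prelink.log"
    echo 'Dec 11 09:17:01 host kernel: post_create: constructed sample' \
        > "$tmp/messages"
    label_triage "$tmp/prelink.log" "$tmp/messages" \
        || echo "indicators found: relabel candidates exist"
    rm -rf "$tmp"
}

demo
```

Run `label_triage` with no arguments as root to check the real log paths named in the message.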



