Re: ldconfig, /etc/ld.so.cache and prelink ?

Tom London wrote:

> Running strict/enforcing off of Rawhide.
>
> While doing today's rawhide installs (yum),
> I monitored the label of /etc/ld.so.cache via
>    ls -lZ /etc/ld.so.cache
>
> Several times during the installation of packages,
> the label of this file changed from
>     system_u:object_r:ld_so_cache_t
> to 
>     root:object_r:ld_so_cache_t 
> [OK, I think]
> or to
>     root:object_r:etc_t
> [Not OK, I think]
>
> Each time it changed to etc_t, I ran
>    restorecon -vv /etc/ld.so.cache
> a few seconds later and got the typical
>     restorecon reset context /etc/ld.so.cache->system_u:object_r:ld_so_cache_t
>
> I'm guessing that when a package updates
> /etc/ld.so.cache, it may leave the label
> in a funny state, presuming that yum
> will fix it at the end.
>
> Does this explain the 'intermittant' prelink
> error messages generated during package installations?
>
> tom
>  
There is a bug in rpm that will be fixed after FC3 ships.  Basically RPM 
sets the default context of any execed script to be rpm_script_t.
This works fine for most applications because the post install scripts 
run in a shell and process transitions work properly.  The
problem is that in certain situations rpm exec ldconfig which also runs 
in rpm_script_t, as opposed to ldconfig_t.  As such it does not
have the rules to create the ld_so_cache_t correctly.  In order to fix 
this problem we have added a new library function to libselinux
rpm_exec.  This function will take a command and figure out if it should 
run under a specific context (ldconfig_t) or just execute it under
rpm_exec_t.

Dan