labelling issues

Stephen Smalley sds at epoch.ncsc.mil
Thu Dec 9 13:19:36 UTC 2004


On Wed, 2004-12-08 at 18:27, Joe Orton wrote:
> On Fri, Dec 03, 2004 at 08:42:18AM -0500, Stephen Smalley wrote:
> > BTW, ask people who encounter the mislabeled shared objects to check
> > their /var/log/prelink.log for errors, particularly "Could not get
> > security context" or "Could not set security context", as prelink is
> > supposed to log those errors when it cannot get or set the file context.
> 
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=142319
> 
> is that any use?

The 'ls' output indicates that the libpcre shared object is labeled
correctly, so I wonder if he had already relabeled it via fixfiles or
restorecon prior to running that ls.

The prelink.log file does include some "Could not get security context"
errors (with errno ENODATA), which is interesting, but peculiar that
there is no such error for the libpcre shared object, since that is the
one that is triggering this denial.  The lack of any context on those
files is very odd unless he ran with SELinux disabled for a while (in
which case the files would indeed end up with no context if they were
updated while SELinux was disabled and he failed to relabel when he
re-enabled SELinux).

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
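
The two checks discussed in this message, as an added example that is not part of the original post: filter a prelink log for the two error strings, and find files whose security.selinux attribute is absent (ENODATA). The function names and the sample log line layout are assumptions; only the quoted error strings come from the thread.

```python
import errno
import os

# The two prelink messages named in the thread.
PRELINK_ERRORS = ("Could not get security context",
                  "Could not set security context")


def prelink_context_errors(log_lines):
    """Return the log lines that carry either prelink context error."""
    return [line.rstrip("\n") for line in log_lines
            if any(msg in line for msg in PRELINK_ERRORS)]


def label_state(path, getxattr=None):
    """Return (state, context) for the security.selinux xattr of path.

    ENODATA means the file has no context at all, e.g. it was written
    while SELinux was disabled and never relabeled.
    """
    getxattr = getxattr or os.getxattr  # os.getxattr is Linux only
    try:
        raw = getxattr(path, "security.selinux")
    except OSError as exc:
        if exc.errno == errno.ENODATA:
            return "unlabeled", None
        if exc.errno == errno.ENOTSUP:
            return "unsupported", None  # filesystem without xattr support
        if exc.errno == errno.ENOENT:
            return "missing", None
        raise
    return "labeled", raw.rstrip(b"\0").decode()


def unlabeled_files(paths, getxattr=None):
    """Paths that have no context and need restorecon or fixfiles."""
    return [p for p in paths if label_state(p, getxattr)[0] == "unlabeled"]


if __name__ == "__main__":
    # Constructed sample; the layout around the message text is an assumption.
    sample_log = [
        "prelink: /usr/lib/libexample.so.0: Could not get security context\n",
        "prelink: /usr/bin/example: prelinked\n",
    ]
    for hit in prelink_context_errors(sample_log):
        print("log:", hit)
    libs = [os.path.join("/usr/lib", n) for n in sorted(os.listdir("/usr/lib"))]
    for path in unlabeled_files(p for p in libs if os.path.isfile(p)):
        print("no context:", path)
```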



