prelink and yum conflict

Tom London selinux at gmail.com
Mon Oct 11 15:08:26 UTC 2004 

I've been running this system strict/enforcing most of the time
(running strict/permissive when the policy is wedged).

After 'yum update' a few days ago, after observing the
'prelink messages' noted above, lots of stuff started
breaking, like gconftool-2, gnome-terminal, bononbo-activation-server,
etc.  Each would fail with segmentation faults.

These could all be repaired by reinstalling the 'appropriate'
package (e.g., GConf2, gnome-terminal, libbonobo, ....) via
'rpm -ivh --force yum-cached-package'

Following a suggestion from fedora-test-list, I started running
'rpm -V' (in permissive mode) on my installed packages. Many of these
fail, e.g.:

libuser
S.?......   /usr/bin/lchfn
S.?......   /usr/bin/lchsh
S.?......   /usr/lib/libuser.so.1.1.1
S.?......   /usr/sbin/lchage
S.?......   /usr/sbin/lgroupadd
S.?......   /usr/sbin/lgroupdel
S.?......   /usr/sbin/lgroupmod
S.?......   /usr/sbin/lid
S.?......   /usr/sbin/lnewusers
S.?......   /usr/sbin/lpasswd
S.?......   /usr/sbin/luseradd
S.?......   /usr/sbin/luserdel
S.?......   /usr/sbin/lusermod

each with a line like:
prelink: /usr/lib/liblwres.so.1.1.2: at least one of file's
dependencies has changed since prelinking
prelink: /usr/bin/dig: at least one of file's dependencies has changed
since prelinking
prelink: /usr/bin/host: at least one of file's dependencies has
changed since prelinking
prelink: /usr/bin/nslookup: at least one of file's dependencies has
changed since prelinking
prelink: /usr/bin/nsupdate: at least one of file's dependencies has
changed since prelinking

(there are scads of these, picked this one at random.
Sorry, the first set of messages not coordinated with second.).

I can 'make these go away' by reinstalling via 
'rpm -ivh --force yum-cached-package', and then
'rpm -V' succeeds with no messages.

Could yum/rpm/prelink be scribbling?  Or am I chasing
shadows?

tom

On Mon, 11 Oct 2004 08:39:30 -0400, Jeff Johnson <n3npq at nc.rr.com> wrote:
> Russell Coker wrote:
> 
> >On Sat, 9 Oct 2004 02:14, Stephen Smalley <sds at epoch.ncsc.mil> wrote:
> >
> >
> >>/etc/ld.so.cache is supposed to be labeled ld_so_cache_t.
> >>
> >>
> >
> >ldconfig is being executed directly from rpm not via "sh -c ldconfig".  This
> >means that it doesn't transition to ldconfig_t.
> >
> >Jeff, please change rpm to use "sh -c" for spawning all scripts including
> >ldconfig and /usr/sbin/glibc_post_upgrade.  Should I file a bugzilla against
> >rpm?
> >
> I would if it would "work".
> 
> This was my reasoning originally for limiting "rpm_script_t" to /bin/sh
> execution, rather than
> applying in general.
> 
> As long as glibc_post_upgrade is a static binary that attempts sshd
> restart, policy
> will be a bit more complex than otherwise. The restart of sshd is necessary
> iff there is a incompatibility in one of the name service modules, a fairly
> rare event.
> 
> Making glibc_post_upgrade actions a bit easier to see and change is
> needed imho.
> I'd suggest using the embedded lua now in rpm rather than the a
> statically linked
> helper. But that is probably a different problem than /etc/ld.so.cache
> mentioned here.
> 
> Current behavior is to set "rpm_script_t" for all package interpreters
> rather than
> just /bin/sh.
> 
> What change(s) do you wish?
> 
> 73 de Jeff
> 
> 
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
> 


-- 
Tom London

More information about the fedora-selinux-list mailing list