ldconfig, /etc/ld.so.cache and prelink ?

Daniel J Walsh dwalsh at redhat.com
Fri Oct 29 14:44:01 UTC 2004


Tom London wrote:

>Running strict/enforcing off of Rawhide.
>
>While doing today's rawhide installs (yum),
>I monitored the label of /etc/ld.so.cache via
>    ls -lZ /etc/ld.so.cache
>
>Several times during the installation of packages,
>the label of this file changed from
>     system_u:object_r:ld_so_cache_t
>to 
>     root:object_r:ld_so_cache_t 
>[OK, I think]
>or to
>     root:object_r:etc_t
>[Not OK, I think]
>
>Each time it changed to etc_t, I ran
>    restorecon -vv /etc/ld.so.cache
>a few seconds later and got the typical
>     restorecon reset context /etc/ld.so.cache->system_u:object_r:ld_so_cache_t
>
>I'm guessing that when a package updates
>/etc/ld.so.cache, it may leave the label
>in a funny state, presuming that yum
>will fix it at the end.
>
>Does this explain the 'intermittent' prelink
>error messages generated during package installations?
>
>tom
>  
>
There is a bug in rpm that will be fixed after FC3 ships. Basically, RPM
sets the default context of any execed script to be rpm_script_t. This
works fine for most applications because the post-install scripts run in
a shell and process transitions work properly. The problem is that in
certain situations rpm execs ldconfig, which also runs in rpm_script_t,
as opposed to ldconfig_t. As such, it does not have the rules to create
the ld_so_cache_t correctly. In order to fix this problem we have added a
new library function to libselinux, rpm_exec. This function will take a
command and figure out if it should run under a specific context
(ldconfig_t) or just execute it under rpm_exec_t.

Dan
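
The monitoring described in the quoted message can be scripted so that a change of SELinux user alone is separated from a change of type. The following shell sketch is an added example, not part of the original thread; the function names, the timestamps and the choice of system_u as the expected user are assumptions, and the sample contexts are the ones quoted above.

```shell
#!/bin/sh
# Classify an SELinux context against the type expected for a file.
# A context is user:role:type, optionally followed by :level on newer systems.

# classify_context CONTEXT EXPECTED_TYPE [EXPECTED_USER]
# Prints one of: ok | user-drift | type-drift | malformed
classify_context() {
    want_type=$2
    want_user=${3:-system_u}   # assumption: system_u is the expected user
    # Split on ':'; any MLS level lands in $rest and is ignored.
    IFS=: read -r user role type rest <<EOF
$1
EOF
    if [ -z "$user" ] || [ -z "$role" ] || [ -z "$type" ]; then
        echo malformed
    elif [ "$type" != "$want_type" ]; then
        echo type-drift        # e.g. etc_t instead of ld_so_cache_t
    elif [ "$user" != "$want_user" ]; then
        echo user-drift        # e.g. root: instead of system_u:, type intact
    else
        echo ok
    fi
}

# scan_observations EXPECTED_TYPE
# Reads "TIME CONTEXT" lines on stdin and prints those that are not ok.
# On a live system each line could come from polling, for example:
#   echo "$(date +%T) $(stat -c %C /etc/ld.so.cache)"
scan_observations() {
    while read -r when ctx; do
        verdict=$(classify_context "$ctx" "$1")
        [ "$verdict" = ok ] || echo "$when $verdict $ctx"
    done
}

# Constructed sample: contexts from the message, timestamps made up.
SAMPLE='14:01:05 system_u:object_r:ld_so_cache_t
14:03:17 root:object_r:ld_so_cache_t
14:03:52 root:object_r:etc_t
14:04:01 system_u:object_r:ld_so_cache_t'

report() { printf '%s\n' "$SAMPLE" | scan_observations ld_so_cache_t; }

report
```

Only the type-drift lines correspond to the state that restorecon had to reset in the quoted message.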



