devel's mcs breaks prelink and FC4 compat

Stephen Smalley sds at tycho.nsa.gov
Mon Oct 3 20:18:26 UTC 2005 

On Mon, 2005-10-03 at 16:09 -0300, Alexandre Oliva wrote:
> I've been running FC devel forever.  Ever since mcs was introduced,
> prelink has started displaying odd behavior: it would fail to set the
> context for some of the linked binaries and crash at the end.  Some
> time ago, I put some time aside to investigate the issue.
> 
> As it turned out, prelink would getxattr("selinux.context") for the
> old binary, and setxattr the new binary with the same context.  For
> some reason, for binaries whose context did not end in :s0, the
> setxattr was denied.
> 
> Running restorecon -F or chcon would reset the context of the binary
> correctly, enabling prelink to run; a simple fixfiles relabel would
> not; perhaps fixfiles -F relabel would, but I didn't try that.
> 
> Oddly, even after I cleaned up all binaries to enable a full prelink
> run to complete successfully, after additional updates installed by
> yum, new libraries and binaries were introduced that fail to prelink,
> and I have to reset their contexts to get :s0 added in order for it to
> succeed.
> 
> Since I'm told the mcs thingie was designed to not require relabeling
> and to be totally transparent, I thought I'd report this.  I'm just
> not sure what package to file it against in bugzilla.
> 
> Thoughts?

- Normally, this is hidden from userspace by libsetrans, which adds
the :s0 suffix when it is missing.  But prelink uses the static
libselinux and thus doesn't pick up the dlopen of libsetrans and the
transparent context translation support.

- fixfiles relabel runs setfiles, and setfiles does use the shared
libselinux, so it ends up seeing the contexts as already having the :s0
and doesn't bother relabeling them.  It appears that the force flag to
setfiles doesn't change this behavior, which is a bug in setfiles.
restorecon does honor the force flag in that respect.

- I don't understand how subsequent updates could end up creating new
files that lack :s0 after you've switched over to using MCS; the kernel
should prohibit setxattr or /proc/pid/attr/fscreate values that lack the
suffix, and should default it into new files.

- There is a patch pending against 2.6.15 that will enable SELinux to
canonicalize getxattr results, so that it will return the :s0 always
under MCS, even if the file hasn't been relabeled on disk.

-- 
Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list