Pam updates break system (Was: pam changes require dovecot restart)

[Gene C.]

On Saturday 17 December 2005 06:26, n0dalus wrote:
> On 12/17/05, Jeff Spaleta <jspaleta at gmail.com> wrote:
> > And pam seems to update just fine for me.  You'll have to do you best
> > to figure out why the libpam files didn't install.
> >
> > -jef
>
> I have done some more looking into the problem, and while
> unfortunately I was unable to reproduce the same problem, I did find
> some things in the log files.
>
> At the time of the update, lots of scriptlets failed with the
> accompianing log message below:
> Dec 17 08:53:26 kernel: audit(1134771806.214:1322): avc:  denied  {
> transition } for  pid=17748 comm="yum" name="bash" dev=hda7 ino=163054
> scontext=root:system_r:ldconfig_t tcontext=root:system_r:rpm_script_t
> tclass=process
>
> I am pretty new to SELinux, but to me it seems that the scontext and
> the tcontext are around the wrong way. I don't know how this could
> happen. In policy.20, source rpm_script_t is allowed to run the
> ldconfig_t process. What's happening here seems to be that ldconfig_t
> is trying to run rpm_script_t (as far as SELinux is concerned), which
> would not be what's really happening. I could be completely wrong
> though, so hopefully someone more experienced in these matters can
> comment.
> I can reproduce this error message consistently when doing certain updates.

I have exactly the same situation you have on a x86_64 install.  I remember 
that I batched the selinux and pam updates into a single yum update.
-- 
Gene