Bug 175354

Summary:	Failure of postinstall script to change security context
Product:	[Fedora] Fedora	Reporter:	Stephen Biggs <bugzilla-redhat>
Component:	libannodex	Assignee:	Thomas Vander Stichele <thomas>
Status:	CLOSED INSUFFICIENT_DATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	4	CC:	dennis, extras-qa, hdegoede, walters
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	i386
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2008-03-10 01:27:07 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Stephen Biggs 2005-12-09 10:16:25 UTC

Description of problem:
Upon installation of libannodex-0.7.2-1.fc4, attempts to change the security
context of the libraries fail with errors.

Version-Release number of selected component (if applicable):
0.7.2-1.fc4

How reproducible:
Always

Steps to Reproduce:
1. install/update to libannodex-0.7.2-1.fc4
2.
3.
  
Actual results:
The following errors occur:
chcon: can't apply partial context to unlabeled file /usr/lib/libannodex.so.0
chcon: can't apply partial context to unlabeled file /usr/lib/libannodex.so.0.4.0

Expected results:
Installation/upgrade without incident

Additional info:

Comment 1 Thomas Vander Stichele 2005-12-18 10:23:28 UTC

Colin,

the relevant post line reads:
chcon -t texrel_shlib_t %{_libdir}/libannodex.so.*


what should I do about this ? I think you mentioned getting something in
selinux-policy ?

Stephen,

does this problem actually fail the install ? AFAICT all that would be happening
is that it prints the two lines - is that correct ?

Comment 2 Stephen Biggs 2005-12-24 19:27:15 UTC

I don't think it fails install.  It shows as installed in RPM's list. 
 
However, IMHO, I think that it should fail, even if it doesn't currently. I 
think that it is worse if it actually goes ahead and is installed with this 
kind of error. This is a library that ends up with the default security 
context instead of what the author intended. 
 
That is, if the author or maintainer have good reasons to be changing security 
contexts and it is not changed correctly, then it should be failing the 
install.  It is an exploit waiting to happen.  But, on the other hand, if 
there aren't any good reasons to be messing with the security context in the 
first place, then why bother?

Comment 3 Dennis Gilmore 2006-03-09 19:14:38 UTC

this hasn't been touched in awhile,  Is this still true?  has anything been 
done to have the changes added to the default selinux policy?

Comment 4 Thomas Vander Stichele 2006-06-15 09:21:54 UTC

I really can't comment further, I don't understand selinux well enough and could
really use someone with more knowledge to look at this.

Comment 5 Thomas Vander Stichele 2006-09-02 10:53:05 UTC

has this happened at all with the latest package, 0.7.3-3.fc4 ?

Comment 6 petrosyan 2008-03-10 01:27:07 UTC

The information we've requested above is required in order
to review this problem report further and diagnose/fix the
issue if it is still present.  Since there have not been any
updates to the report since thirty (30) days or more since we
requested additional information, we're assuming the problem
is either no longer present in the current Fedora release, or
that there is no longer any interest in tracking the problem.

Setting status to "INSUFFICIENT_DATA".  If you still
experience this problem after updating to our latest Fedora
release and can provide the information previously requested, 
please feel free to reopen the bug report.

Thank you in advance.