Bug 175354 - Failure of postinstall script to change security context
Summary: Failure of postinstall script to change security context
Alias: None
Product: Fedora
Classification: Fedora
Component: libannodex   
(Show other bugs)
Version: 4
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Thomas Vander Stichele
QA Contact: Fedora Extras Quality Assurance
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2005-12-09 10:16 UTC by Stephen Biggs
Modified: 2008-03-10 01:27 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-03-10 01:27:07 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Stephen Biggs 2005-12-09 10:16:25 UTC
Description of problem:
Upon installation of libannodex-0.7.2-1.fc4, attempts to change the security
context of the libraries fail with errors.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. install/update to libannodex-0.7.2-1.fc4
Actual results:
The following errors occur:
chcon: can't apply partial context to unlabeled file /usr/lib/libannodex.so.0
chcon: can't apply partial context to unlabeled file /usr/lib/libannodex.so.0.4.0

Expected results:
Installation/upgrade without incident

Additional info:

Comment 1 Thomas Vander Stichele 2005-12-18 10:23:28 UTC

the relevant post line reads:
chcon -t texrel_shlib_t %{_libdir}/libannodex.so.*

what should I do about this ? I think you mentioned getting something in
selinux-policy ?


does this problem actually fail the install ? AFAICT all that would be happening
is that it prints the two lines - is that correct ?

Comment 2 Stephen Biggs 2005-12-24 19:27:15 UTC
I don't think it fails install.  It shows as installed in RPM's list. 
However, IMHO, I think that it should fail, even if it doesn't currently. I 
think that it is worse if it actually goes ahead and is installed with this 
kind of error. This is a library that ends up with the default security 
context instead of what the author intended. 
That is, if the author or maintainer have good reasons to be changing security 
contexts and it is not changed correctly, then it should be failing the 
install.  It is an exploit waiting to happen.  But, on the other hand, if 
there aren't any good reasons to be messing with the security context in the 
first place, then why bother? 

Comment 3 Dennis Gilmore 2006-03-09 19:14:38 UTC
this hasn't been touched in awhile,  Is this still true?  has anything been 
done to have the changes added to the default selinux policy? 

Comment 4 Thomas Vander Stichele 2006-06-15 09:21:54 UTC
I really can't comment further, I don't understand selinux well enough and could
really use someone with more knowledge to look at this.

Comment 5 Thomas Vander Stichele 2006-09-02 10:53:05 UTC
has this happened at all with the latest package, 0.7.3-3.fc4 ?

Comment 6 petrosyan 2008-03-10 01:27:07 UTC
The information we've requested above is required in order
to review this problem report further and diagnose/fix the
issue if it is still present.  Since there have not been any
updates to the report since thirty (30) days or more since we
requested additional information, we're assuming the problem
is either no longer present in the current Fedora release, or
that there is no longer any interest in tracking the problem.

Setting status to "INSUFFICIENT_DATA".  If you still
experience this problem after updating to our latest Fedora
release and can provide the information previously requested, 
please feel free to reopen the bug report.

Thank you in advance.

Note You need to log in before you can comment on or make changes to this bug.