Red Hat Bugzilla – Bug 175354
Failure of postinstall script to change security context
Last modified: 2008-03-09 21:27:07 EDT
Description of problem: Upon installation of libannodex-0.7.2-1.fc4, attempts to change the security context of the libraries fail with errors. Version-Release number of selected component (if applicable): 0.7.2-1.fc4 How reproducible: Always Steps to Reproduce: 1. install/update to libannodex-0.7.2-1.fc4 2. 3. Actual results: The following errors occur: chcon: can't apply partial context to unlabeled file /usr/lib/libannodex.so.0 chcon: can't apply partial context to unlabeled file /usr/lib/libannodex.so.0.4.0 Expected results: Installation/upgrade without incident Additional info:
Colin, the relevant post line reads: chcon -t texrel_shlib_t %{_libdir}/libannodex.so.* what should I do about this ? I think you mentioned getting something in selinux-policy ? Stephen, does this problem actually fail the install ? AFAICT all that would be happening is that it prints the two lines - is that correct ?
I don't think it fails install. It shows as installed in RPM's list. However, IMHO, I think that it should fail, even if it doesn't currently. I think that it is worse if it actually goes ahead and is installed with this kind of error. This is a library that ends up with the default security context instead of what the author intended. That is, if the author or maintainer have good reasons to be changing security contexts and it is not changed correctly, then it should be failing the install. It is an exploit waiting to happen. But, on the other hand, if there aren't any good reasons to be messing with the security context in the first place, then why bother?
this hasn't been touched in awhile, Is this still true? has anything been done to have the changes added to the default selinux policy?
I really can't comment further, I don't understand selinux well enough and could really use someone with more knowledge to look at this.
has this happened at all with the latest package, 0.7.3-3.fc4 ?
The information we've requested above is required in order to review this problem report further and diagnose/fix the issue if it is still present. Since there have not been any updates to the report since thirty (30) days or more since we requested additional information, we're assuming the problem is either no longer present in the current Fedora release, or that there is no longer any interest in tracking the problem. Setting status to "INSUFFICIENT_DATA". If you still experience this problem after updating to our latest Fedora release and can provide the information previously requested, please feel free to reopen the bug report. Thank you in advance.