Description of problem:
The post install script for prelink shows:

[root@tlondon ~]# rpm -q --scripts prelink
postinstall scriptlet (using /bin/sh):
touch /var/lib/misc/prelink.force
[root@tlondon ~]#

This creates the file /var/lib/misc/prelink.force with the wrong SELinux label: it gets created with var_lib_t instead of prelink_var_lib_t. This causes the prelink cron script to throw AVCs:

node=tlondon.innopath.com type=AVC msg=audit(1271169652.784:29091): avc: denied { getattr } for pid=6638 comm="prelink" path="/var/lib/misc/prelink.force" dev=dm-0 ino=5243615 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
node=tlondon.innopath.com type=SYSCALL msg=audit(1271169652.784:29091): arch=c000003e syscall=4 success=no exit=-13 a0=206bab0 a1=7fffd7d1bd80 a2=7fffd7d1bd80 a3=8 items=0 ppid=3331 pid=6638 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="prelink" exe="/bin/bash" subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null)

Adding 'restorecon /var/lib/misc/prelink.force' would correct this.

Version-Release number of selected component (if applicable):
prelink-0.4.2-7.fc14.x86_64

How reproducible:
Every install....
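As an added illustration of how the mislabeling in the report can be spotted from audit logs (example code written for this page, not part of prelink or Fedora tooling): the function below parses AVC records like the one above, compares the target file's type with the type policy expects for that path, and emits the restorecon fix. The EXPECTED_TYPES map and the second, benign AVC line are constructed for this example.

```python
import re

# Constructed sample: the AVC and SYSCALL records from the report, plus a
# constructed AVC on a correctly labeled file that must not be flagged.
SAMPLE_AUDIT = """\
node=tlondon.innopath.com type=AVC msg=audit(1271169652.784:29091): avc: denied { getattr } for pid=6638 comm="prelink" path="/var/lib/misc/prelink.force" dev=dm-0 ino=5243615 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
node=tlondon.innopath.com type=SYSCALL msg=audit(1271169652.784:29091): arch=c000003e syscall=4 success=no exit=-13 comm="prelink" exe="/bin/bash"
node=tlondon.innopath.com type=AVC msg=audit(1271169700.000:29092): avc: denied { write } for pid=6640 comm="prelink" path="/var/lib/misc/prelink.full" dev=dm-0 ino=5243616 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:object_r:prelink_var_lib_t:s0 tclass=file
"""

# Assumed expected file type per path prefix, taken from the labels the
# report shows for the prelink state files under /var/lib/misc.
EXPECTED_TYPES = {"/var/lib/misc/prelink.": "prelink_var_lib_t"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="value"
DENIED_RE = re.compile(r'denied \{ ([^}]*) \}')  # the denied permission set


def parse_avc(line):
    """Turn one AVC audit record into a dict; None for non-AVC records."""
    if "type=AVC" not in line:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = DENIED_RE.search(line)
    fields["perms"] = m.group(1).split() if m else []
    return fields


def context_type(ctx):
    """Extract the type field from user:role:type[:range]."""
    return ctx.split(":")[2]


def find_mislabeled(audit_text, expected=EXPECTED_TYPES):
    """Return (path, actual_type, expected_type) for file AVCs whose target
    carries a type other than the one expected for that path prefix."""
    findings = []
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if not avc or "path" not in avc or avc.get("tclass") != "file":
            continue
        actual = context_type(avc["tcontext"])
        for prefix, want in expected.items():
            if avc["path"].startswith(prefix) and actual != want:
                findings.append((avc["path"], actual, want))
    return findings


def restorecon_commands(findings):
    """Fix commands for each mislabeled path (relabel from file_contexts)."""
    return ["/sbin/restorecon -v %s" % path for path, _, _ in findings]
```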
Either add

[ -x /sbin/restorecon ] && /sbin/restorecon /var/lib/misc/prelink.force

or make prelink.force part of the rpm payload. Should fix the label.
Ugly. Is this needed also for f13 or just f14? No idea when the policy changed, certainly prelink has been doing this for years.
Fedora 12 added policy to try to handle these labels (Also RHEL6). So yes, but can't you just put it in payload and be done with it.
The file is short-lived - usually survives at most a day. Yeah, probably putting it into the payload and adding %config(missingok) and whatever else is needed to avoid rpm -V failures could work too.
Actually, now I remember from glibc that there were many issues with that and I ended up keeping empty /usr/lib/locale/locale-archive.tmpl instead of removing it, because missingok implies %config and the ugly rpmsave etc. suffixes.
Bill, do you have any good ideas on this one?
prelink-0.4.3-2.fc{12,13,14} has that restorecon in %post.
Tested; it works.

[root@tlondon ~]# ls -l /var/lib/misc
total 8
-rw-r--r--. 1 root root 29 Apr  7 07:24 prelink.full
-rw-r--r--. 1 root root 29 Apr 13 07:40 prelink.quick
[root@tlondon Download]# rpm -Uvh prelink*
Preparing...                ########################################### [100%]
   1:prelink                ########################################### [ 50%]
   2:prelink-debuginfo      ########################################### [100%]
[root@tlondon Download]# ls -lZ /var/lib/misc
-rw-r--r--. root root system_u:object_r:prelink_var_lib_t:s0 prelink.force
-rw-r--r--. root root system_u:object_r:prelink_var_lib_t:s0 prelink.full
-rw-r--r--. root root system_u:object_r:prelink_var_lib_t:s0 prelink.quick
[root@tlondon Download]#
If the file is always empty, %config(missingok) should be fine, as the payload file will only ever change in timestamp, I think. I'd test it, of course.
prelink-0.4.3-2.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/prelink-0.4.3-2.fc13
prelink-0.4.3-2.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update prelink'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/prelink-0.4.3-2.fc13
prelink-0.4.3-2.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
I've tried

%verify(not md5 size mtime) %config(missingok,noreplace) /var/lib/misc/prelink.force

with a zero-sized file in the payload, but that doesn't really work - when it is removed, upgrade of the package to a newer version doesn't create the file at all. The same for

%verify(not md5 size mtime) %config(missingok) /var/lib/misc/prelink.force

The restorecon in %post doesn't work well either though - see #584319.
Could we finally move these to a prelink specific directory? /var/lib/prelink Then I could label the directory properly, allow the cron script and prelink to manipulate it, and we don't have to worry about the file. These files have always been a pain in the butt for SELinux since they exist in a directory not controlled by the prelink package.
That works for me, those 3 files are only mentioned in prelink.spec and /etc/cron.daily/prelink, nowhere else.
prelink-0.4.3-3.{fc13,fc14,el6} built. Guess a bodhi request for f13 should be filed for both selinux-policy and prelink together.