On Fri, 2004-12-03 at 08:36, Stephen Smalley wrote:
I've seen prior reports suggesting that it is prelink-related, but no hard evidence. On the other hand, I just checked my FC3 systems (all strict policy) and they don't have any mislabeled shared objects. While they have been getting regular updates via yum and the prelink cron job is present, I see that prelink has been getting denials because of the /etc/ld.so.cache mislabeling problem (problem in rpm, not sure if a fixed rpm has found its way into FC3 or not). So possibly if prelink wasn't encountering those denials on ld.so.cache, it would gone on to complete its processing and would have left the shared objects with the wrong label. I'll restorecon /etc/ld.so.cache again and see if the problem manifests upon the next prelink run.
BTW, ask people who encounter the mislabeled shared objects to check their /var/log/prelink.log for errors, particularly "Could not get security context" or "Could not set security context", as prelink is supposed to log those errors when it cannot get or set the file context.