* Daniel J Walsh [2004-11-18 20:50]:
> Thomas Bleher wrote:
>
> >* Daniel J Walsh [2004-11-18 15:32]:
> >>policy-1.19.2/domains/program/ldconfig.te
> >>--- nsapolicy/domains/program/ldconfig.te 2004-11-09 13:35:12.000000000 -0500
> >>+++ policy-1.19.2/domains/program/ldconfig.te 2004-11-18 08:48:23.918139878 -0500
> >>@@ -26,7 +26,7 @@
> >>allow ldconfig_t lib_t:lnk_file create_lnk_perms;
> >
> >>allow ldconfig_t userdomain:fd use;
> >>-allow ldconfig_t etc_t:file { getattr read };
> >>+allow ldconfig_t etc_t:file { getattr read unlink };
> >
> >
> >Which files does it want to unlink? Is it possible that the file was
> >just mislabeled? (there's this line in the policy:
> >file_type_auto_trans(ldconfig_t, etc_t, ld_so_cache_t, file)
> >so it should probably be ld_so_cache_t)
> >
> >
> Yes I added this because it gets mislabeled and then cannot change it
> back.
> A bug in RPM was causing it many times. Booting in non-enforcing
> mode, non-SELinux mode.
> This can easily happen on targeted policy, but could also happen on strict.
> Allowing ldconfig_t to unlink etc_t files seems like a reasonable way
> around the problem.

Ah, OK. Best solution would probably be to make ldconfig create its files
in a separate directory, but until then this seems like a good workaround.
How about a comment above this line like:

# allow ldconfig to work if /etc/ld.so.cache is mislabeled

Thomas

--
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7
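Review bot: the `+allow ldconfig_t etc_t:file { getattr read unlink };` line grants ldconfig_t removal of every etc_t file it can reach, not only a mislabeled /etc/ld.so.cache, while the quoted `file_type_auto_trans(ldconfig_t, etc_t, ld_so_cache_t, file)` shows the cache is meant to carry ld_so_cache_t; the rule should carry the comment proposed in the reply (`# allow ldconfig to work if /etc/ld.so.cache is mislabeled`) so the widening is recorded as a workaround for a labeling bug rather than a permission ldconfig needs, and relabeling the file stays the real fix. Also confirm that ldconfig_t already holds `remove_name` on the containing etc_t directory: unlinking a file requires it, and this hunk does not add it.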
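The check a practitioner would run for the situation the thread describes, as an added example that is not part of the e-mail or of the reference policy: compare the on-disk label of /etc/ld.so.cache with what the file-contexts say it should be, and restore it with restorecon instead of letting ldconfig_t unlink arbitrary etc_t files. It assumes GNU stat (`-c %C` prints the SELinux context), and the libselinux tools `matchpathcon -n` and `restorecon`; the context strings in the comments are constructed, and the pure helpers work on any host without SELinux.

```shell
#!/bin/sh
# Added example, not from the thread or the reference policy: detect a
# mislabeled /etc/ld.so.cache and put the policy's expected label back,
# rather than widening ldconfig_t to unlink arbitrary etc_t files.
# Assumes GNU stat (%C prints the SELinux context) and the libselinux
# tools matchpathcon and restorecon. Contexts in comments are constructed.

# type_of CONTEXT: print the SELinux type, the third colon-separated field.
# Works with or without a trailing MLS field:
#   system_u:object_r:etc_t     -> etc_t
#   system_u:object_r:etc_t:s0  -> etc_t
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# needs_relabel ACTUAL EXPECTED: true (exit 0) when the types differ.
# Only the type is compared: the user and role fields of a file context
# can differ without changing what type enforcement allows.
needs_relabel() {
    [ "$(type_of "$1")" != "$(type_of "$2")" ]
}

# check_label PATH: compare the on-disk context with the one the loaded
# policy's file contexts assign to PATH, and relabel with restorecon when
# they disagree. Exit status: 0 if the label is (now) correct, 2 if the
# SELinux tools are missing, 1 if the lookup or relabel failed.
check_label() {
    path=$1
    if ! command -v matchpathcon >/dev/null 2>&1 ||
       ! command -v restorecon >/dev/null 2>&1; then
        echo "check_label: SELinux tools not available" >&2
        return 2
    fi
    actual=$(stat -c %C "$path") || return 1
    expected=$(matchpathcon -n "$path") || return 1
    if needs_relabel "$actual" "$expected"; then
        echo "$path is $(type_of "$actual"), policy expects $(type_of "$expected"); relabeling" >&2
        restorecon -v "$path" || return 1
    fi
    return 0
}

# Usage: sh check_ld_so_cache.sh /etc/ld.so.cache
# Nothing runs when no path is given, so the helpers can be sourced safely.
if [ $# -gt 0 ]; then
    check_label "$1"
fi
```

If the cache really does come back as etc_t after an RPM run or a boot with SELinux disabled, this restores ld_so_cache_t in place and ldconfig can then rewrite the file under its existing `file_type_auto_trans` rule without any extra permission on etc_t.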