[Discuss] Strange SELinux behavior

[richard.pieri at gmail.com (Richard Pieri)]

On 1/30/2015 5:44 PM, Matthew Gillen wrote:
> Looking at that command on my fedora 20 box, I see the following:
>   ldd -r /usr/bin/condor_status
> shows that libselinux.so is explicitly linked in to the binary.  So it
> will always try to load it.  Interestingly, there is no libsepol.so that
> gets loaded if I run it as a user or root (although that file does exist
> in /lib on my system, and SELinux is enabled).

That's the behavior that I'm seeing on the boxes that segfault: runs 
fine as root with no libsepol linked, segfaults as me after libsepol is 
loaded. What's extra weird is that only three of the six boxes do that; 
the other three run normally with the same binaries and SELinux likewise 
disabled.


> Perhaps libsepol is only loaded by libselinux under certain conditions
> (i.e. using explicit calls to dlopen instead of relying on the
> startup-linking), and your user has some environment var set that
> creates those conditions?

Unlikely. I used the same tarball to install and configure Condor on all 
six nodes and I'm running from my AFS home directory on all six so my 
environment is constant.

Since I couldn't figure out the cause I tried a newer Condor tarball 
from U-Wisc. More strangeness: the binaries in that newer tarball work 
correctly on all six nodes. Makes me think that there's a problem with 
the older binaries from U-Wisc.

-- 
Rich P.