[Discuss] Strange SELinux behavior
Richard Pieri
richard.pieri at gmail.com
Fri Jan 30 19:32:38 EST 2015

On 1/30/2015 5:44 PM, Matthew Gillen wrote:
> Looking at that command on my fedora 20 box, I see the following:
> ldd -r /usr/bin/condor_status
> shows that libselinux.so is explicitly linked in to the binary. So it
> will always try to load it. Interestingly, there is no libsepol.so that
> gets loaded if I run it as a user or root (although that file does exist
> in /lib on my system, and SELinux is enabled).

That's the behavior that I'm seeing on the boxes that segfault: runs
fine as root with no libsepol linked, segfaults as me after libsepol is
loaded. What's extra weird is that only three of the six boxes do that;
the other three run normally with the same binaries and SELinux likewise
disabled.

> Perhaps libsepol is only loaded by libselinux under certain conditions
> (i.e. using explicit calls to dlopen instead of relying on the
> startup-linking), and your user has some environment var set that
> creates those conditions?

Unlikely. I used the same tarball to install and configure Condor on all
six nodes and I'm running from my AFS home directory on all six so my
environment is constant.

Since I couldn't figure out the cause I tried a newer Condor tarball
from U-Wisc. More strangeness: the binaries in that newer tarball work
correctly on all six nodes. Makes me think that there's a problem with
the older binaries from U-Wisc.

--
Rich P.