SE Linux installer changes needed - was Re: /etc/ld.so.cache and FC4T3
Russell Coker
russell at coker.com.au
Mon May 16 15:44:41 UTC 2005
On Tuesday 17 May 2005 01:13, Peter Jones <pjones at redhat.com> wrote:
> > initrd. Sure an initrd can support ext2 with labels, but that's not
> > being done at the moment and such a significant change is unlikely to be
> > made to the installer in a hurry.
>
> Anaconda has been using initramfs for boot media since November. Are
> you sure you mean initrd?
That was my understanding of it, I thought that initrd=whatever for the boot
loader made it use initrd. Could you please give me a URL for the correct
information?
> Regardless of that, why isn't ld.so.cache's context getting set
> correctly from the data in the glibc package?
The cache file is created by ldconfig. So it's not an issue of the glibc
package or RPM. We could patch ldconfig to specifically request the context
we desire (using the same mechanism that rpm uses to determine the correct
file type), but that seems like a waste as such code would only be needed for
the install.

    file_type_auto_trans(ldconfig_t, etc_t, ld_so_cache_t, file)

In normal operation the ldconfig program runs in domain ldconfig_t. The above
SE Linux policy specifies that when domain ldconfig_t creates a file in a
directory of type etc_t the file type should be ld_so_cache_t.
Currently during the install everything runs in kernel_t (including ldconfig)
so the policy in question does not apply.
The options to solve this are to hack the policy or to run restorecon at the
end of the install.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
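
The labeling behaviour described in the message above, as an added example that is not part of the original post or of any SE Linux policy source: a small Python model of how a type transition rule picks the type of a new file, and of why a path-based relabel fixes the result of an install-time run. The `FILE_CONTEXTS` entries and the helper names are constructed for illustration, and the matching is simplified to "first entry wins".

```python
import re

# type_transition rules keyed on (creating domain, parent dir type, class).
# file_type_auto_trans(ldconfig_t, etc_t, ld_so_cache_t, file) adds this entry.
TYPE_TRANSITIONS = {
    ("ldconfig_t", "etc_t", "file"): "ld_so_cache_t",
}

# Constructed file_contexts-style entries (assumed), most specific first.
FILE_CONTEXTS = [
    (r"/etc/ld\.so\.cache", "ld_so_cache_t"),
    (r"/etc(/.*)?", "etc_t"),
]


def created_type(domain, parent_dir_type, obj_class="file"):
    """Type given to a newly created object.

    If no rule matches the creating domain, the object inherits the
    type of its parent directory.
    """
    key = (domain, parent_dir_type, obj_class)
    return TYPE_TRANSITIONS.get(key, parent_dir_type)


def expected_type(path):
    """Type a path-based relabel (what restorecon does) would apply."""
    for pattern, file_type in FILE_CONTEXTS:
        if re.fullmatch(pattern, path):
            return file_type
    return None


def relabel_needed(path, current_type):
    """True when the on-disk type differs from the path-based one."""
    want = expected_type(path)
    return want is not None and want != current_type


if __name__ == "__main__":
    # ldconfig_t is normal operation; kernel_t is the installer case.
    for domain in ("ldconfig_t", "kernel_t"):
        got = created_type(domain, "etc_t")
        fix = relabel_needed("/etc/ld.so.cache", got)
        print(f"{domain}: created as {got}, relabel needed: {fix}")
```
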