SE Linux installer changes needed - was Re: /etc/ld.so.cache and FC4T3

Russell Coker russell at coker.com.au
Mon May 16 15:46:37 UTC 2005


On Tuesday 17 May 2005 01:27, Stephen Smalley <sds at tycho.nsa.gov> wrote:
> It is a runtime-created file, and ldconfig is not specifically modified
> to set the security context on it, so it just follows the default
> behavior, i.e. if there is a file type transition rule for the creating
> domain and the parent directory type, then apply the resulting type
> (which is what normally happens when ldconfig is run in the ldconfig_t
> domain); otherwise, inherit the type from the parent directory.  In this
> case, it seems that ldconfig is not running in its domain because the
> caller isn't in the expected domain because the calling sequence never
> transitioned out of kernel_t due to the lack of labeling on the
> initramfs.  At least that is what I gleaned from Russell's posting.

Yes.  However, although the kernel_t domain is used for everything, the
programs being run will all be from the chroot environment and thus have the
correct types.  Therefore ldconfig_exec_t will be used for the ldconfig
program and we can do a domain transition on it.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
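
The labeling behaviour discussed in this thread, modelled as an added example that is not part of the original messages or of any SELinux tool. It assumes the type names initrc_t, etc_t and ld_so_cache_t and a constructed policy fragment, and it models only the `type_transition` defaults, not the `allow` rules a real transition also needs.

```python
import re

# Constructed policy fragment. initrc_t, etc_t and ld_so_cache_t are assumed
# type names; INSTALLER_RULE is the kind of kernel_t transition the reply proposes.
BASE_POLICY = """
type_transition initrc_t ldconfig_exec_t:process ldconfig_t;
type_transition ldconfig_t etc_t:file ld_so_cache_t;
"""
INSTALLER_RULE = "type_transition kernel_t ldconfig_exec_t:process ldconfig_t;\n"

RULE_RE = re.compile(r"type_transition\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\w+)\s*;")

def parse_rules(text):
    """Map (source type, target type, class) -> default type."""
    return {(s, t, c): d for s, t, c, d in RULE_RE.findall(text)}

def exec_domain(rules, domain, exec_type):
    """Domain after exec: transition if a process rule matches, else stay."""
    return rules.get((domain, exec_type, "process"), domain)

def new_file_type(rules, domain, parent_type, tclass="file"):
    """Label for a new file: transition rule if present, else parent's type."""
    return rules.get((domain, parent_type, tclass), parent_type)

def label_ld_so_cache(rules, caller_domain):
    """Simulate the caller exec'ing ldconfig, which then creates a file in /etc."""
    domain = exec_domain(rules, caller_domain, "ldconfig_exec_t")
    return domain, new_file_type(rules, domain, "etc_t")

if __name__ == "__main__":
    base = parse_rules(BASE_POLICY)
    fixed = parse_rules(BASE_POLICY + INSTALLER_RULE)
    scenarios = [("normal boot", base, "initrc_t"),
                 ("installer, no kernel_t rule", base, "kernel_t"),
                 ("installer, kernel_t rule added", fixed, "kernel_t")]
    for name, rules, caller in scenarios:
        print(name, label_ld_so_cache(rules, caller))
```
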



