
Re: Not good



Daniel J Walsh wrote:

I don't believe that is what the user was complaining about. The problem is that when you build any rpm, it tries to read /etc/security/selinux/file_contexts which is marked policy_config_t. Rpm is storing the file_contexts of files in its headers. The current policy-1.9.2-12 allows users to read this; the problem is that rpm needs to then check if the security contexts are valid. So they need can_getsecurity defined. This has been updated for policy-1.9.2-13 (Available on people). This is being governed by the user_canbe_sysadm tunable. If you turn this off only staff_u would be able to do it.


Normal users running checkpolicy would still require the can_setenforce and maybe some other privs.


The path to the file context RE's is configurable for rpmbuild as well; there is no reason whatsoever that the path cannot be changed to something else if/when the time comes.


In fact, policy for package builds is likely to be different than policy for the build system in almost every case.

73 de Jeff
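The thread turns on two distinct steps: reading the file_contexts regex table that rpm records per-file contexts from, and then checking that each recorded context is valid, which needs a separate kernel-facing permission. The following is an added illustration, written for this page and not code from rpm, libselinux or the policy packages, of what that table looks like and why a syntactic parse of it is not the same as the validity check. The sample file_contexts text and the set of "known" policy types are constructed; the last-match-wins lookup is a simplified model of how the file is consulted and does not reproduce libselinux's own sorting.

```python
import re

# Constructed sample in the file_contexts(5) layout: "regex [file-type] context".
# Only policy_config_t and the rpm path come from the thread; the rest is illustrative.
SAMPLE_FILE_CONTEXTS = """\
# catch-all first: later, more specific entries take precedence in this model
/.*                                 system_u:object_r:default_t
/etc(/.*)?                          system_u:object_r:etc_t
/etc/security/selinux(/.*)?         system_u:object_r:policy_config_t
/usr/bin(/.*)?                      system_u:object_r:bin_t
/usr/bin/rpm                  --    system_u:object_r:rpm_exec_t
/tmp(/.*)?                          <<none>>
"""

# Assumed set of types present in the loaded policy. On a real system the
# kernel answers this question (the check rpm needs beyond merely reading
# the file, which is why read access alone was not enough in the thread).
KNOWN_TYPES = {"default_t", "etc_t", "policy_config_t", "bin_t", "rpm_exec_t"}

FIELD_PART = r"[A-Za-z0-9_.-]+"
CONTEXT_RE = re.compile(rf"^({FIELD_PART}):({FIELD_PART}):({FIELD_PART})(?::(.+))?$")


def context_is_wellformed(ctx):
    """Syntactic check only: user:role:type[:range] or the <<none>> marker."""
    return ctx == "<<none>>" or CONTEXT_RE.match(ctx) is not None


def context_type(ctx):
    """Return the type component of a well-formed context, or None."""
    m = CONTEXT_RE.match(ctx)
    return m.group(3) if m else None


def parse_file_contexts(text):
    """Parse file_contexts text into (compiled regex, file type or None, context)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, ftype, ctx = fields[0], None, fields[1]
        elif len(fields) == 3:
            regex, ftype, ctx = fields
        else:
            raise ValueError(f"line {lineno}: expected 2 or 3 fields, got {len(fields)}")
        if not context_is_wellformed(ctx):
            raise ValueError(f"line {lineno}: malformed context {ctx!r}")
        # Anchor the regex so it must match the whole path.
        entries.append((re.compile(regex + "$"), ftype, ctx))
    return entries


def lookup(entries, path, ftype="--"):
    """Return the context for path, or None when the matching entry is <<none>>.

    Assumption for this toy: the last matching entry wins, which is why the
    generic /.* line sits first in the sample. Entries carrying a file-type
    field ("--" regular file, "-d" directory, ...) only apply to that type.
    """
    result = None
    for regex, entry_type, ctx in entries:
        if entry_type is not None and entry_type != ftype:
            continue
        if regex.match(path):
            result = ctx
    return None if result == "<<none>>" else result


def unknown_types(entries, known=KNOWN_TYPES):
    """Contexts whose type is absent from the policy: this is the validity
    question that reading the file cannot answer on its own."""
    bad = []
    for _, _, ctx in entries:
        t = context_type(ctx)
        if t is not None and t not in known:
            bad.append(ctx)
    return bad


if __name__ == "__main__":
    table = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    for p in ("/etc/security/selinux/file_contexts", "/usr/bin/rpm", "/tmp/build.log"):
        print(p, "->", lookup(table, p))
    print("unknown types:", unknown_types(table))
```

The point for a policy reviewer is the split in `unknown_types`: `parse_file_contexts` accepts any syntactically plausible `user:role:type` string, so a build tool that only has read access to the table can record contexts but cannot know whether they exist in the loaded policy. That second check is the one the discussion attaches to the extra permission, and in this model it is stood in for by the constructed `KNOWN_TYPES` set.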


