FC3 " avc: denied" issue

Colin Walters walters at redhat.com
Mon Dec 27 16:59:56 UTC 2004


On Mon, 2004-12-27 at 11:44 -0500, Valdis.Kletnieks at vt.edu wrote:
> On Mon, 27 Dec 2004 11:32:41 EST, Colin Walters said:
> 
> > Dan recently worked on a patch for coreutils to make the 'install'
> > command do this internally.  I don't think we can ask every ISV to
> > insert restorecon commands at arbitrary points in their code.  Saying
> > however that they must use the 'install' command (or RPM) to install
> > software is a much more defensible position, IMO.
> 
> Any opinions on how they should integrate their current 'mknod' commands,
> which currently need a restorecon?  Should mknod handle it, or is that
> part still NVidia's problem?  (I suppose it would be OK to push *that*
> one back at the software - many packages install dozens or even hundreds
> of regular files, but rarely use mknod (even the NVidia one has some 35
> files and only 7 mknod's))

Yeah; I think anything that calls mknod is a special case, since it is
very low-level and inherently Linux-specific.  Asking those ISVs to
suffix mknod invocations with something like:
test -x /sbin/restorecon && /sbin/restorecon /dev/nvidia
isn't too onerous.  At least until we have some sort of API for these
vendors to add device files.  (Although it's unclear to me why they need
to create device files at all; shouldn't udev be creating it dynamically
when their kernel module is inserted?)

But the larger issue here of breaking the general 
'./configure;make;make install' is very bad; I hope Dan's patch will fix
this.
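
The guarded restorecon call suggested above for mknod, written out as an installer helper. This is an added example, not part of the original message or of any vendor's installer. The function name relabel_nodes and the RESTORECON override variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: restore the default SELinux context on device nodes an
# installer has just created with mknod, and do nothing on systems that
# have no restorecon. relabel_nodes and RESTORECON are hypothetical names.

# Path to restorecon; overridable so the helper can be exercised unprivileged.
RESTORECON="${RESTORECON:-/sbin/restorecon}"

# relabel_nodes NODE...
# Returns 0 when there was nothing to do or every relabel succeeded,
# 1 when restorecon failed on at least one node.
relabel_nodes() {
    # Same guard as "test -x /sbin/restorecon": without the binary this is
    # not an SELinux-aware system, so the installer carries on unchanged.
    [ -x "$RESTORECON" ] || return 0

    rc=0
    for node in "$@"; do
        # A node that mknod failed to create is skipped, not treated as an error.
        [ -e "$node" ] || continue
        # Keep going after a failure so the remaining nodes still get labelled,
        # but report it: a wrongly labelled node is what produces avc: denied.
        "$RESTORECON" "$node" || rc=1
    done
    return $rc
}

# Installer usage (needs root, so shown as a comment; MAJOR and MINOR are
# placeholders for the driver's device numbers):
#   mknod /dev/nvidia c MAJOR MINOR && relabel_nodes /dev/nvidia
```
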




