FC3 " avc: denied" issue

Colin Walters walters at redhat.com
Mon Dec 27 17:14:22 UTC 2004


On Tue, 2004-12-28 at 03:47 +1100, Russell Coker wrote:

> Valdis just said that they have specific builds for different distributions 
> and different versions of the various distributions.  As they already have 
> such a variation, adding another simple thing such as restorecon is not 
> asking a lot (IMHO).

If you just view this in the specific context of NVidia, sure, we could
probably browbeat them into adding a bit more goo to their code.

But the larger issue here is keeping 'make install' working for the vast
majority of software out there (the ones that don't create device files,
etc).  I see tons of reports in Bugzilla from people confused as to why
this breaks on Fedora, and for good reason.  You need to think of our
existing software infrastructure, from filesystem paths like
"/usr/local/lib" to tools like "install" and "ldconfig" as an API.
We've told ISVs (and I'm not just talking about proprietary software
here; an ISV could also be software like a Xine tarball) that they can
integrate with our system by using 'install' to a few filesystem paths,
and running the magic command 'ldconfig'.  

If we all of a sudden tell them that they have to run some additional
magic command, we are breaking that API.  And that's wrong, *especially*
in this case because the breakage is mostly needless; I think Dan's
patch for "install" should cover the vast majority of cases.

Breaking this API is wrong because not only will it lead to a higher
support burden for us (and if you watch Bugzilla, it clearly *has* led
to that), it will also lead to people recommending to turn off SELinux.





More information about the fedora-selinux-list mailing list