prelink and yum conflict

Jeff Johnson n3npq at nc.rr.com
Tue Oct 12 13:27:21 UTC 2004


Stephen Smalley wrote:

>On Mon, 2004-10-11 at 02:34, Russell Coker wrote:
>
>>On Sat, 9 Oct 2004 02:14, Stephen Smalley <sds at epoch.ncsc.mil> wrote:
>>
>>>/etc/ld.so.cache is supposed to be labeled ld_so_cache_t.
>>
>>ldconfig is being executed directly from rpm not via "sh -c ldconfig".  This 
>>means that it doesn't transition to ldconfig_t.
>>
>>Jeff, please change rpm to use "sh -c" for spawning all scripts including 
>>ldconfig and /usr/sbin/glibc_post_upgrade.  Should I file a bugzilla against 
>>rpm?
>
>Ironically, this used to work with the older rpm that did not setexeccon
>to rpm_script_t for binaries, as there was a transition from rpm_t to
>ldconfig_t in the policy.  But since we asked Jeff to change the
>behavior, the explicit setexeccon takes precedence over the default
>transition, and ldconfig ends up running in rpm_script_t directly then.

Not so much irony as difficult coordination. Compiling "rpm_script_t" into rpm
is gonna be difficult coordination, and now that there are two behaviors,
support is gonna get messy too.

I'm open for better ideas, would like to have the choice of "rpm_script_t"
exec type in libselinux even though mechanism is of necessity in rpm.

How about a simple routine, I pass the interpreter (i.e. "/bin/sh" or
"/sbin/ldconfig"), and libselinux gives me the IDENTITY:ROLE:TYPE to set.

Even better, rpm will fork, then give libselinux argv[0] before doing execve.
Then libselinux can do whatever it wants.

You can have argv, not just argv[0] if you want too. ;-)

Sound like a plan?

73 de Jeff
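
The precedence problem discussed in this thread, and the kind of lookup routine proposed in the reply, as an added example that is not part of the original message and is not rpm or libselinux code. It is a toy C model: the policy table, the file labels and the function names (`default_transition`, `domain_after_exec`, `pick_exec_type`) are assumptions made up for illustration, and only the type field of a context is modelled.

```c
#include <stdio.h>
#include <string.h>

/* Toy model, types only (no identity or role); all tables are constructed. */
struct label { const char *path, *type; };
struct rule  { const char *src, *exec_type, *dst; };

static const struct label labels[] = {
    { "/sbin/ldconfig", "ldconfig_exec_t" },
    { "/bin/sh",        "shell_exec_t"    },
};
/* Default transitions into ldconfig_t mentioned in the thread (assumed form). */
static const struct rule rules[] = {
    { "rpm_t",        "ldconfig_exec_t", "ldconfig_t" },  /* older rpm */
    { "rpm_script_t", "ldconfig_exec_t", "ldconfig_t" },  /* "sh -c ldconfig" */
};

/* Type the policy picks by default, or NULL when no rule matches. */
const char *default_transition(const char *cur, const char *path)
{
    const char *ft = NULL;
    for (size_t i = 0; i < sizeof labels / sizeof *labels; i++)
        if (strcmp(labels[i].path, path) == 0)
            ft = labels[i].type;
    for (size_t i = 0; ft && i < sizeof rules / sizeof *rules; i++)
        if (!strcmp(rules[i].src, cur) && !strcmp(rules[i].exec_type, ft))
            return rules[i].dst;
    return NULL;
}

/* Domain after execve(): an explicit exec context (setexeccon) wins over the
 * default transition; with neither, the process stays in its domain. */
const char *domain_after_exec(const char *cur, const char *execcon, const char *path)
{
    const char *dflt = default_transition(cur, path);
    return execcon ? execcon : (dflt ? dflt : cur);
}

/* Hypothetical helper in the spirit of the proposal: use the policy's own
 * transition for the program, fall back to rpm_script_t when there is none. */
const char *pick_exec_type(const char *cur, const char *path)
{
    const char *dflt = default_transition(cur, path);
    return dflt ? dflt : "rpm_script_t";
}

int main(void)
{
    const char *p = "/sbin/ldconfig";
    printf("%s\n", domain_after_exec("rpm_t", pick_exec_type("rpm_t", p), p));
    return 0;
}
```

Passing `"rpm_script_t"` unconditionally as the exec context reproduces the behaviour described in the quoted text (ldconfig ends up in `rpm_script_t`), while passing `NULL` reproduces the older rpm.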




More information about the fedora-selinux-list mailing list