SELinux and third party installers
Daniel J Walsh
dwalsh at redhat.com
Mon Jan 3 15:31:13 UTC 2005
Mike Hearn wrote:
>On Thu, 30 Dec 2004 22:52:02 -0500, Daniel J Walsh wrote:
>
>
>>The problem is that sometimes files like shared libraries need a different
>>file context (shlib_t) than the directory they are being copied to (lib_t).
>>RPM and now install have the smarts to handle this. mv and cp do not.
>>
>>
>
>I see. What happens if you create a file in a lib_t directory using the
>standard POSIX APIs? I looked at the Loki setup sources and it doesn't use
>"cp" directly of course, it just opens files and copies them using a
>read/write loop.
>
>What happens if a library is put in a directory that isn't lib_t, and the
>DSO is not marked as shlib_t? Does the linker refuse to link it? Or is it
>just that ldconfig cannot read them?
>
The file will receive the context of the parent directory. The linker is
probably running in unconfined_t, so it will not have any problem.
>I have a game here where it uses libraries marked as file_t, and it seems
>to work when using LD_LIBRARY_PATH which makes me happier :)
>
>Most third party programs do not rely on the linker cache anyway, so I
>suppose this is a good thing.
>
>
>
You should not have anything marked file_t unless they were created on a
machine that was not running SELinux. This indicates that you need a relabel.
>>What do you base this on? Fedora is where most of the SELinux
>>development has been going on.
>>
>>
>
>Yes, I mean it's hard to find out how Fedora differs from Debian or Gentoo
>SELinux-wise. If I use "install" does this only work on Fedora? Or is this
>something that will eventually be merged into other distributions too?
>
>
Hopefully; good ideas usually get picked up by other distributions. Of
course, they might not think this is a good idea. :^)
Of course, you could say that generally about differences between
distributions.
>What about the pam_selinux module, is that used elsewhere or on other
>distros must I remember to use the SELinux su equivalent as well? (I
>forgot its name ...)
>
>
>
I believe pam_selinux is being used elsewhere.
>thanks -mike
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>
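An added example, not part of the original thread: a small Python audit of the labeling outcomes discussed above, flagging shared libraries that kept the parent directory's lib_t type and files still marked file_t. The rules, the sample listing, the function names and the "last matching rule wins" ordering are all assumptions constructed for illustration, not taken from any real policy.

```python
import posixpath
import re

# Constructed, simplified path-to-type rules (assumption: not from a real policy).
# In this sketch the last matching rule wins.
RULES = [
    (r"/usr/lib(/.*)?", "lib_t"),
    (r"/usr/lib/.*\.so(\.[^/]*)?", "shlib_t"),
]

# Constructed sample listing: "context path" per line.
SAMPLE = """
system_u:object_r:lib_t /usr/lib/game
system_u:object_r:lib_t /usr/lib/game/libengine.so.1
system_u:object_r:shlib_t /usr/lib/libfoo.so.2
system_u:object_r:file_t /usr/lib/game/libold.so
"""

def parse_listing(text):
    """Map each path to the type field of its user:role:type context."""
    labels = {}
    for line in text.strip().splitlines():
        context, path = line.split(None, 1)
        labels[path.strip()] = context.split(":")[2]
    return labels

def expected_type(path, rules=RULES):
    """Type the rules assign to path, or None if no rule matches."""
    wanted = None
    for pattern, setype in rules:
        if re.fullmatch(pattern, path):
            wanted = setype
    return wanted

def audit(labels, rules=RULES):
    """Return (path, reason) for every file whose label needs attention."""
    findings = []
    for path, actual in sorted(labels.items()):
        wanted = expected_type(path, rules)
        parent = labels.get(posixpath.dirname(path))
        if actual == "file_t":
            findings.append((path, "file_t: never labeled, relabel needed"))
        elif wanted and actual != wanted:
            how = "inherited from parent directory" if actual == parent else "mislabeled"
            findings.append((path, f"{actual} ({how}), expected {wanted}"))
    return findings

if __name__ == "__main__":
    for path, reason in audit(parse_listing(SAMPLE)):
        print(f"{path}: {reason}")
```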