SELinux and third party installers

Daniel J Walsh dwalsh at redhat.com
Mon Jan 3 15:31:13 UTC 2005


Mike Hearn wrote:

>On Thu, 30 Dec 2004 22:52:02 -0500, Daniel J Walsh wrote:
>
>>The problem is that sometimes files like shared libraries need a different
>>file context (shlib_t) than the directory they are being copied to (lib_t).
>>RPM and now install have the smarts to handle this.  mv and cp do not.
>
>I see. What happens if you create a file in a lib_t directory using the
>standard POSIX APIs? I looked at the Loki setup sources and it doesn't use
>"cp" directly of course, it just opens files and copies them using a
>read/write loop.
>
>What happens if a library is put in a directory that isn't lib_t, and the
>DSO is not marked as shlib_t? Does the linker refuse to link it? Or is it
>just that ldconfig cannot read them?
>
The file will receive the context of the parent directory.  The linker is
probably running in unconfined_t so it will not have any problem.

>I have a game here where it uses libraries marked as file_t, and it seems
>to work when using LD_LIBRARY_PATH which makes me happier :)
>
>Most third party programs do not rely on the linker cache anyway, so I
>suppose this is a good thing.
>

You should not have anything marked file_t unless they were created on a
machine that was not running SELinux.  This indicates that you need a relabel.

>>What do you base this on?  Fedora is where most of the SELinux
>>development has been going on.
>
>Yes, I mean it's hard to find out how Fedora differs from Debian or Gentoo
>SELinux-wise. If I use "install" does this only work on Fedora? Or is this
>something that will eventually be merged into other distributions too?
>
Hopefully, good ideas usually get picked up by other distributions. Of
course, they might not think this is a good idea. :^)
Of course you could say that generally about differences between
distributions.

>What about the pam_selinux module, is that used elsewhere or on other
>distros must I remember to use the SELinux su equivalent as well? (I
>forgot its name ...)
>
I believe pam_selinux is being used elsewhere.

>thanks -mike
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>  
>
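
As an added example (not part of the original thread or of any Fedora tool), a shell function that scans "context path" pairs for the two situations discussed above: files still typed file_t, and shared objects that kept a directory-inherited type instead of shlib_t. The function names and sample paths are constructed for illustration; the type names are the ones used in the thread.

```shell
#!/bin/sh
# Added example: audit "context path" pairs for the two labelling problems
# discussed in the thread. The input format is what
# `stat -c '%C %n' FILE...` prints on an SELinux system.
# Type names (file_t, lib_t, shlib_t) are the ones used in the thread;
# the policy on a given system may use different ones (assumption).

audit_labels() {
    # Reads "user:role:type[:level] path" lines on stdin, prints findings.
    awk '
    {
        ctx = $1
        path = substr($0, length(ctx) + 2)   # keeps paths containing spaces
        split(ctx, f, ":")
        type = f[3]
        if (type == "file_t") {
            # Never labelled: created while SELinux was not running.
            print "UNLABELED " path
        } else if (path ~ /\.so(\.[0-9]+)*$/ && type != "shlib_t") {
            # Shared object that kept the type of its parent directory.
            print "INHERITED " type " " path
        }
    }'
}

# Constructed sample input (not taken from a real system).
sample_labels() {
    cat <<'EOF'
system_u:object_r:lib_t /usr/lib
system_u:object_r:shlib_t /usr/lib/libz.so.1.2.1
system_u:object_r:lib_t /usr/lib/libgame.so.1
system_u:object_r:file_t /opt/game/lib/libSDL-1.2.so.0
system_u:object_r:usr_t /opt/game/README
EOF
}

sample_labels | audit_labels
```

On a live system, `restorecon -n -v -R <dir>` reports label mismatches against the loaded policy without changing anything.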



