SELinux and third party installers

Colin Walters walters at redhat.com
Mon Jan 3 17:49:05 UTC 2005


On Thu, 2004-12-30 at 21:05 +0000, Mike Hearn wrote:
> Hi,
> 
> I have a couple of questions. The first is that in the FC3 targeted
> policy, it appears that ldconfig cannot write to user_home_t directories.
> Why is this? It appears to be a restriction with no purpose, and some
> programs rely on this to work. In fact I see from the archives that
> ldconfig not being able to write or search certain directories has come up
> before.

Can you explain why you have ldconfig writing to a home directory?  Are
you doing the equivalent of "ldconfig > ~/install.log"?

> The second question is what impact SELinux will have on third party
> installers. It seems from the nVidia thread that currently if you copy
> files onto the system using "cp", this is the wrong way to do it and it
> will break people's SELinux setups. This surely cannot be correct: that'd
> break pretty much every third party installer (e.g. Loki Setup,
> etc) out there!

My hope was that by modifying "install", we'd minimize the breakage.  At
least all of the Automake-generated packages should work.  

I had a quick look at two other ISV installers; HelixPlayer and Mozilla.
It appears neither uses "install", they both do the equivalent of cp.  

The route we may need to go down is having a relabeling daemon that
monitors /usr/lib/, /usr/local/lib, etc. and fixes file contexts.  




