SELinux and third party installers

Colin Walters walters at redhat.com
Tue Jan 4 20:21:07 UTC 2005


On Tue, 2005-01-04 at 15:21 +0000, Mike Hearn wrote:
> On Mon, 03 Jan 2005 12:49:05 -0500, Colin Walters wrote:
> > Can you explain why you have ldconfig writing to a home directory?  Are
> > you doing the equivalent of "ldconfig > ~/install.log"?
> 
>    cp *.so.* ~/.local/lib
>    /sbin/ldconfig -n ~/.local/lib    # generate the symlinks

Hmm.  This is actually something that should work in the strict policy,
but not in targeted.  The reason is that in targeted, we can't easily
differentiate between the system and users.  So in targeted, we
transition to ldconfig_t, but in strict there should be no transition.

I can't think of any good ideas on a solution for this one at the
moment.  Can you file a bugzilla?

> Hmm, OK. I have to admit I never saw a third party installer that uses
> "install" so that is probably not enough.

Depends how you define third party, but I know what you mean.

> A daemon that fixes contexts as files are added feels rather racy. 

It's just as racy as prelink; actually less so because it doesn't
actually change file content.  

> I'm
> sure I'm missing a lot of context from previous discussions on the matter
> here, but perhaps the kernel should set the context automatically when a
> new file is created in certain directories that are marked as "autofix".

What specific race conditions do you see that we can't solve in
userspace?
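The step quoted at the top of this message, `cp *.so.* ~/.local/lib` followed by `/sbin/ldconfig -n ~/.local/lib`, breaks in targeted policy only because execve of /sbin/ldconfig triggers the transition into ldconfig_t. Domain transitions happen on execve, so an installer that does the `ldconfig -n` work itself (read each library's DT_SONAME and create the SONAME -> file symlink) never leaves its own domain. The following is an added example and is not code from this thread, from Fedora or from ldconfig: a minimal ELF64 little-endian reader for DT_SONAME, the symlink step, a read of the resulting `security.selinux` label, and a helper that constructs a fake shared object so the whole thing runs offline. The library name `libfoo.so.1.2.3` and its SONAME are made up.

```python
"""Installer-side replacement for `/sbin/ldconfig -n DIR` (hypothetical helper).

Reads each shared object's DT_SONAME and creates the SONAME -> file symlinks
without exec'ing /sbin/ldconfig, so no SELinux domain transition to
ldconfig_t occurs; the links are created in the installer's own domain.
"""
import os
import struct
import tempfile

SHT_STRTAB = 3
SHT_DYNAMIC = 6
DT_NULL = 0
DT_SONAME = 14


def elf_soname(data):
    """Return DT_SONAME of a little-endian ELF64 object, or None if absent.

    Walks the section headers to SHT_DYNAMIC and its linked string table;
    an object stripped of section headers yields None.
    """
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return None
    (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    sections = []
    for i in range(e_shnum):
        # Elf64_Shdr prefix: sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size, sh_link
        _, sh_type, _, _, sh_offset, sh_size, sh_link = struct.unpack_from(
            "<IIQQQQI", data, e_shoff + i * e_shentsize)
        sections.append((sh_type, sh_offset, sh_size, sh_link))
    for sh_type, sh_offset, sh_size, sh_link in sections:
        if sh_type != SHT_DYNAMIC or sh_link >= len(sections):
            continue
        _, str_off, str_size, _ = sections[sh_link]
        strtab = data[str_off:str_off + str_size]
        for pos in range(sh_offset, sh_offset + sh_size, 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, pos)  # Elf64_Dyn
            if d_tag == DT_NULL:
                break
            if d_tag == DT_SONAME:
                return strtab[d_val:strtab.index(b"\0", d_val)].decode()
    return None


def link_shared_objects(directory):
    """Create SONAME -> basename symlinks for every ELF object in `directory`,
    replacing stale symlinks but never clobbering a regular file.
    Returns {soname: target} for the links created."""
    made = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.islink(path) or not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            soname = elf_soname(f.read())
        if soname is None or soname == name:
            continue
        link = os.path.join(directory, soname)
        if os.path.islink(link):
            os.unlink(link)
        elif os.path.exists(link):
            continue
        os.symlink(name, link)
        made[soname] = name
    return made


def selinux_context(path):
    """Label of the file itself (security.selinux xattr), or None where the
    kernel or filesystem does not expose one."""
    try:
        raw = os.getxattr(path, "security.selinux", follow_symlinks=False)
        return raw.rstrip(b"\0").decode()
    except (OSError, AttributeError):
        return None


def make_fake_shared_object(soname):
    """Constructed sample input: the smallest ELF64 carrying a DT_SONAME
    (header, .dynstr, .dynamic, three section headers). Not loadable."""
    dynstr = b"\0" + soname.encode() + b"\0"
    dynstr_off = 64
    dyn_off = (dynstr_off + len(dynstr) + 7) & ~7
    dynamic = struct.pack("<qQ", DT_SONAME, 1) + struct.pack("<qQ", DT_NULL, 0)
    shoff = dyn_off + len(dynamic)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELF64, LE, SysV
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff, 0,
                               64, 0, 0, 64, 3, 0)  # ET_DYN, x86-64
    def shdr(typ, off, size, link):
        return struct.pack("<IIQQQQIIQQ", 0, typ, 0, 0, off, size, link, 0, 1, 0)
    body = ehdr + dynstr + b"\0" * (dyn_off - dynstr_off - len(dynstr)) + dynamic
    return (body + b"\0" * 64  # null section header
            + shdr(SHT_STRTAB, dynstr_off, len(dynstr), 0)
            + shdr(SHT_DYNAMIC, dyn_off, len(dynamic), 1))


def demo():
    """Run the installer step in a scratch directory and report the result."""
    with tempfile.TemporaryDirectory() as d:
        real = "libfoo.so.1.2.3"  # made-up library name
        with open(os.path.join(d, real), "wb") as f:
            f.write(make_fake_shared_object("libfoo.so.1"))
        with open(os.path.join(d, "README"), "w") as f:
            f.write("not an ELF file\n")  # must be ignored
        links = link_shared_objects(d)
        link = os.path.join(d, "libfoo.so.1")
        return {"links": links, "readlink": os.readlink(link),
                "context": selinux_context(link)}


if __name__ == "__main__":
    print(demo())
```

On an SELinux system the `context` field shows the label the symlink got from the directory's type (in a home directory, the home-dir label), which is the check an installer wants after this step; the real `ldconfig -n` reads the program headers rather than section headers, so this reader is stricter than ldconfig about stripped objects.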

More information about the fedora-selinux-list mailing list