SELinux error with yum --installroot

Bob Kashani bobk at ocf.berkeley.edu
Wed Jan 5 07:21:24 UTC 2005 

On Tue, 2005-01-04 at 10:18 -0500, Stephen Smalley wrote:
> On Tue, 2005-01-04 at 02:14, Bob Kashani wrote:
> > But here is the log message that I get when ldconfig fails in /home (as
> > requested by Stephen).
> > 
> > Jan  3 22:44:05 chaucer kernel: audit(1104821045.640:0): avc:  denied
> > { search } for  pid=4960 exe=/sbin/ldconfig name=bob-chroot dev=hdb1
> > ino=855792 scontext=root:system_r:ldconfig_t
> > tcontext=user_u:object_r:file_t tclass=dir
> > Jan  3 22:44:05 chaucer kernel: audit(1104821045.641:0): avc:  denied
> > { search } for  pid=4960 exe=/sbin/ldconfig name=bob-chroot dev=hdb1
> > ino=855792 scontext=root:system_r:ldconfig_t
> > tcontext=user_u:object_r:file_t tclass=dir
> 
> First, I'd suggest relabeling /home, as there shouldn't be any file_t
> files there.  restorecon -R /home.  Was /home inherited from a prior
> install, or did you run a non-SELinux kernel while creating files there?

Well, /home/gnome (my test user account) is actually a symbolic link
to /mnt/hdb1/home/gnome (this way I can log into the same account from
rawhide and FC3 without having to copy files around). /home is on hda3
and /home/gnome is on hdb1. hdb1 has rawhide installed on it and I had
turned off selinux a long time ago since it was giving me problems. But
all of the files in /home/gnome were created under FC3 w/ selinux. I
booted into rawhide (hdb1) and enabled selinux and ran 'restorecon -
R /'. Now when I'm in FC3 file_t is gone. :)

> Second, ldconfig is normally restricted in the set of types it can
> access; see the "SELinux and third party installers" thread.  This can
> be changed in the policy if necesssary, but understand that there are
> implications.

I read the thread and I seem to understand the technical reason behind
why ldconfig is restricted in the way that it is (the security side of
the issue). But is seems a little harsh from a usability point of view
since for example, you can no longer run ldconfig in a chroot in your
home dir. I like fine grained security but isn't the whole idea behind
policy-targeted to enable security without restricting usability too
much? I would understand not allowing ldconfig to execute in /home with
policy-strict but shouldn't policy-targeted allow you to do this
regardless of the potential security issues? Do the security concerns in
this case outweigh the usability issues?

Bob

-- 
Bob Kashani
http://www.ocf.berkeley.edu/~bobk/garnome

More information about the fedora-selinux-list mailing list