SE Linux installer changes needed - was Re: /etc/ld.so.cache and FC4T3
russell at coker.com.au
Sun May 15 15:06:27 UTC 2005
On Saturday 14 May 2005 02:46, Russell Coker <russell at coker.com.au> wrote:
> I am seeing /etc/ld.so.cache getting type etc_t for an initial install of
> FC4T3. Is anyone else seeing this?
> At this stage I'm not sure whether I messed up my install process or
> whether it's a more general thing.
I've found the problem.

The domain anaconda_t seems to be unused (we should probably just delete
anaconda.te). The installation process runs all initial programs from an
initrd (gzip compressed cpio file). cpio has no support for SE Linux labels
so no domain transitions occur and everything runs in kernel_t. Everything
that's not in an initrd is in a cramfs file system (which also has no support
for SE Linux labelling). This means that created files get the type of the
directory - etc_t in the case of /etc/ld.so.cache.

One possible method of dealing with this would be the following:

  domain_auto_trans(kernel_t, ldconfig_exec_t, ldconfig_t)

The other option is to run restorecon at the end of the install. Both options
are ugly hacks.

Given that we aren't doing anything with SE Linux at the install, the best
option is probably to create a policy that defines all file types with a
single domain that can have read/write access to them; this will save space
in the stage2 files and also precious RAM (currently installing to a machine
with 64M of RAM is almost impossible, and 4176K of that problem is the SE

I've attached a little Perl script that will munge a targeted policy. It
replaces most type and domain definitions with typealias rules and reduces
the policy binary size from 4176K to 60K. That saves 4116K of kernel memory
and almost 700K on the cramfs. The saving of 4M of kernel memory will make a
huge difference to the install on small machines. Currently it's almost
impossible to install an FC4 test version on a machine with 64M of RAM; this
change will give the same result as adding another 4M of RAM to machines for
the installer (particularly important for machines that run out of RAM before
completing the partitioning process).

http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 1170 bytes
Desc: not available
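The policy-shrinking idea described in the message above, as an added example: this is a Python reconstruction written for this page, not Russell Coker's attached Perl script (which the archive scrubbed) and not part of any Fedora tool. It rewrites `type` declarations in policy.conf syntax into `typealias` rules against one base domain and one base file type. The base type names (kernel_t and file_t), the use of the `domain` and `file_type` attributes to tell domains from file types, and the assumption that all `attribute` declarations precede the `type` declarations (as attrib.te does in the 2005 example policy) are this example's choices, not facts from the message. It goes slightly beyond the text in one respect: each base type takes the union of the attributes of the declarations folded into it, so attribute-based allow rules still grant the surviving type everything the originals had. The sample policy is constructed for the demonstration.

```python
"""Collapse an SE Linux policy source into one domain plus one file type.

Hypothetical reconstruction (not the Perl script attached to the message):
every `type` declaration carrying the `domain` attribute becomes a typealias
of one base domain, every declaration carrying `file_type` becomes a typealias
of one base file type, and each base type takes the union of the collapsed
declarations' attributes.  Assumes 2005-era example-policy conventions: the
`domain` and `file_type` attributes exist, and all `attribute` declarations
precede the `type` declarations (attrib.te comes first in policy.conf).
"""
import re
import sys

# Base type kept per class (chosen here; the message does not name them).
BASE_FOR = {"domain": "kernel_t", "file_type": "file_t"}

# `type name [alias {a b} | alias a] [, attr, attr ...];`  The attribute
# list may span lines, as it often does in policy.conf.
TYPE_DECL = re.compile(
    r"^[ \t]*type[ \t]+(?P<name>\w+)"
    r"(?:[ \t]+alias[ \t]+(?P<alias>\{[^}]*\}|\w+))?"
    r"(?:[ \t]*,(?P<attrs>[^;]*))?[ \t]*;",
    re.MULTILINE,
)


def _idents(field):
    """'a, b' or '{ a b }' -> ['a', 'b']; None -> []."""
    return re.findall(r"\w+", field) if field else []


def _classify(attrs):
    """Which base class a declaration collapses into, or None to keep it."""
    if "domain" in attrs:
        return "domain"
    if "file_type" in attrs:
        return "file_type"
    return None


def collapse_policy(source):
    """Return (rewritten policy text, {'kept': n, 'aliased': n})."""
    # Pass 1: union of attributes per class, so the base type keeps them all.
    merged = {cls: {} for cls in BASE_FOR}
    for m in TYPE_DECL.finditer(source):
        attrs = _idents(m.group("attrs"))
        cls = _classify(attrs)
        if cls:
            for a in attrs:
                merged[cls].setdefault(a, None)

    declared = set()
    stats = {"kept": 0, "aliased": 0}

    # Pass 2: rewrite each declaration in place; a typealias must follow the
    # declaration of its base type, so the base is declared at the first
    # collapsed declaration of its class.
    def rewrite(m):
        name, aliases = m.group("name"), _idents(m.group("alias"))
        cls = _classify(_idents(m.group("attrs")))
        if cls is None:                       # port types, netif types, ...
            stats["kept"] += 1
            return m.group(0)
        base = BASE_FOR[cls]
        out = []
        if cls not in declared:
            declared.add(cls)
            out.append("type %s, %s;" % (base, ", ".join(merged[cls])))
        names = ([name] if name != base else []) + aliases
        if names:
            stats["aliased"] += len(names)
            tgt = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
            out.append("typealias %s alias %s;" % (base, tgt))
        return "\n".join(out) if out else "# %s kept as base type" % base

    return TYPE_DECL.sub(rewrite, source), stats


# Constructed sample in policy.conf syntax (not a real FC4 policy extract).
SAMPLE_POLICY = """\
attribute domain;
attribute file_type;
attribute exec_type;
attribute port_type;
type kernel_t, domain;
type file_t, file_type;
type etc_t, file_type;
type ld_so_cache_t alias ldso_cache_t, file_type;
type ldconfig_exec_t, file_type,
     exec_type;
type ldconfig_t, domain;
type port_t, port_type;
allow ldconfig_t etc_t:dir { read search };
allow ldconfig_t ld_so_cache_t:file { create write };
"""

if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY
    text, stats = collapse_policy(src)
    sys.stdout.write(text)
    sys.stderr.write("kept %(kept)d, aliased %(aliased)d\n" % stats)
```

On the sample this leaves `type kernel_t, domain;` and `type file_t, file_type, exec_type;` as the only real declarations, turns the remaining domain and file types into aliases of those two, and passes `type port_t, port_type;` and the allow rules through untouched; the allow rules still compile because every name they mention is now an alias that resolves to a base type. The output is meant only for the installer environment the message describes, where nothing is being enforced: it removes every separation between domains and between file types, so it must never be loaded on the installed system.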