On Saturday 14 May 2005 02:46, Russell Coker <russell@xxxxxxxxxxxx> wrote:
> I am seeing /etc/ld.so.cache getting type etc_t for an initial install of
> FC4T3. Is anyone else seeing this?
>
> At this stage I'm not sure whether I messed up my install process or
> whether it's a more general thing.

I've found the problem. The domain anaconda_t seems to be unused (we should probably just delete anaconda.te).

The installation process runs all initial programs from an initrd (gzip compressed cpio file). cpio has no support for SE Linux labels, so no domain transitions occur and everything runs in kernel_t. Everything that's not in an initrd is in a cramfs file system (which also has no support for SE Linux labelling). This means that created files get the type of the directory - etc_t in the case of /etc/ld.so.cache.

One possible method of dealing with this would be the following:

domain_auto_trans(kernel_t, ldconfig_exec_t, ldconfig_t)

The other option is to run restorecon at the end of the install. Both options are ugly hacks.

Given that we aren't doing anything with SE Linux at the install, the best option is probably to create a policy that defines all file types with a single domain that can have read/write access to them. This will save space in the stage2 files and also precious RAM (currently installing to a machine with 64M of RAM is almost impossible, and 4176K of that problem is the SE Linux policy).

I've attached a little Perl script that will munge a targeted policy. It replaces most type and domain definitions with typealias rules and reduces the policy binary size from 4176K to 60K. That saves 4116K of kernel memory and almost 700K on the cramfs. The saving of 4M of kernel memory will make a huge difference to the install on small machines.
Currently it's almost impossible to install a FC4 test version on a machine with 64M of RAM. This change will give the same result as adding another 4M of RAM to machines for the installer (particularly important for machines that run out of RAM before completing the partitioning process).

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
Attachment: tiny.pl (Description: Perl program)
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-devel-list
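The attached tiny.pl is not reproduced on this page; the following is an added illustration (not Russell's script) of the technique it describes: rewriting every `type` declaration in an old-style policy source into a `typealias` of one domain type and one file type, so that all the allow rules collapse onto two types and the compiled policy shrinks. The sample policy text and the choice of kernel_t and file_t as the surviving types are constructed for the example.

```python
import re

# Matches a 2005-era policy type declaration such as
#   type etc_t, file_type, sysadmfile;
# (the `type X alias Y` form is not handled by this illustration).
TYPE_DECL = re.compile(r"^\s*type\s+(\w+)\s*(?:,\s*([^;]*))?;\s*$")

def collapse_types(policy, domain_target="kernel_t", file_target="file_t"):
    """Return policy text in which every type except the two targets is
    replaced by a typealias: types carrying the `domain` attribute become
    aliases of domain_target, all other types aliases of file_target.
    An alias is held back until its target has been declared, because
    checkpolicy rejects an alias of a type it has not seen yet.
    Note the aliased types lose their attributes, which is only acceptable
    for a throwaway install-time policy as in the mail above."""
    out, declared = [], set()
    pending = {domain_target: [], file_target: []}
    for line in policy.splitlines():
        m = TYPE_DECL.match(line)
        if not m:
            out.append(line)            # attributes, allow rules, etc. pass through
            continue
        name, attrs = m.group(1), m.group(2) or ""
        attrset = {a.strip() for a in attrs.split(",") if a.strip()}
        if name in pending:             # a surviving type: keep it, flush aliases
            out.append(line)
            declared.add(name)
            out.extend(pending.pop(name))
            pending[name] = []
            continue
        target = domain_target if "domain" in attrset else file_target
        alias = f"typealias {target} alias {name};"
        (out if target in declared else pending[target]).append(alias)
    leftover = [a for lst in pending.values() for a in lst]
    if leftover:
        raise ValueError("alias target never declared: " + "; ".join(leftover))
    return "\n".join(out) + "\n"

# Constructed sample: a tiny fragment shaped like the old monolithic policy.
SAMPLE_POLICY = """\
attribute domain;
attribute file_type;
type etc_t, file_type, sysadmfile;
type kernel_t, domain;
type file_t, file_type;
type ldconfig_t, domain;
type ldconfig_exec_t, file_type, exec_type;
allow kernel_t file_t:file { read write };
allow ldconfig_t etc_t:file { create write };
"""
COLLAPSED = collapse_types(SAMPLE_POLICY)

if __name__ == "__main__":
    print(COLLAPSED, end="")
```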