On Fri, Feb 24, 2006 at 05:23:05 -0500, "Mike A. Harris" <mharris@xxxxxxxxxx> wrote:
> Davide Bolcioni wrote:
> >Mike A. Harris wrote:
> >
> >>Both ATI and Nvidia's proprietary video driver installation utilities
> >>replace the Red Hat supplied libGL library with their own libGL.
> >
> >
> >Could SELinux be used to prevent this and, more generally, disallow
> >replacement of rpm-controlled files even by the root user ?

Yes it should be possible to do this. However, you need some way to
distinguish updates of those libraries when done normally as opposed to
being done by ATI or Nvidia code.

What you would probably like to do is only let rpm change those files.
However if ATI and Nvidia are supplying rpms, selinux isn't going to be
able to tell the difference. You could also go by what role the person
who runs rpm had. Then it would be up to you to change your role based on
whose rpms you were installing.

Another issue is that files only have one tag for selinux and if you use
a tag that indicates just that it was installed by rpm, that isn't going
to play nice with other selinux policies. You might be able to get away
with restricting how files with a number of different types are updated.
You may cover some files you don't want doing this, but I think you could
get close.

Another approach would be to have rpm not allow rpms to stomp on files
from other rpms if they weren't signed by the same key (perhaps --force
would override that).

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
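As an added illustration of the "only let rpm change those files" idea from the reply above (example policy written for this page, not something posted in the thread or shipped by Fedora): a small reference-policy module that gives the GL libraries a type of their own and grants write access on that type to the rpm domain only. The module and type names (rpm_managed_gl, rpm_managed_lib_t) are hypothetical; rpm_t, lib_t and the domain attribute are the standard refpolicy names, and the /usr/lib paths are an assumption. It also shows the one-label problem the reply mentions: once libGL is no longer lib_t, every permission lib_t implied has to be re-granted by hand.

```selinux
# rpm_managed_gl.te  (added example; names are hypothetical, see lead-in)
policy_module(rpm_managed_gl, 1.0)

require {
    type rpm_t;
    type lib_t;
    attribute domain;
}

# A file carries exactly one type, so these libraries stop being lib_t.
# The type is deliberately NOT declared with files_type(): in the targeted
# policy root's unconfined_t gets blanket access to everything carrying the
# file_type attribute, which would defeat the point of the module.
type rpm_managed_lib_t;

# Every domain may still load the library (add "map" on kernels that have it)
allow domain rpm_managed_lib_t:file     { getattr open read execute };
allow domain rpm_managed_lib_t:lnk_file { getattr read };

# Only the package manager may create, replace or remove it, and only rpm
# may move a file between lib_t and rpm_managed_lib_t when it relabels
# what it installs.
allow rpm_t rpm_managed_lib_t:file     { create write append unlink rename link setattr relabelto relabelfrom };
allow rpm_t rpm_managed_lib_t:lnk_file { create unlink rename relabelto relabelfrom };
allow rpm_t lib_t:file                 { relabelfrom relabelto };
allow rpm_t lib_t:lnk_file             { relabelfrom relabelto };

# Enforced at policy build time: no other domain, including the
# unconfined_t shell a vendor installer runs from, may modify these files.
# Because the reply's caveat is real, this catches legitimate hand edits by
# root too; the admin has to go through rpm (or remove the module).
neverallow { domain -rpm_t } rpm_managed_lib_t:file     { write append create unlink rename setattr relabelto };
neverallow { domain -rpm_t } rpm_managed_lib_t:lnk_file { create unlink rename relabelto };

# rpm_managed_gl.fc  (file contexts; paths are an assumption)
# /usr/lib/libGL\.so.*          gen_context(system_u:object_r:rpm_managed_lib_t,s0)
# /usr/lib/libGLcore\.so.*      gen_context(system_u:object_r:rpm_managed_lib_t,s0)
```

Build and load it with the refpolicy development Makefile (`make -f /usr/share/selinux/devel/Makefile rpm_managed_gl.pp`, then `semodule -i rpm_managed_gl.pp` and `restorecon -v /usr/lib/libGL*`), and expect the denial to show up in the audit log as an AVC against rpm_managed_lib_t when an installer running outside rpm_t tries to write the file. As the reply notes, this does nothing against a vendor driver packaged as an rpm, since it then runs in rpm_t like any other package; that case needs the signing-key check in rpm itself rather than a file label.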