Re: SELinux and third party installers

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Mike Hearn wrote:

Hi,

I have a couple of questions. The first is that in the FC3 targetted
policy, it appears that ldconfig cannot write to user_home_t directories.
Why is this? It appears to be a restriction with no purpose, and some
programs rely on this to work. In fact I see from the archives that
ldconfig not being able to write or search certain directories has come up
before.

The second question is what impact SELinux will have on third party
installers. It seems from the nVidia thread that currently if you copy
files onto the system using "cp", this is the wrong way to do it and it
will break peoples SELinux setups. This surely cannot be correct: that'd
break every pretty much every third party installer (eg Loki Setup,
etc) out there!



Yes install and rpm are the only options right now. Not sure how dpkg works on debian.
Your other option is to use cp and the run restorecon.

The problem is similar to DAC, in that you have to specify the file context associated with the file, the same
way you need to specify file permission for Descretionary Access Control. In most cases the default behavior is
that the file picks up the protection of the directory that you are copying into. Or the context of the file you are replacying.
The problem is that sometimes file like share libraries need a different file context (shlib_t)
than the directory they are being copied to (lib_t). RPM and now install have the smarts to handle this. mv and cp do not.
And it is arguable that they shouldn't. Imagine using cp/mv to copy a sensitive piece of data. If they changed the context without you knowing
they could allow the sensitive data to be exposed.

If this is the case and this rather questionable decision is not reversed,
is using "install" the correct way to go about things on *every* SELinux
enabled distro, or is that a Fedora custom thing? It's a bit worrying how
much Fedora SELinux seems to differ from upstream, is this something that
will get better with time?


What do you base this on? Fedora is where most of the SELinux development has been going on.

thanks -mike

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list



[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux