Re: SELinux and third party installers


 



Mike Hearn wrote:

On Thu, 30 Dec 2004 22:52:02 -0500, Daniel J Walsh wrote:


The problem is that sometimes files like shared libraries need a different file context (shlib_t)
than the directory they are being copied to (lib_t). RPM and now install have the smarts to handle this. mv and cp do not.



I see. What happens if you create a file in a lib_t directory using the standard POSIX APIs? I looked at the Loki setup sources and it doesn't use "cp" directly of course, it just opens files and copies them using a read/write loop.

What happens if a library is put in a directory that isn't lib_t, and the
DSO is not marked as shlib_t? Does the linker refuse to link it? Or is it
just that ldconfig cannot read them?

The file will receive the context of the parent directory. Linker is probably running in
unconfined_t so it will not have any problem.


I have a game here where it uses libraries marked as file_t, and it seems
to work when using LD_LIBRARY_PATH which makes me happier :)

Most third party programs do not rely on the linker cache anyway, so I
suppose this is a good thing.





You should not have anything marked file_t unless they were created on a machine that was not running
SELinux. This indicates that you need a relabel.


What do you base this on? Fedora is where most of the SELinux development has been going on.



Yes, I mean it's hard to find out how Fedora differs from Debian or Gentoo
SELinux-wise. If I use "install" does this only work on Fedora? Or is this
something that will eventually be merged into other distributions too.


Hopefully. Good ideas usually get picked up by other distributions; of course, they might not
think this is a good idea. :^)
Of course you could say that generally about differences between distributions.


What about the pam_selinux module, is that used elsewhere or on other
distros must I remember to use the SELinux su equivalent as well? (I
forgot its name ...)



I believe pam_selinux is being used elsewhere.

thanks -mike

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
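
The labelling behaviour discussed in this message, as an added example that is not part of the original thread: a file created with plain open()/write() inherits its parent directory's type, so an installer can compare that inherited type against what the file-context rules expect and list the files that need relabelling. The rule entries, directory labels and paths are constructed for illustration, and "last matching entry wins" is a simplifying assumption of this sketch, not a statement of how the real policy matcher orders rules.

```python
import re

# Constructed path-regex -> type entries in the spirit of an SELinux
# file_contexts file. Illustrative only; not copied from any real policy.
FILE_CONTEXTS = [
    (r"/usr/lib(/.*)?", "lib_t"),
    (r"/usr/lib/.*\.so(\.[^/]*)*", "shlib_t"),
]

# Constructed directory labels on a correctly labelled system.
DIR_LABELS = {"/usr/lib": "lib_t", "/usr/lib/game": "lib_t"}


def policy_type(path):
    """Type the entries assign to path (assumption: last matching entry wins)."""
    result = None
    for pattern, setype in FILE_CONTEXTS:
        if re.fullmatch(pattern, path):
            result = setype
    return result


def inherited_type(path):
    """Type a file gets when written with a read/write loop: its parent's type."""
    parent = path.rsplit("/", 1)[0]
    return DIR_LABELS.get(parent)


def needs_relabel(paths):
    """Map each mislabelled path to (inherited type, type the rules expect)."""
    mismatches = {}
    for path in paths:
        got, want = inherited_type(path), policy_type(path)
        if want is not None and got != want:
            mismatches[path] = (got, want)
    return mismatches


if __name__ == "__main__":
    # Constructed list of files a third-party installer just copied.
    installed = ["/usr/lib/game/libfoo.so.1", "/usr/lib/game/data.pak"]
    for path, (got, want) in needs_relabel(installed).items():
        print(f"{path}: inherited {got}, rules expect {want}")
```
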



