On Wed, 2005-01-05 at 08:10 -0500, Daniel J Walsh wrote:
> >I read the thread and I seem to understand the technical reason behind
> >why ldconfig is restricted in the way that it is (the security side of
> >the issue). But it seems a little harsh from a usability point of view
> >since, for example, you can no longer run ldconfig in a chroot in your
> >home dir. I like fine-grained security but isn't the whole idea behind
> >policy-targeted to enable security without restricting usability too
> >much? I would understand not allowing ldconfig to execute in /home with
> >policy-strict but shouldn't policy-targeted allow you to do this
> >regardless of the potential security issues? Do the security concerns in
> >this case outweigh the usability issues?
> >
> >Bob
> >
> What AVC messages are you seeing? We can and probably should loosen up
> ldconfig policy for targeted.
>
> Dan

Here is the AVC message I'm getting:

Jan 5 11:56:39 chaucer kernel: audit(1104954999.233:0): avc: denied { search } for pid=4605 exe=/sbin/ldconfig name=g-chroot dev=hdb1 ino=855792 scontext=root:system_r:ldconfig_t tcontext=system_u:object_r:user_home_t tclass=dir

Bob

--
Bob Kashani
http://www.ocf.berkeley.edu/~bobk/garnome
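To make the denial concrete, here is an added example (not code from the list thread or from the SELinux policy tooling) that parses AVC denial lines of the form Bob posted and collapses them into the minimal type-enforcement allow rules that an audit2allow-style tool would propose. It is fed Bob's actual log line plus one constructed follow-on denial, assumed to be what a second run might log once search is granted; the rule it emits (allow ldconfig_t user_home_t:dir search;) is exactly the loosening Dan is talking about, and whether granting it is acceptable is the policy question the thread is debating, not something this script decides.

```python
import re
from collections import OrderedDict
from typing import Dict, List

# Syslog-style AVC denial as posted in the thread (not constructed).
POSTED = ("Jan 5 11:56:39 chaucer kernel: audit(1104954999.233:0): avc: denied "
          "{ search } for pid=4605 exe=/sbin/ldconfig name=g-chroot dev=hdb1 "
          "ino=855792 scontext=root:system_r:ldconfig_t "
          "tcontext=system_u:object_r:user_home_t tclass=dir")

# Constructed sample log: the posted line, a non-AVC line that must be
# skipped, and a hypothetical second denial on the same (source, target,
# class) triple to show how permissions merge into one rule.
SAMPLE_LOG = [
    POSTED,
    "Jan 5 11:56:40 chaucer kernel: eth0: link up",
    ("Jan 5 11:56:41 chaucer kernel: audit(1104955001.102:0): avc: denied "
     "{ read } for pid=4606 exe=/sbin/ldconfig name=lib dev=hdb1 ino=855800 "
     "scontext=root:system_r:ldconfig_t tcontext=system_u:object_r:user_home_t "
     "tclass=dir"),
]

# "avc: denied { perm perm ... } for key=value key=value ..."
_AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
# Values here never contain whitespace; real kernels quote names with spaces,
# which this simple splitter does not handle.
_KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line: str) -> Dict[str, object]:
    """Return the denied permissions and the key=value fields of one AVC record.

    Raises ValueError for lines that are not 'avc: denied' records.
    """
    m = _AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial: %r" % line)
    fields = dict(_KV_RE.findall(m.group("rest")))
    return {"perms": m.group("perms").split(), **fields}


def context_type(ctx: str) -> str:
    """Extract the type from a user:role:type[:range] security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("malformed security context: %r" % ctx)
    return parts[2]


def allow_rules(lines: List[str]) -> List[str]:
    """Collapse denials into minimal TE allow rules, one per
    (source type, target type, object class), merging permission sets
    across records the way audit2allow does. Non-AVC lines are skipped."""
    merged: "OrderedDict[tuple, set]" = OrderedDict()
    for line in lines:
        if "avc:" not in line or "denied" not in line:
            continue
        rec = parse_avc(line)
        key = (context_type(rec["scontext"]),
               context_type(rec["tcontext"]),
               rec["tclass"])
        merged.setdefault(key, set()).update(rec["perms"])

    rules = []
    for (src, tgt, cls), perms in merged.items():
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, p))
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
```

Running it on just the posted line yields "allow ldconfig_t user_home_t:dir search;"; with the constructed second denial the two permissions merge into "allow ldconfig_t user_home_t:dir { read search };". Note that the generated rule grants the permission to every ldconfig_t process against every user_home_t directory, not only to the chroot case Bob describes, which is the usual trade-off when loosening a domain this way.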