On Tuesday 17 May 2005 01:27, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> It is a runtime-created file, and ldconfig is not specifically modified
> to set the security context on it, so it just follows the default
> behavior, i.e. if there is a file type transition rule for the creating
> domain and the parent directory type, then apply the resulting type
> (which is what normally happens when ldconfig is run in the ldconfig_t
> domain); otherwise, inherit the type from the parent directory. In this
> case, it seems that ldconfig is not running in its domain because the
> caller isn't in the expected domain because the calling sequence never
> transitioned out of kernel_t due to the lack of labeling on the
> initramfs. At least that is what I gleaned from Russell's posting.

Yes. However, although the kernel_t domain is used for everything, the programs being run will all be from the chroot environment and thus have the correct types. Therefore ldconfig_exec_t will be used for the ldconfig program and we can do a domain transition on it.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
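The two labeling decisions the exchange turns on (which domain ldconfig ends up in after exec, and what type the file it creates receives) can be modelled as a small rule lookup. The block below is an added example written for this page; it is not code from the thread, from Stephen Smalley or Russell Coker, or from any real SELinux policy. Only kernel_t, ldconfig_t and ldconfig_exec_t are taken from the thread; etc_t, ld_so_cache_t, init_t and the rule set in build_policy() are constructed, refpolicy-style assumptions. An executable type of None stands for a binary run from an unlabeled initramfs.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class TypeTransition:
    """One type_transition rule: source domain, target type, object class, result."""
    source: str
    target: str
    tclass: str
    result: str


@dataclass
class Policy:
    rules: list = field(default_factory=list)

    def lookup(self, source: str, target: str, tclass: str) -> Optional[str]:
        for rule in self.rules:
            if (rule.source, rule.target, rule.tclass) == (source, target, tclass):
                return rule.result
        return None

    def new_file_type(self, creating_domain: str, parent_dir_type: str) -> str:
        # Default labeling for a runtime-created file, as the thread describes it:
        # a matching (creating domain, parent directory type, file) rule supplies
        # the type; otherwise the new file inherits the parent directory's type.
        result = self.lookup(creating_domain, parent_dir_type, "file")
        return result if result is not None else parent_dir_type

    def exec_domain(self, caller_domain: str, exe_type: Optional[str]) -> str:
        # Domain after exec: a matching (caller domain, executable type, process)
        # rule transitions the process; otherwise it stays in the caller's domain.
        # An unlabeled executable (None) never matches, which models a binary run
        # from an unlabeled initramfs: the caller never leaves kernel_t.
        if exe_type is None:
            return caller_domain
        result = self.lookup(caller_domain, exe_type, "process")
        return result if result is not None else caller_domain


def build_policy() -> Policy:
    # Constructed rule set (assumption). etc_t, ld_so_cache_t and init_t are
    # assumed names; kernel_t, ldconfig_t and ldconfig_exec_t come from the thread.
    return Policy([
        TypeTransition("ldconfig_t", "etc_t", "file", "ld_so_cache_t"),
        TypeTransition("kernel_t", "ldconfig_exec_t", "process", "ldconfig_t"),
        TypeTransition("init_t", "ldconfig_exec_t", "process", "ldconfig_t"),
    ])


def label_cache_file(policy: Policy, caller_domain: str,
                     ldconfig_exe_type: Optional[str],
                     parent_dir_type: str = "etc_t") -> tuple:
    """Two-step decision: which domain ldconfig runs in, then what type the
    cache file it writes into parent_dir_type receives."""
    domain = policy.exec_domain(caller_domain, ldconfig_exe_type)
    return domain, policy.new_file_type(domain, parent_dir_type)


if __name__ == "__main__":
    policy = build_policy()
    # Unlabeled initramfs binary: ldconfig stays in kernel_t and the cache file
    # inherits the parent directory type (the mislabel the thread is about).
    print(label_cache_file(policy, "kernel_t", None))
    # Correctly labeled chroot binary: kernel_t transitions to ldconfig_t and the
    # file type transition rule applies, as Russell's reply argues.
    print(label_cache_file(policy, "kernel_t", "ldconfig_exec_t"))
```

Running the block prints the two outcomes side by side: with an unlabeled executable the process stays in kernel_t and the cache file inherits etc_t, while an executable labeled ldconfig_exec_t lets the domain transition fire and the file receives the type named by the file transition rule.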