Stephen Smalley wrote:
On Wed, 2005-01-05 at 02:21, Bob Kashani wrote:
>I read the thread and I seem to understand the technical reason behind
>why ldconfig is restricted in the way that it is (the security side of
>the issue). But is seems a little harsh from a usability point of view
>since for example, you can no longer run ldconfig in a chroot in your
>home dir. I like fine grained security but isn't the whole idea behind
>policy-targeted to enable security without restricting usability too
>much? I would understand not allowing ldconfig to execute in /home with
>policy-strict but shouldn't policy-targeted allow you to do this
>regardless of the potential security issues? Do the security concerns in
>this case outweigh the usability issues?
>
>
I'm not clear on why ldconfig runs in its own domain at all under
targeted policy (vs. unconfined_t). It used to just run unconfined_t in
older versions of the targeted policy. Is it an attempt to preserve the
type on /etc/ld.so.cache via the file type transition rules?
Yes.