SE Linux installer changes needed - was Re: /etc/ld.so.cache and FC4T3

Russell Coker russell at coker.com.au
Mon May 16 15:44:41 UTC 2005


On Tuesday 17 May 2005 01:13, Peter Jones <pjones at redhat.com> wrote:
> > initrd.  Sure an initrd can support ext2 with labels, but that's not
> > being done at the moment and such a significant change is unlikely to be
> > made to the installer in a hurry.
>
> Anaconda has been using initramfs for boot media since November.  Are
> you sure you mean initrd?

That was my understanding of it, I thought that initrd=whatever for the boot 
loader made it use initrd.  Could you please give me a URL for the correct 
information?

> Regardless of that, why isn't ld.so.cache's context getting set
> correctly from the data in the glibc package?

The cache file is created by ldconfig.  So it's not an issue of the glibc 
package or RPM.  We could patch ldconfig to specifically request the context 
we desire (using the same mechanism that rpm uses to determine the correct 
file type), but that seems like a waste as such code would only be needed for 
the install.

file_type_auto_trans(ldconfig_t, etc_t, ld_so_cache_t, file)

In normal operation the ldconfig program runs in domain ldconfig_t.  The above 
SE Linux policy specifies that when domain ldconfig_t creates a file in a 
directory of type etc_t the file type should be ld_so_cache_t.

Currently during the install everything runs in kernel_t (including ldconfig) 
so the policy in question does not apply.

The options to solve this are to hack the policy or to run restorecon at the 
end of the install.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
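
The labeling behaviour described in the message above, as an added Python model that is not part of the original message or of any SE Linux code. The file-context patterns, the function names, and the extra kernel_t rule used to stand in for "hack the policy" are assumptions made for illustration.

```python
import re

# (source domain, parent directory type, object class) -> type of the new object.
# This is the single rule quoted in the message.
TYPE_TRANSITIONS = {("ldconfig_t", "etc_t", "file"): "ld_so_cache_t"}

# Constructed file-context entries (pattern, type). Simplified matching:
# the last pattern that fully matches the path wins.
FILE_CONTEXTS = [
    (r"/etc(/.*)?", "etc_t"),
    (r"/etc/ld\.so\.cache", "ld_so_cache_t"),
]


def type_on_create(domain, dir_type, obj_class="file", rules=TYPE_TRANSITIONS):
    """Type given to a new object: the matching transition rule if there
    is one, otherwise the type of the parent directory."""
    return rules.get((domain, dir_type, obj_class), dir_type)


def expected_type(path, contexts=FILE_CONTEXTS):
    """Type the file-context patterns assign to path, or None."""
    result = None
    for pattern, ftype in contexts:
        if re.fullmatch(pattern, path):
            result = ftype
    return result


def relabel(labels, contexts=FILE_CONTEXTS):
    """Model of a restorecon pass: reset each path to its expected type
    and return the (path, old type, new type) changes made."""
    changes = []
    for path, current in sorted(labels.items()):
        wanted = expected_type(path, contexts)
        if wanted is not None and wanted != current:
            labels[path] = wanted
            changes.append((path, current, wanted))
    return changes


def install(domain, rules=TYPE_TRANSITIONS):
    """Labels after ldconfig, running in `domain`, creates the cache in /etc."""
    return {"/etc": "etc_t",
            "/etc/ld.so.cache": type_on_create(domain, "etc_t", rules=rules)}


if __name__ == "__main__":
    labels = install("kernel_t")          # installer case: no rule applies
    print(labels, relabel(labels))        # the relabel pass corrects the type
```
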



