SE Linux installer changes needed - was Re: /etc/ and FC4T3

Russell Coker russell at
Mon May 16 15:46:37 UTC 2005

On Tuesday 17 May 2005 01:27, Stephen Smalley <sds at> wrote:
> It is a runtime-created file, and ldconfig is not specifically modified
> to set the security context on it, so it just follows the default
> behavior, i.e. if there is a file type transition rule for the creating
> domain and the parent directory type, then apply the resulting type
> (which is what normally happens when ldconfig is run in the ldconfig_t
> domain); otherwise, inherit the type from the parent directory.  In this
> case, it seems that ldconfig is not running in its domain because the
> caller isn't in the expected domain because the calling sequence never
> transitioned out of kernel_t due to the lack of labeling on the
> initramfs.  At least that is what I gleaned from Russell's posting.

Yes.  However although the kernel_t domain is used for everything the programs 
being run will all be from the chroot environment and thus have the correct 
types.  Therefore ldconfig_exec_t will be used for the ldconfig program and 
we can do a domain transition on it.

--   My NSA Security Enhanced Linux packages  Bonnie++ hard drive benchmark    Postal SMTP/POP benchmark  My home page

More information about the selinux mailing list