SE Linux installer changes needed - was Re: /etc/ld.so.cache and FC4T3

Russell Coker russell at coker.com.au
Sun May 15 15:06:27 UTC 2005


On Saturday 14 May 2005 02:46, Russell Coker <russell at coker.com.au> wrote:
> I am seeing /etc/ld.so.cache getting type etc_t for an initial install of
> FC4T3.  Is anyone else seeing this?
>
> At this stage I'm not sure whether I messed up my install process or
> whether it's a more general thing.

I've found the problem.

The domain anaconda_t seems to be unused (we should probably just delete 
anaconda.te).  The installation process runs all initial programs from an 
initrd (gzip compressed cpio file).  cpio has no support for SE Linux labels 
so no domain transitions occur and everything runs in kernel_t.  Everything 
that's not in an initrd is in a cramfs file system (which also has no support 
for SE Linux labelling).  This means that created files get the type of the 
directory - etc_t in the case of /etc/ld.so.cache.

One possible method of dealing with this would be the following:
domain_auto_trans(kernel_t, ldconfig_exec_t, ldconfig_t)

The other option is to run restorecon at the end of the install.  Both options 
are ugly hacks.

Given that we aren't doing anything with SE Linux at the install, the best 
option is probably to create a policy that defines all file types with a 
single domain that can have read/write access to them. This will save space 
in the stage2 files and also precious RAM (currently installing to a machine 
with 64M of RAM is almost impossible, and 4176K of that problem is the SE 
Linux policy).

I've attached a little Perl script that will munge a targeted policy.  It 
replaces most type and domain definitions with typealias rules and reduces 
the policy binary size from 4176K to 60K.  That saves 4116K of kernel memory 
and almost 700K on the cramfs.  The saving of 4M of kernel memory will make a 
huge difference to the install on small machines.  Currently it's almost 
impossible to install an FC4 test version on a machine with 64M of RAM; this 
change will give the same result as adding another 4M of RAM to machines for 
the installer (particularly important for machines that run out of RAM before 
completing the partitioning process).

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tiny.pl
Type: application/x-perl
Size: 1170 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-devel-list/attachments/20050516/97c6d36d/attachment.pl>
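The attached tiny.pl is not reproduced in the archive. The following is an added illustration (not Russell's script) of the transformation the message describes: every `type` declaration other than a kept base domain and a kept base file type is rewritten as a `typealias` of that base, so the compiled binary carries two real types instead of hundreds while existing `allow` rules still parse. The sample policy text, the base names `kernel_t`/`file_t` and the `domain` attribute check are constructed assumptions; only a single-purpose environment like the installer, where no separation is wanted, should ever load such a policy.

```python
import re

# Constructed sample in checkpolicy's policy.conf syntax; not the real FC4 policy.
SAMPLE_POLICY = """\
attribute domain;
attribute file_type;
type kernel_t, domain;
type ldconfig_t, domain;
type file_t, file_type;
type etc_t, file_type;
type ld_so_cache_t, file_type;
type ldconfig_exec_t, file_type, exec_type;
type unlabeled_t;
allow ldconfig_t etc_t:dir search;
"""

# Matches "type NAME;" or "type NAME, attr1, attr2;". Declarations that carry
# their own "alias" clause are left untouched by design (they don't match).
TYPE_RE = re.compile(r'^type\s+(\w+)(?:\s*,\s*([\w\s,]+?))?\s*;\s*$')


def shrink_policy(text, base_domain="kernel_t", base_file="file_t"):
    """Collapse all type declarations onto two base types via typealias.

    Returns (rewritten_policy, number_of_declarations_replaced). Types
    carrying the 'domain' attribute become aliases of base_domain (the
    installer runs everything in kernel_t anyway); all others become
    aliases of base_file. The two base declarations are kept verbatim so
    the aliases have something to point at.
    """
    out, replaced = [], 0
    for line in text.splitlines():
        m = TYPE_RE.match(line)
        if not m:
            out.append(line)          # attributes, allow rules, etc. pass through
            continue
        name, attr_text = m.group(1), m.group(2)
        attrs = [a.strip() for a in attr_text.split(",")] if attr_text else []
        if name in (base_domain, base_file):
            out.append(line)          # keep the real declarations
            continue
        base = base_domain if "domain" in attrs else base_file
        out.append(f"typealias {base} alias {name};")
        replaced += 1
    return "\n".join(out) + "\n", replaced


if __name__ == "__main__":
    new_policy, n = shrink_policy(SAMPLE_POLICY)
    print(new_policy, f"# {n} type declarations collapsed", sep="")
```

Rules such as `allow ldconfig_t etc_t:dir search;` need no rewriting: after the aliasing they resolve to `kernel_t` and `file_t`, and checkpolicy merges the resulting duplicates.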

