SE Linux installer changes needed - was Re: /etc/ld.so.cache and FC4T3

Stephen Smalley sds at tycho.nsa.gov
Mon May 16 15:27:49 UTC 2005


On Mon, 2005-05-16 at 11:13 -0400, Peter Jones wrote:
> Anaconda has been using initramfs for boot media since November.  Are
> you sure you mean initrd?
> 
> Regardless of that, why isn't ld.so.cache's context getting set
> correctly from the data in the glibc package?

It is a runtime-created file, and ldconfig is not specifically modified
to set the security context on it, so it just follows the default
behavior, i.e. if there is a file type transition rule for the creating
domain and the parent directory type, then apply the resulting type
(which is what normally happens when ldconfig is run in the ldconfig_t
domain); otherwise, inherit the type from the parent directory.  In this
case, it seems that ldconfig is not running in its domain because the
caller isn't in the expected domain because the calling sequence never
transitioned out of kernel_t due to the lack of labeling on the
initramfs.  At least that is what I gleaned from Russell's posting.

-- 
Stephen Smalley
National Security Agency
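
The labeling behaviour described in the message above, as an added example that is not part of the original post or of any Fedora policy. It is a simplified model that parses constructed `type_transition` rules and walks an exec chain. Only `kernel_t` and `ldconfig_t` come from the message; every other type name, the three-step exec chain and the `unlabeled_t` label on init are assumptions.

```python
import re

# Constructed, simplified rules in SELinux policy syntax (not real Fedora policy).
# Only kernel_t and ldconfig_t appear in the message; other names are assumptions.
POLICY = """
type_transition kernel_t init_exec_t:process init_t;
type_transition init_t caller_exec_t:process caller_t;
type_transition caller_t ldconfig_exec_t:process ldconfig_t;
type_transition ldconfig_t etc_t:file ld_so_cache_t;
"""

RULE = re.compile(r"type_transition\s+(\w+)\s+(\w+):(\w+)\s+(\w+);")

def parse_rules(text):
    """Map (source type, target type, class) -> resulting type."""
    return {(s, t, c): new for s, t, c, new in RULE.findall(text)}

def exec_domain(rules, domain, exec_type):
    """Domain after exec: follow a process transition rule, else stay put."""
    return rules.get((domain, exec_type, "process"), domain)

def new_file_type(rules, domain, parent_dir_type):
    """Type of a created file: the rule's result, else the parent's type."""
    return rules.get((domain, parent_dir_type, "file"), parent_dir_type)

def label_ld_so_cache(rules, exec_labels, etc_dir_type="etc_t"):
    """Walk a hypothetical exec chain from kernel_t, then create a file in /etc."""
    domain = "kernel_t"
    for program in ("init", "caller", "ldconfig"):
        domain = exec_domain(rules, domain, exec_labels[program])
    return domain, new_file_type(rules, domain, etc_dir_type)

RULES = parse_rules(POLICY)

# Labeled root: each binary carries its entrypoint type.
LABELED = {"init": "init_exec_t", "caller": "caller_exec_t",
           "ldconfig": "ldconfig_exec_t"}
# Unlabeled initramfs (assumed label): init has no entrypoint type, so the
# first hop out of kernel_t never happens and no later rule matches.
UNLABELED_INITRAMFS = dict(LABELED, init="unlabeled_t")

if __name__ == "__main__":
    print(label_ld_so_cache(RULES, LABELED))
    print(label_ld_so_cache(RULES, UNLABELED_INITRAMFS))
```

The model covers only `type_transition` lookups and omits the `allow` rules a real domain transition also requires.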



