Attention: Proprietary video driver users (ATI, Nvidia, etc.)

Bruno Wolff III bruno at wolff.to
Fri Feb 24 15:08:27 UTC 2006


On Fri, Feb 24, 2006 at 05:23:05 -0500,
  "Mike A. Harris" <mharris at mharris.ca> wrote:
> Davide Bolcioni wrote:
> >Mike A. Harris wrote:
> >
> >>Both ATI and Nvidia's proprietary video driver installation utilities
> >>replace the Red Hat supplied libGL library with their own libGL.
> >
> >
> >Could SELinux be used to prevent this and, more generally, disallow
> >replacement of rpm-controlled files even by the root user?

Yes, it should be possible to do this. However, you need some way to distinguish
updates of those libraries when done normally as opposed to being done by
ATI or Nvidia code. What you would probably like to do is only let rpm
change those files. However if ATI and Nvidia are supplying rpms, selinux
isn't going to be able to tell the difference.

You could also go by what role the person who runs rpm had. Then it would be
up to you to change your role based on whose rpms you were installing.

Another issue is that files only have one tag for selinux and if you use
a tag that indicates just that it was installed by rpm, that isn't going to
play nice with other selinux policies. You might be able to get away with
restricting how files with a number of different types are updated. You
may cover some files you don't want doing this, but I think you could get
close.

Another approach would be to have rpm not allow rpms to stomp on files
from other rpms if they weren't signed by the same key (perhaps --force
would override that).
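The complementary, after-the-fact check for the situation the thread describes (an rpm-owned library such as libGL replaced by a proprietary installer) is to parse `rpm -V` output and flag non-config files whose content changed. This is an added example, not code from the thread or from rpm; the `rpm -V` column layout and the sample lines below are assumptions (constructed to match the documented verify format).

```python
"""Detect rpm-owned files that were modified or removed outside rpm (e.g. a
libGL overwritten by a proprietary driver installer) from `rpm -V` output."""
import re
import subprocess
from dataclasses import dataclass

# One `rpm -V` line: attribute flags (8 or 9 columns, '?' when a test could not
# run) or the word "missing", an optional file-type letter, then the path.
LINE_RE = re.compile(
    r'^(?P<flags>missing|[SM5DLUGTP?.]{8,9})\s+'
    r'(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S.*)$')
FLAG_NAMES = {'S': 'size', 'M': 'mode', '5': 'digest', 'D': 'device',
              'L': 'symlink', 'U': 'owner', 'G': 'group', 'T': 'mtime',
              'P': 'capabilities'}

# Constructed sample output (assumption): a replaced library, an edited config
# file (expected to differ), and a symlink that the installer deleted.
SAMPLE = """\
S.5....T.    /usr/lib/libGL.so.1.2
S.5....T.  c /etc/X11/xorg.conf
missing     /usr/lib/libGL.so.1
"""

@dataclass
class Finding:
    path: str
    changes: tuple   # e.g. ('size', 'digest', 'mtime') or ('missing',)
    config: bool     # config files legitimately change; report them separately

def parse_verify_output(text):
    """Turn raw `rpm -V` lines into Finding records; unparseable lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        flags = m.group('flags')
        changes = ('missing',) if flags == 'missing' else tuple(
            FLAG_NAMES[c] for c in flags if c in FLAG_NAMES)
        findings.append(Finding(m.group('path'), changes, m.group('ftype') == 'c'))
    return findings

def replaced_libraries(findings):
    """Non-config files whose content changed or that vanished: the libGL case."""
    return [f for f in findings
            if not f.config and ('digest' in f.changes or 'missing' in f.changes)]

def verify_package(name):
    """Run `rpm -V` for a real package (assumes rpm is installed on this host)."""
    proc = subprocess.run(['rpm', '-V', name], capture_output=True, text=True)
    return parse_verify_output(proc.stdout)
```

Running `replaced_libraries(verify_package('mesa-libGL'))` after a driver install lists exactly the rpm-owned libraries the installer stomped on, which is the condition the SELinux or rpm-side restrictions above would prevent.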
