SELinux blocking Gizmo on FC5
Paul Howarth
paul at city-fan.org
Mon Apr 3 13:06:13 UTC 2006
Michael Wiktowy wrote:
> On 4/2/06, Craig White <craigwhite at azapple.com> wrote:
>> On Sun, 2006-04-02 at 09:31 +0200, A.J. Bonnema wrote:
>>> Michael Wiktowy wrote:
>>>> I just fixed my problem with
>>>> chcon -t texrel_shlib_t /usr/lib/libsipphoneapi.so.0.78.20060211
>>>> I am not exactly sure what that does though.
>>> Craig,
>>>
>>> I wonder how many people do these statements without understanding the
>>> implications? How secure would that be?
>> ----
>> I see your point and agree with it except that you can consider...
>>
>> the target is /usr/lib/libsippphoneapi.so...
>>
>> so the adjustment is made to one specific file for one specific purpose
>> and the whole of selinux remains intact beyond that. That is
>> significant.
>
>
> All this conversation is starting to make me feel a little bit like a
> lab-rat ;]
>
> Beyond all the philosophical design considerations and discoverability
> issues, did I do "The Right Thing" here? Also, could someone explain what
> the textrel_shlib_t context implies over the original lib_t or point me
> somewhere that does so clearly?
A reasonable starting point is the "Additional Security Access Checks"
section here:
http://fedoraproject.org/wiki/SELinux/FC5Features
The link to Ulrich Drepper's article there explains the technicalities.
Paul.
More information about the fedora-list
mailing list