Not good

Jeff Johnson n3npq at nc.rr.com
Tue Apr 6 15:23:00 UTC 2004


Daniel J Walsh wrote:

> I don't believe that is what the user was complaining about.   The 
> problem is that when you build any rpm, it tries to read 
> /etc/security/selinux/file_contexts which is marked policy_config_t.  
> Rpm is storing the file_contexts of files in its headers. The current 
> policy-1.9.2-12 allows users to read this, problem is that rpm needs 
> to then check if the security contexts are valid.  So they need 
> can_getsecurity defined.  This has been updated for policy-1.9.2-13  
> (Available on people).   This is being governed by the
> user_canbe_sysadm tunable.  If you turn this off only staff_u would be 
> able to do it.
>
> Normal  users running checkpolicy would still require the 
> can_setenforce and maybe some other privs.


The path to the file context RE's is configurable for rpmbuild as well;
there is no reason whatsoever that the path cannot be changed to
something else if/when the time comes.

In fact, policy for package builds is likely to be different than policy 
for the build system in almost every case.

73 de Jeff




