SELinux and third party installers

Mike Hearn mike at navi.cx
Tue Jan 4 17:06:01 UTC 2005


On Tue, 04 Jan 2005 11:25:31 -0500, Stephen Smalley wrote:
> I'm not in favor of the daemon idea.  "install" is akin to "rpm" in the
> sense of installing a file, so it may make sense to initialize its
> security context based on pathname at that time, because we have no real
> runtime knowledge of its security properties and have presumably checked
> its integrity in some manner prior to installation.  

Alright. It seems to me then that files that are not copied in some
SELinux-aware manner from an installer (i.e. new files created in /usr/lib
or whatever) should just be subject to normal UNIX security and SELinux
should not control them. Supporting SELinux would then become a feature of
newer installers, but older software would not break.

I have a feeling you can't selectively opt files out of SELinux like that
though.



