SELinux error with yum --installroot
Stephen Smalley
sds at epoch.ncsc.mil
Thu Jan 6 13:13:20 UTC 2005
On Wed, 2005-01-05 at 02:21, Bob Kashani wrote:
> I read the thread and I seem to understand the technical reason behind
> why ldconfig is restricted in the way that it is (the security side of
> the issue). But is seems a little harsh from a usability point of view
> since for example, you can no longer run ldconfig in a chroot in your
> home dir. I like fine grained security but isn't the whole idea behind
> policy-targeted to enable security without restricting usability too
> much? I would understand not allowing ldconfig to execute in /home with
> policy-strict but shouldn't policy-targeted allow you to do this
> regardless of the potential security issues? Do the security concerns in
> this case outweigh the usability issues?
I'm not clear on why ldconfig runs in its own domain at all under
targeted policy (vs. unconfined_t). It used to just run unconfined_t in
older versions of the targeted policy. Is it an attempt to preserve the
type on /etc/ld.so.cache via the file type transition rules?
--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
More information about the fedora-selinux-list
mailing list