[DSE-Dev] refpolicy: patch for ldconfig from glibc 2.7

Václav Ovsík vaclav.ovsik at i.cz
Thu Aug 14 09:32:02 UTC 2008


On Wed, Aug 13, 2008 at 10:45:07PM +1000, Russell Coker wrote:
> On Wednesday 13 August 2008 20:09, Václav Ovsík <vaclav.ovsik at i.cz> wrote:
> > sid:~# fgrep /var/cache/ldconfig /etc/selinux/default/contexts/files/file_contexts
> > /var/cache/ldconfig/aux-cache   -- system_u:object_r:ld_so_cache_t:s0
> > sid:~#
> 
> semanage fcontext -l | grep var.cache.ldconfig
> 
> The above command (or something similar) is what you want.  It's best to use 
> tools such as semanage so that when (not if) the layout of the files changes 
> you will still get the results you desire.

Sounds reasonable. Thanks.

> > So running ldconfig emits denials still.
> >
> > Nevertheless, I think we should use the solution from Fedora now
> > already upstream. Why do a common thing in some special way?
> 
> We can do that, I just have to review it.

Ok.

> > > Incidentally what is the benefit of having that new type defined in that
> > > patch?
> >
> > ldconfig_cache_t? Different purpose?
> 
> We don't want to have a type for every purpose of file.
> 
> It's a matter of who gets to write to it and who can read it.  Having two 
> types that produce data that can be publicly read and which can only be 
> written by one program makes no sense.

I don't know, the file /var/cache/ldconfig/aux-cache has mode 600 and
its directory has 700.

-- 
Zito
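The thread above turns on which file_contexts entry governs a path, and on why grepping the file for a literal path is fragile compared with asking the tooling. As an added illustration (not code from this thread, from refpolicy or from libselinux), the Python below parses a constructed file_contexts snippet, whose aux-cache line is the one quoted above and whose other lines are invented for the example, and resolves a path the way the documented rule describes: each entry is an implicitly anchored regular expression with an optional file-type column (`--` regular file, `-d` directory, `-l` symlink, and so on), and the last matching entry takes precedence, which is why refpolicy lists generic patterns before specific ones. It is a simplified model of selabel_lookup(3), not a replacement for `semanage fcontext -l` or `matchpathcon`, and `matching_entries` shows how many regex entries cover a path that a substring grep would never find.

```python
import re

# Constructed sample in refpolicy's file_contexts format (not the real file):
#   pathname_regexp  [file_type]  security_context
# The aux-cache line is the one quoted in the thread; the others are invented
# so that generic and specific patterns overlap.
SAMPLE_FILE_CONTEXTS = r"""
# comment lines start with '#'
/.*                                  system_u:object_r:default_t:s0
/var(/.*)?                           system_u:object_r:var_t:s0
/proc(/.*)?                          <<none>>
/etc/ld\.so\.cache              --   system_u:object_r:ld_so_cache_t:s0
/var/cache/ldconfig(/.*)?            system_u:object_r:ld_so_cache_t:s0
/var/cache/ldconfig/aux-cache   --   system_u:object_r:ld_so_cache_t:s0
"""

# file-type letters accepted in the optional middle column
FILE_TYPES = {"--", "-b", "-c", "-d", "-p", "-l", "-s"}


def parse_file_contexts(text):
    """Parse file_contexts text into (compiled_regex, file_type, context) tuples.

    file_type is None when the entry applies to every object class.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            pattern, ftype, context = fields
            if ftype not in FILE_TYPES:
                raise ValueError(f"bad file type {ftype!r} in line: {raw}")
        elif len(fields) == 2:
            pattern, context = fields
            ftype = None
        else:
            raise ValueError(f"malformed file_contexts line: {raw}")
        # libselinux anchors every pattern at both ends (implicit ^ and $)
        entries.append((re.compile("^" + pattern + "$"), ftype, context))
    return entries


def matching_entries(entries, path, ftype="--"):
    """Every entry whose regex matches path and whose type column (if any)
    matches ftype, in file order."""
    return [
        (rx, t, ctx)
        for rx, t, ctx in entries
        if rx.match(path) and (t is None or t == ftype)
    ]


def lookup(entries, path, ftype="--"):
    """Resolve the context for path: the last matching entry wins.

    Returns None when no entry matches or the winner is <<none>> (unlabeled).
    """
    matches = matching_entries(entries, path, ftype)
    if not matches:
        return None
    context = matches[-1][2]
    return None if context == "<<none>>" else context


ENTRIES = parse_file_contexts(SAMPLE_FILE_CONTEXTS)

if __name__ == "__main__":
    for path, ftype in [
        ("/var/cache/ldconfig/aux-cache", "--"),
        ("/var/cache/ldconfig", "-d"),
        ("/var/cache/apt", "-d"),
        ("/etc/ld.so.cache", "--"),
        ("/etc/ld.so.cache", "-l"),   # type column excludes the symlink
        ("/proc/1/status", "--"),     # <<none>> leaves it unlabeled
    ]:
        covered = len(matching_entries(ENTRIES, path, ftype))
        print(f"{path:32} {ftype}  {lookup(ENTRIES, path, ftype)}  ({covered} entries match)")
```

Note that `/var/cache/ldconfig` as a directory is labelled by the `(/.*)?` pattern even though the `--` entry for aux-cache is skipped for it, and that a `-l` lookup of `/etc/ld.so.cache` falls back to the catch-all `/.*`: the file-type column is part of the match, not just a comment.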
