[DSE-Dev] refpolicy: patch for ldconfig from glibc 2.7
vaclav.ovsik at i.cz
Thu Aug 14 09:32:02 UTC 2008
On Wed, Aug 13, 2008 at 10:45:07PM +1000, Russell Coker wrote:
> On Wednesday 13 August 2008 20:09, Václav Ovsík <vaclav.ovsik at i.cz> wrote:
> > sid:~# fgrep /var/cache/ldconfig /etc/selinux/default/contexts/files/file_contexts
> > /var/cache/ldconfig/aux-cache -- system_u:object_r:ld_so_cache_t:s0
> > sid:~#
> semanage fcontext -l | grep var.cache.ldconfig
> The above command (or something similar) is what you want. It's best to use
> tools such as semanage so that when (not if) the layout of the files changes
> you will still get the results you desire.
Sounds reasonable. Thanks.
> > So running ldconfig emits denials still.
> > Nevertheless, I think we should use the solution from Fedora, now already
> > upstream. Why do a common thing in some special way?
> We can do that, I just have to review it.
> > > Incidentally what is the benefit of having that new type defined in that
> > > patch?
> > ldconfig_cache_t? Different purpose?
> We don't want to have a type for every purpose of file.
> It's a matter of who gets to write to it and who can read it. Having two
> types that produce data that can be publicly read and which can only be
> written by one program makes no sense.
I don't know, the file /var/cache/ldconfig/aux-cache has mode 600 and
its directory has 700.
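The point made above (query the policy with semanage rather than fgrep the compiled file_contexts) comes down to how file_contexts entries are actually matched: each entry is an anchored regular expression, an optional object-type flag (`--` regular file, `-d` directory, and so on) restricts what it applies to, and when several entries match, the last one in the file wins, which is how file_contexts.local overrides the policy's own entries. What follows is an added example, not code from this thread, from refpolicy or from libselinux: a small Python model of that lookup run over a constructed set of entries. The sample entries and the helper names parse_file_contexts, lookup, context_for and fgrep_lines are mine.

```python
"""Model of the file_contexts lookup performed by matchpathcon/semanage.

Added example for this thread; not refpolicy or libselinux code.
SAMPLE_FILE_CONTEXTS is a constructed sample, not any distribution's policy.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in file_contexts format: regex [type-flag] context.
# Backslashes are doubled for Python; the entries read /etc/ld\.so\.cache etc.
SAMPLE_FILE_CONTEXTS = """\
# constructed sample, last matching entry wins
/.*                               system_u:object_r:default_t:s0
/etc(/.*)?                        system_u:object_r:etc_t:s0
/etc/ld\\.so\\.cache          --  system_u:object_r:ld_so_cache_t:s0
/var/cache(/.*)?                  system_u:object_r:var_t:s0
/var/cache/ldconfig(/.*)?         system_u:object_r:ld_so_cache_t:s0
/var/cache/ldconfig/aux-cache --  system_u:object_r:ld_so_cache_t:s0
"""

# Type flags accepted in the middle column of a file_contexts entry.
TYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "chr",
              "-b": "blk", "-s": "sock", "-p": "fifo"}


@dataclass
class Spec:
    pattern: str
    regex: "re.Pattern[str]"
    ftype: Optional[str]   # None: entry applies to every object type
    context: str
    lineno: int


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse file_contexts text into specs, in file order."""
    specs: List[Spec] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            pattern, flag, context = fields
            if flag not in TYPE_FLAGS:
                raise ValueError(f"line {lineno}: unknown type flag {flag!r}")
            ftype: Optional[str] = TYPE_FLAGS[flag]
        elif len(fields) == 2:
            pattern, context = fields
            ftype = None
        else:
            raise ValueError(f"line {lineno}: expected 'regex [type] context'")
        # libselinux anchors each regex at both ends; a bare /var/cache entry
        # does not match /var/cache/ldconfig unless the regex says so.
        specs.append(Spec(pattern, re.compile("^(?:" + pattern + ")$"),
                          ftype, context, lineno))
    return specs


def lookup(specs: List[Spec], path: str, ftype: str = "file") -> Optional[Spec]:
    """Return the winning spec for path, or None if no entry matches.

    Scanned from the end so that the last matching entry wins; entries with
    a type flag are skipped when the object is of a different type.
    """
    for spec in reversed(specs):
        if spec.ftype is not None and spec.ftype != ftype:
            continue
        if spec.regex.match(path):
            return spec
    return None


def context_for(specs: List[Spec], path: str, ftype: str = "file") -> Optional[str]:
    spec = lookup(specs, path, ftype)
    return spec.context if spec is not None else None


def fgrep_lines(text: str, needle: str) -> List[str]:
    """What `fgrep <path> file_contexts` shows: literal substring hits only."""
    return [line for line in text.splitlines() if needle in line]


if __name__ == "__main__":
    specs = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    for p in ("/var/cache/ldconfig/aux-cache", "/var/cache/ldconfig/new-cache",
              "/etc/ld.so.cache", "/etc/ldXsoXcache"):
        hits = len(fgrep_lines(SAMPLE_FILE_CONTEXTS, p))
        print(f"{p:32} -> {context_for(specs, p)}  (fgrep hits: {hits})")
```

Running it shows why the literal fgrep in the thread only worked by luck: `/var/cache/ldconfig/aux-cache` has its own exact entry, so the grep finds it, but a sibling such as `/var/cache/ldconfig/new-cache` is still labeled ld_so_cache_t through the `/var/cache/ldconfig(/.*)?` entry that the grep never sees, and even the exact entry for `/etc/ld.so.cache` is invisible to a grep for that path because the dots are escaped in the regex. The real libselinux backend adds a prefix-stem optimisation and file_contexts.subs path substitutions, and local customisations live in file_contexts.local; `semanage fcontext -l` and `matchpathcon` account for all of that, which is the practical reason to query with them instead of grepping the file.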