On Wed, 2005-01-05 at 08:10 -0500, Daniel J Walsh wrote:
I read the thread and I seem to understand the technical reason behind why ldconfig is restricted in the way that it is (the security side of the issue). But is seems a little harsh from a usability point of view since for example, you can no longer run ldconfig in a chroot in your home dir. I like fine grained security but isn't the whole idea behind policy-targeted to enable security without restricting usability too much? I would understand not allowing ldconfig to execute in /home with policy-strict but shouldn't policy-targeted allow you to do this regardless of the potential security issues? Do the security concerns in this case outweigh the usability issues?
Bob
What AVC messages are you seeing. We can and probably should loosen up ldconfig policy for targeted.
Dan
Here is the AVC message I'm getting:
Jan 5 11:56:39 chaucer kernel: audit(1104954999.233:0): avc: denied { search } for pid=4605 exe=/sbin/ldconfig name=g-chroot dev=hdb1 ino=855792 scontext=root:system_r:ldconfig_t tcontext=system_u:object_r:user_home_t tclass=dir
Bob