Christopher J. PeBenito wrote:
> On Tue, 2007-04-24 at 16:11 +0800, Ken YANG wrote:
>> Daniel J Walsh wrote:
>>> So the real question, is there much value with the division between
>>> lib_t and shlib_t.
>>> When dealing with strict policy, shared libraries were always getting
>>> mislabeled as lib_t, and causing problems, for little security advantage.
>>> As we remove the differences between strict and targeted, I don't intend
>>> to get rid of lib_t == shlib_t.
>>
>> I find most files labeled with "lib_t" are ".a" or symbolic links to
>> ".so"
>>
>> What is the difference between lib_t and shlib_t? What is the purpose of
>> the "lib_t" type?
>
> The difference boils down to being able to mmap shlib_t files as
> executable (which is required for shared libraries to work), whereas
> that is not allowed for lib_t files. That means that only shared
> libraries are shlib_t and symlinks and static libraries (and other
> random files placed in /lib or /usr/lib) are lib_t.

The problem was my fault: I rebooted with strict policy without
relabeling in permissive mode.

In my opinion, the distinction between lib_t and shlib_t in strict
policy should be kept; we cannot regard all libs as the same as shared
libraries. We can avoid these "denial problems" by writing the
corresponding information in the manual. In many situations, switching
from targeted to strict is a "big" change; only certain people will
perform this kind of operation, and I guess these people will also study
the manual before administering an SELinux system.
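
The labeling rule described in this thread, as an added example that is not part of the original messages: a Python check over a constructed listing (mode, SELinux context, path) that reports shared objects labeled lib_t, the mislabeling mentioned above, and non-shared files labeled shlib_t. The three-column input format, the `.so` filename heuristic and all sample paths are assumptions made here.

```python
import re
from typing import List, NamedTuple

# Assumption: a regular file whose name ends in .so or .so.N[.N...] is a shared library.
SHARED_OBJECT = re.compile(r"\.so(\.\d+)*$")

# Constructed sample input: "<mode> <context> <path>", one entry per line.
SAMPLE = """\
-rwxr-xr-x system_u:object_r:shlib_t /lib/libc-2.5.so
lrwxrwxrwx system_u:object_r:lib_t /lib/libc.so.6
-rw-r--r-- system_u:object_r:lib_t /usr/lib/libm.a
-rwxr-xr-x system_u:object_r:lib_t /usr/lib/libexample.so.1.0.0
-rw-r--r-- system_u:object_r:shlib_t /usr/lib/libexample.a
-rw-r--r-- system_u:object_r:lib_t:s0 /usr/lib/example/data.conf
"""

class Finding(NamedTuple):
    path: str
    actual: str
    expected: str

def expected_type(mode: str, path: str) -> str:
    """Rule from the thread: only real shared libraries are shlib_t;
    symlinks, static libraries and other files under the lib dirs are lib_t."""
    is_regular = mode.startswith("-")
    if is_regular and SHARED_OBJECT.search(path):
        return "shlib_t"
    return "lib_t"

def audit(listing: str) -> List[Finding]:
    findings = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) != 3:          # skip malformed lines (paths with spaces unsupported)
            continue
        mode, context, path = fields
        parts = context.split(":")    # user:role:type[:level]
        if len(parts) < 3 or parts[2] not in ("lib_t", "shlib_t"):
            continue                  # only the two library types are audited
        expected = expected_type(mode, path)
        if parts[2] != expected:
            findings.append(Finding(path, parts[2], expected))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.path}: labeled {f.actual}, expected {f.expected}")
```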