Author: Rainer Weikusat
Date:  
To: dng
Subject: Re: [DNG] running with separate / and /usr
Antonio Rendina via Dng <dng@???> writes:
> The way I see it is that the packages that live in /bin,/sbin should
> call only libraries at the same very level.
> Having a fake library that allows selinux to not be loaded can become
> a security concern (I didn't give it much thought, but I think you can
> see the risk).
> So, from my point of view, the solutions that I see are:
>
> 1) compile the packages without selinux
> 2) move all the required libraries to "/" hierarchy.
>
> My preference goes to number 2.


So far, this would be libpcre2. Additionally, udev and the kernel module
tools need libcrypto (from OpenSSL).

Complete list of programs in / which need libselinux (on my system):

bin/dir
bin/mknod
bin/vdir
bin/netstat
bin/udevadm
bin/umount
bin/findmnt
bin/tar
bin/mkdir
bin/mv
bin/lsblk
bin/ls
bin/ss
bin/mountpoint
bin/sed
bin/mount
bin/cp
sbin/mkswap
sbin/unix_update
sbin/init
sbin/fstrim
sbin/fsck
sbin/unix_chkpwd
sbin/dmsetup
sbin/partprobe
sbin/swapon
sbin/swapoff
sbin/udevd
sbin/parted
sbin/sulogin
sbin/cfdisk

Ditto for libcrypto:

bin/udevadm
bin/kmod
sbin/dhclient
sbin/udevd

(as determined by
find bin/ sbin/ -type f | while read -r x; do ldd "$x" 2>/dev/null | grep -q libcrypto && echo "$x"; done)

If moving the libraries was considered an acceptable solution, I'm
willing to create bug reports (or whatever else would be suitable) with
patches for the affected packages. I won't be able to work on this
before Sunday, though.
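
Added example, not part of the original message: a generalisation of the one-liner above that reports, for each program under bin/ and sbin/, every shared library that resolves to a path below /usr and is therefore unavailable until /usr is mounted. The function names and the sample ldd output are constructed for illustration; the sample assumes libpcre2 is installed under /usr/lib.

```shell
#!/bin/sh
# Added example: find root-filesystem programs whose libraries live in /usr.
# ldd may run the dynamic loader on the file it inspects, so point this
# only at system binaries you already trust.

# usr_libs: read ldd output on stdin and print each resolved library path
# that lies below /usr, one per line.
usr_libs() {
    awk '$2 == "=>" && $3 ~ /^\/usr\// { print $3 }'
}

# scan_root: walk bin/ and sbin/ below the given root (default: /) and
# print "program<TAB>library" for every dependency that resolves into /usr.
scan_root() {
    root=${1:-}
    root=${root%/}
    find "$root/bin" "$root/sbin" -type f 2>/dev/null |
    while IFS= read -r prog; do
        ldd "$prog" 2>/dev/null | usr_libs |
        while IFS= read -r lib; do
            printf '%s\t%s\n' "$prog" "$lib"
        done
    done
}

# sample_ldd: constructed ldd output for a program linked against
# libselinux, with libpcre2 assumed to be installed under /usr/lib.
sample_ldd() {
    cat <<'EOF'
    linux-vdso.so.1 (0x00007ffc5d5f2000)
    libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007f1c2a400000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c2a200000)
    libpcre2-8.so.0 => /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x00007f1c2a100000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f1c2a500000)
EOF
}
```

Run `scan_root /` on a system with a separate /usr; on a merged-/usr system /bin and /sbin are symlinks and the scan prints nothing.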