On Mon, 2005-03-28 at 10:05 -0500, Ivan Gyurdiev wrote:
.. so what you're saying is that nautilus (running as user_t,
which has
read access to the file in question, as well as appropriate relabel
access), should determine its mime type, or use the DND target app, and
associate a context with that, which the mime handler can play, then
relabel file to that context (can't copy - what if it's huge?).... and
do this for every mime handler I attempt to open it with?
Seems fairly pointless to perform such a relabeling if the context
determination is based entirely on untrusted input from the same source
as the data itself and the user isn't involved to any greater degree
than selecting the file in the first place. If you are going to run it
through a filtering pipeline (e.g. malicious code checker), then it
makes more sense to set up a relabeling or data copying pipeline using
TE to ensure that each filter stage is unbypassable and tamperproof
(i.e. an assured pipeline in TE parlance). Note however that relabeling
in place is not necessarily safe, as Linux does not yet fully support
revocation of access.
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency