On Thu, 2004-12-30 at 16:05, Mike Hearn wrote:
I have a couple of questions. The first is that in the FC3 targetted
policy, it appears that ldconfig cannot write to user_home_t directories.
Why is this? It appears to be a restriction with no purpose, and some
programs rely on this to work. In fact I see from the archives that
ldconfig not being able to write or search certain directories has come up
before.
Principle of least privilege; only allow a program to do what it
requires for its legitimate purpose. If it truly requires such access
for legitimate purposes, then you can certainly propose adding those
permissions, but be aware of potential ramifications, e.g. mis-use of
permissions by the caller, corruption of ldconfig via untrustworthy
input, etc.
The second question is what impact SELinux will have on third party
installers. It seems from the nVidia thread that currently if you copy
files onto the system using "cp", this is the wrong way to do it and it
will break peoples SELinux setups. This surely cannot be correct: that'd
break every pretty much every third party installer (eg Loki Setup,
etc) out there!
cp only explicitly sets the security context if you pass one of the
relevant options to it. Otherwise, it just follows the default behavior
of creating the new file based on the domain of the creating process and
the type of the parent directory (which falls back to inheriting the
type on the parent directory in the absence of an explicit rule).
Having cp automatically try to preserve or set context has been
discussed previously, but is often not what you want and may often run
into permissions problems for unprivileged callers.
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency