Attention: Proprietary video driver users (ATI, Nvidia, etc.)

Ivan Gyurdiev ivg2 at cornell.edu
Thu Feb 23 10:27:26 UTC 2006


Davide Bolcioni wrote:
>>
>> Could SELinux be used to prevent this and, more generally, disallow
>> replacement of rpm-controlled files even by the root user?
>>
>
> That would be incredibly annoying and is not where we want to go... It 
> would complicate updates and installs and configuration and everything 
> that is normal administration. 

I disagree; I think this would improve the security of the distribution.
I would not recommend making such changes to targeted policy, but it 
seems potentially valuable to strict.

Granting all powers to root is dangerous; we should be moving in the 
opposite direction, from coarse-grained security towards fine-grained 
security, i.e. applications run as sysadm_t which don't need install 
(and relabeling) privileges shouldn't have them.

I see no reason why my accidental execution of a hostile script as 
sysadm_t should have the powers to take over my computer.
I think strict policy has already been changed to run in an 
underprivileged role by default (staff_r) for root logins, so I'm not 
sure if more needs to be done... 



