AppArmor for Fedora
Alan Cox
alan at lxorguk.ukuu.org.uk
Mon Aug 27 20:55:30 UTC 2007
> It is funny that I read this question when I was going to look at
> AppArmor myself.
>
> I read an article about AppArmor finding that Skype on Linux reads
> /etc/passwd and firefox settings today. Did Selinux stop this from
> happening as well?
>
> http://forum.skype.com/index.php?showtopic=95261
>
> I like SELINUX and will continue using it.
The passwd file isn't considered secret in any way. Its public readable
data. The /etc/shadow file holds passwords and is root only.
You can certainly set skype up not to be allowed anywhere near your
firefox settings (my guess is its looking for an address book to import
or plugin data nothing too sinister).
The problem with stuff like apparmor is you can say things like
"/etc/passwd" is not accessible to program XYZ. But program XYZ can then
do things to access it via another path (eg by renaming a copy of itself
".eric" and adding that to your .profile). SELinux puts labels on actual
objects, not on paths so renaming itself .eric doesn't help, nor does
finding another path to /etc/passwd (eg by running a program to create a
link).
Alan
More information about the users
mailing list