[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Attention: Proprietary video driver users (ATI, Nvidia, etc.)

2006/2/23, Ivan Gyurdiev <ivg2 cornell edu>:
> Davide Bolcioni wrote:
> >>
> >> Could SELinux be used to prevent this and, more generally, disallow
> >> replacement of rpm-controlled files even by the root user ?
> >>
> >
> > That would be incredibly annoying and is not where we want to go... It
> > would complicate updates and installs and configuration and everything
> > that is normal administration.
> I disagree, I think this would improve the security of the distribution.
> I would not recommend making such changes to targeted policy, but it
> seems potentially valuable to strict.
> Granting all powers to root is dangerous, we should be moving in the
> opposite direction, from coarse-grained security towards fine-grained
> security. I.E. applications ran as sysadm_t which don't need install
> (and relabeling) privileges shouldn't have them.


> I see no reason why my accidental execution of a hostile script as
> sysadm_t should have the powers to take over my computer.
> I think strict policy has already been changed to run in an
> underprivileged role by default (staff_r) for root logins, so I'm not
> sure if more needs to be done...


Rudolf Kastl

my personal conclusion:

While there should be mechanisms to turn off the "rpm file protection"
it would by default be nice since users stop wrecking their systems
and reporting bogus bugs.

Rudolf Kastl
> --
> fedora-devel-list mailing list
> fedora-devel-list redhat com
> https://www.redhat.com/mailman/listinfo/fedora-devel-list

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]