[RFC] /var versus /srv
Karl MacMillan
kmacmill at redhat.com
Thu Sep 27 21:11:25 UTC 2007
On Thu, 2007-09-27 at 16:18 -0400, Jesse Keating wrote:
> On Thu, 27 Sep 2007 15:53:38 -0400
> Karl MacMillan <kmacmill at redhat.com> wrote:
>
> > 3) Have rpm set contexts that aren't yet valid. This option was
> > explored and there was even a kernel patch that would allow this. The
> > fear is that it would allow a malicious package to create files with
> > _any_ context that is not yet valid. It makes it difficult or
> > impossible to constrain rpm. You could go back after the policy is
> > installed and check for contexts that are still invalid and fix
> > those. No decision was reached about how to handle the hole and
> > nothing happened. The SELinux upstream developers (well, at least me)
> > are willing to reconsider this proposal.
>
> Wouldn't it be reasonable to lay them down as 'undefined_t' and let the
> post-rpm transactions relabel them?
>
That is possible - though obviously you have to handle things cleanly
for upgrades to that you don't end up with, say, libc labeled as
undefined_t. So you would have to:
1) check every context as you put a file down
2) if it is valid set it
3) otherwise, set to undefined_t (and ideally add file to list)
4) install policy in post
5) relabel (ideally with list kept from before)
Part of the problem, though, is figuring out what the context for a file
should be. I believe that you can record contexts from when the rpm was
built, but how do you handle if the admin has a local labeling rule that
should take effect?
Karl
More information about the fedora-devel-list
mailing list