AppArmor for Fedora
Rick Stevens
rstevens at internap.com
Mon Aug 27 22:51:20 UTC 2007
On Mon, 2007-08-27 at 21:55 +0100, Alan Cox wrote:
> > It is funny that I read this question when I was going to look at
> > AppArmor myself.
> >
> > I read an article about AppArmor finding that Skype on Linux reads
> > /etc/passwd and firefox settings today. Did Selinux stop this from
> > happening as well?
> >
> > http://forum.skype.com/index.php?showtopic=95261
> >
> > I like SELINUX and will continue using it.
>
> The passwd file isn't considered secret in any way. Its public readable
> data. The /etc/shadow file holds passwords and is root only.
>
> You can certainly set skype up not to be allowed anywhere near your
> firefox settings (my guess is its looking for an address book to import
> or plugin data nothing too sinister).
>
> The problem with stuff like apparmor is you can say things like
> "/etc/passwd" is not accessible to program XYZ. But program XYZ can then
> do things to access it via another path (eg by renaming a copy of itself
> ".eric" and adding that to your .profile). SELinux puts labels on actual
> objects, not on paths so renaming itself .eric doesn't help, nor does
> finding another path to /etc/passwd (eg by running a program to create a
> link).
Eric? Like my pet fish, Eric? Or my pet parrot, Eric?
"I'd like a fish license, please." (with apologies to John Cleese)
----------------------------------------------------------------------
- Rick Stevens, Principal Engineer rstevens at internap.com -
- CDN Systems, Internap, Inc. http://www.internap.com -
- -
- If Windows isn't a virus, then it sure as hell is a carrier! -
----------------------------------------------------------------------
More information about the fedora-list
mailing list