Some questions relating to selinux
Colin Walters
walters at redhat.com
Mon Apr 12 17:24:39 UTC 2004
On Mon, 2004-04-12 at 13:06, Russell Coker wrote:
> We discussed this at length and came to the conclusion that running a GNOME or
> KDE environment in a privileged role is a bad idea.
The problem is that it's going to happen. E.g. if you log in as a
staff_r, then inside a terminal use 'su' to become root/sysadm_r, and
run a program that uses X.
> Also GNOME and KDE
> create lots of /tmp entries such as /tmp/mcop-user and /tmp/.gconf-user. If
> you login to GNOME or KDE as one role and then login as the same UID with
> another role then one of two things will happen:
>
> 1) role A is not permitted to write to role B's /tmp files and the login will
> fail in ways that might be surprising and difficult to debug.
>
> 2) role A is permitted to write to role B's /tmp files, things will work BUT
> role A can probably use this to take over role B processes. If we permit
> this bi-directionally so that no combination of X login order will result in
> failure then we give role A and role B such access to each other that we
> should just merge them.
There's a third option - write policy such that only for those shared
files, each role can access the other's files. That's what I'm working
on right now with GConf.
> The conclusion is that there is no benefit in giving the user two roles and
> allowing them both to be accessed through a GUI login.
Although we don't have SE-X yet, making most of this moot, I think it's
still a worthwhile goal.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20040412/a694b628/attachment.sig>
More information about the fedora-selinux-list
mailing list