Security contexts for the contexts directory?

Stephen Smalley sds at epoch.ncsc.mil
Thu May 27 14:27:21 UTC 2004


On Thu, 2004-05-27 at 09:54, Daniel J Walsh wrote:
> Ok how about, default_contexts_t for contexts directory and users 
> directory.  Create a new directory called files and put file_contexts in 
> there with a context of file_contexts_t.

The existing default_context_t (no 's') type seems reasonable for the
contexts directory and users subdirectory.  Note however that this will
likely require new allow rules in the policy, as some domains may have
previously had read access to the files under etc_t and will now need
read permission to default_context_t.

> Should that have default_contexts_t also? Or something different?

/etc/selinux/config should have a different type.  We could define a
type for the /etc/selinux directory and simply use that type for the
config file as well to ease maintenance.  That would also make sense
from a control perspective - you are unlikely to be allowed to modify
the /etc/selinux directory (e.g. add new policies under it) unless you
can also modify /etc/selinux/config to set the type.  No other files
under /etc/selinux would normally have that type, as everything else is
a subdirectory and has a separate type assigned.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency



