Security contexts for the contexts directory?
Daniel J Walsh
dwalsh at redhat.com
Thu May 27 13:54:44 UTC 2004
Stephen Smalley wrote:
>On Thu, 2004-05-27 at 07:54, Daniel J Walsh wrote:
>
>>With the new design of the policy tree, we have moved the "contexts"
>>files into /etc/selinux/*/contexts/
>>
>>These files include default_contexts, file_contexts, default_type,
>>failsafe_contexts ... as well as contexts for individual users like
>>users/root. Currently the security context for these files is etc_t.
>>Should we change them to something else? default_contexts_t? Should
>>file_contexts be marked differently than the others?
>
>I'd suggest a single type (other than etc_t) for default_contexts,
>default_type, failsafe_context, and the other files installed from
>policy/appconfig. file_contexts should likely have a different type to
>allow different access, so perhaps it should have its own directory and
>type. With the old layout and policy, it ends up in policy_config_t,
>but I think we want to distinguish it from the binary policy file as
>well as from the appconfig files.
>

OK, how about default_contexts_t for the contexts directory and users
directory? Create a new directory called files and put file_contexts in
there with a context of file_contexts_t.

>>Also since policy is determined by /etc/sysconfig/selinux, should we set
>>a special security context on it? If we do should we move it to a
>>directory where it would be easier to maintain the security context?
>>Maybe rename it to /etc/selinux/config?
>>
>
>I would prefer having a distinct type on it (and moving it to a
>directory with that type so that we can easily preserve the type), as
>the integrity of that file is critical to SELinux, at least in the
>Fedora Core implementation.
>

Should that have default_contexts_t also? Or something different?