SELinux and third party installers

Stephen Smalley sds at epoch.ncsc.mil
Mon Jan 3 16:28:58 UTC 2005


On Thu, 2004-12-30 at 16:05, Mike Hearn wrote:
> I have a couple of questions. The first is that in the FC3 targeted
> policy, it appears that ldconfig cannot write to user_home_t directories.
> Why is this? It appears to be a restriction with no purpose, and some
> programs rely on this to work. In fact I see from the archives that
> ldconfig not being able to write or search certain directories has come up
> before.

Principle of least privilege; only allow a program to do what it
requires for its legitimate purpose.  If it truly requires such access
for legitimate purposes, then you can certainly propose adding those
permissions, but be aware of potential ramifications, e.g. mis-use of
permissions by the caller, corruption of ldconfig via untrustworthy
input, etc.

> The second question is what impact SELinux will have on third party
> installers. It seems from the nVidia thread that currently if you copy
> files onto the system using "cp", this is the wrong way to do it and it
> will break peoples SELinux setups. This surely cannot be correct: that'd
> break pretty much every third party installer (e.g. Loki Setup,
> etc.) out there!

cp only explicitly sets the security context if you pass one of the
relevant options to it.  Otherwise, it just follows the default behavior
of creating the new file based on the domain of the creating process and
the type of the parent directory (which falls back to inheriting the
type on the parent directory in the absence of an explicit rule). 
Having cp automatically try to preserve or set context has been
discussed previously, but is often not what you want and may often run
into permissions problems for unprivileged callers.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
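The labeling behaviour Smalley describes above, as an added example that is not part of the original e-mail or of any SELinux project code. It is a small Python model of how a newly created file gets its type: an explicit type_transition rule for (creating domain, parent directory type, object class) decides, otherwise the file inherits the parent directory's type; on top of that it models the three ways cp can behave (plain copy, `--preserve=context`, an explicitly given context) and a file_contexts-style relabel. The policy rules, file_contexts entries, paths and the type names other than user_home_t are constructed for illustration and are not taken from the FC3 targeted policy; only the type field of a context is modelled, and "last matching file_contexts entry wins" is a simplification of libselinux's matching.

```python
import re

# Constructed toy policy for the example: a few type_transition-style rules,
# keyed by (source domain, type of the parent directory, object class).
# Type names are illustrative; these are not rules copied from any real policy.
TYPE_TRANSITIONS = {
    ("unconfined_t", "tmp_t", "file"): "user_tmp_t",
    ("ldconfig_t", "etc_t", "file"): "ld_so_cache_t",
}

# Constructed file_contexts-style entries (regex, type), in file order.
FILE_CONTEXTS = [
    (r"/usr/lib(/.*)?", "lib_t"),
    (r"/home/[^/]+(/.*)?", "user_home_t"),
    (r"/etc/ld\.so\.cache", "ld_so_cache_t"),
]


def new_file_type(domain, parent_type, obj_class="file", policy=TYPE_TRANSITIONS):
    """Type of a file created by `domain` inside a directory of `parent_type`.

    A matching type_transition rule decides; without one the kernel default
    applies and the new file simply inherits the parent directory's type.
    """
    return policy.get((domain, parent_type, obj_class), parent_type)


def cp_result_type(src_type, dest_dir_type, domain,
                   preserve_context=False, explicit_type=None):
    """Type the copy ends up with, for the three ways cp can be invoked.

    explicit_type    -> cp --context=... : the caller sets the context itself
    preserve_context -> cp --preserve=context : keep the source file's type
    neither          -> plain cp : ordinary file creation, see new_file_type()
    (option names assumed to match SELinux-aware coreutils cp)
    """
    if explicit_type is not None:
        return explicit_type
    if preserve_context:
        return src_type
    return new_file_type(domain, dest_dir_type)


def restorecon_type(path, file_contexts=FILE_CONTEXTS):
    """Type a relabel would assign: the last file_contexts entry whose regex
    matches the whole path wins (a simplification of libselinux matching)."""
    result = None
    for pattern, ftype in file_contexts:
        if re.fullmatch(pattern, path):
            result = ftype
    return result


def installer_scenario():
    """A third-party installer running as unconfined_t copies a library from
    the user's home directory (user_home_t) into /usr/lib (lib_t).

    Plain cp gives the copy the directory's type; --preserve=context drags
    user_home_t into /usr/lib and a relabel is needed to repair it.
    """
    src_type, dest_dir_type, domain = "user_home_t", "lib_t", "unconfined_t"
    dest = "/usr/lib/libexample.so"  # constructed path
    plain = cp_result_type(src_type, dest_dir_type, domain)
    preserved = cp_result_type(src_type, dest_dir_type, domain,
                               preserve_context=True)
    relabeled = restorecon_type(dest)
    return {
        "plain_cp": plain,
        "preserve_context": preserved,
        "after_restorecon": relabeled,
        "preserve_needs_relabel": preserved != relabeled,
    }


if __name__ == "__main__":
    for key, value in installer_scenario().items():
        print(f"{key}: {value}")
```

The point to take from running it is the one made in the reply: an installer that just runs `cp` into /usr/lib gets a correctly typed file for free, because the default creation rule labels it from the destination directory, whereas blindly preserving the source context is what produces mislabeled files and a need for `restorecon`.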
