SELinux and third party installers

Jeff Johnson n3npq at nc.rr.com
Tue Jan 4 16:06:41 UTC 2005


Stephen Smalley wrote:

>On Tue, 2005-01-04 at 10:21, Mike Hearn wrote:
>
>>A daemon that fixes contexts as files are added feels rather racy. I'm
>>sure I'm missing a lot of context from previous discussions on the matter
>>here, but perhaps the kernel should set the context automatically when a
>>new file is created in certain directories that are marked as "autofix".
>>
>>OK so then we have the problem that the context setting code is all done
>>in userspace with regexes and other un-kernely things. Maybe there needs to
>>be a framework in the kernel where a thread that does a file creation can
>>be suspended and the kernel invokes a user-space program with the file
>>path to figure out what the context should be. Once the process returns
>>with the answer the file can be atomically created/set and the original
>>thread resumes.
>
>To clarify, the file_contexts configuration is only really intended to
>initialize the security contexts for a filesystem at install-time. 
>After that point, you shouldn't be setting file contexts based on
>pathnames, as they don't convey the desired information about the real
>security properties of the object.  Instead, you want the file to be
>labeled based on the creating process domain and parent directory type
>(which is what the kernel does), and allow security-aware applications
>to further customize the context if necessary for finer-grained labeling
>(which is already supported via the libselinux API).  Pathname-based
>security considered harmful.
>

But inode based automagic labeling is gonna be needed, and the aliasing
problems due to path in order to accomplish same can be handled.

JMHO, policy still congealing.

73 de Jeff
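
The path aliasing problem discussed above, as an added example that is not part of the original message: one inode with two path names falls under two different pathname rules, so a path-based relabel cannot give it a single answer. The entries in SPECS and the file names are constructed, and the matcher is a simplified stand-in for file_contexts matching (anchored regex, last match wins), not libselinux code.

```python
import os
import re
import tempfile

# Constructed entries in the style of file_contexts (path regex -> context).
SPECS = [
    (r"/home/[^/]+(/.*)?", "system_u:object_r:user_home_t"),
    (r"/srv/www(/.*)?", "system_u:object_r:httpd_sys_content_t"),
]

def context_for_path(path):
    """Simplified matcher (assumption): anchored regex, last match wins."""
    label = None
    for pattern, context in SPECS:
        if re.fullmatch(pattern, path):
            label = context
    return label

def labels_by_inode(root):
    """Walk root and collect, per inode, the label each of its names implies."""
    seen = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            logical = "/" + os.path.relpath(full, root)
            key = (st.st_dev, st.st_ino)
            seen.setdefault(key, {})[logical] = context_for_path(logical)
    return seen

def aliased_conflicts(root):
    """Return the inodes whose path names disagree about the label."""
    return {ino: paths for ino, paths in labels_by_inode(root).items()
            if len(set(paths.values())) > 1}

def demo():
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "home/alice"))
        os.makedirs(os.path.join(root, "srv/www"))
        original = os.path.join(root, "home/alice/notes.txt")
        with open(original, "w") as fh:
            fh.write("one file, one inode\n")
        # A second name for the same inode, under a different pathname rule.
        os.link(original, os.path.join(root, "srv/www/notes.txt"))
        return aliased_conflicts(root)

if __name__ == "__main__":
    for inode, paths in demo().items():
        print(inode, paths)
```

A context is stored once per inode, so whichever name a path-based relabel visits last decides the label for both names.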
