Desktop apps interoperability

Stephen Smalley sds at
Mon Mar 28 15:12:30 UTC 2005

On Mon, 2005-03-28 at 10:05 -0500, Ivan Gyurdiev wrote:
> .. so what you're saying is that nautilus (running as user_t, which has
> read access to the file in question, as well as appropriate relabel
> access), should determine its mime type, or use the DND target app, and
> associate a context with that, which the mime handler can play, then
> relabel file to that context (can't copy - what if it's huge?).... and
> do this for every mime handler I attempt to open it with?

Seems fairly pointless to perform such a relabeling if the context
determination is based entirely on untrusted input from the same source
as the data itself and the user isn't involved to any greater degree
than selecting the file in the first place.  If you are going to run it
through a filtering pipeline (e.g. malicious code checker), then it
makes more sense to set up a relabeling or data copying pipeline using
TE to ensure that each filter stage is unbypassable and tamperproof
(i.e. an assured pipeline in TE parlance).  Note however that relabeling
in place is not necessarily safe, as Linux does not yet fully support
revocation of access.

Stephen Smalley <sds at>
National Security Agency

More information about the fedora-selinux-list mailing list