Odd boolean in /etc/selinux/strict/booleans?
Daniel J Walsh
dwalsh at redhat.com
Thu Mar 31 18:03:23 UTC 2005
Ivan Gyurdiev wrote:
>On Thu, 2005-03-31 at 11:09 -0500, Daniel J Walsh wrote:
>
>
>>Ivan Gyurdiev wrote:
>>
>>
>>
>>>>Bad name in the installed file. It used to be disable_games. We might
>>>>want to add a
>>>>boolean back in to prevent users from running games at all. But we
>>>>would need to remove
>>>>exec_type from the attribute.
>>>>
>>>>
>>>>
>>>>
>>>Prevent users from running games? Why do we want to do that?
>>>What's wrong with the current approach to doing this...namely..don't
>>>install any games, and then the users won't be running them.
>>>
>>>
>>>
>>>
>>>
>>I am thinking of the situation where you might want to users in a
>>certain role allowed to play games and others not, on a shared
>>machine. A more interesting example would be to disallow sysadm from
>>running games, mozilla ...
>>
>>Basically a user accidently runs mozilla or a game while newroled to
>>sysadm. Might be nice to have that error out.
>>Ordinarily a transition happens but still It would be nice to prevent this.
>>
>>
>
>I actually see SElinux as suited for the *opposite* phenomenon.
>Particularly, while on a legacy machine running mozilla and company as
>root would not be a very bright idea, on a SElinux-constrained machine
>it shouldn't be so bad (it's confined, how much damage can it do?).
>
>
>
>
>
>
>
Well actually the more I think about this, this is the job of roles.
But the problem here is
not disable-trans as no exec. I think we need to maybe stop marking
certain defined
domains as exec_type. To prevent all users from being able to execute
the application
without a transition.
I think lots of users have had the experience of accidentally running
something as root when
they did not want too. Even in your example I disable-trans for games
and then accidentally
run some game as sysadm, bad things can happen.
Dan
--
More information about the fedora-selinux-list
mailing list