cupsd: minor nit
Russell Coker
russell at coker.com.au
Mon Sep 12 22:26:03 UTC 2005
Thread taken from fedora-selinux-list to fedora-devel-list for a wider
audience. The general concept is that a daemon should never create a
directory under /var/cache (or similar non-specific places on the file
system) at run-time. If /var/cache/$DAEMON is needed then the package of
$DAEMON should provide that directory. This prevents the possible problem of
name conflicts and allows more restrictive SE Linux access control
(preventing a compromised daemon from performing a trivial DOS attack on
other daemons).
On Tuesday 13 September 2005 01:30, Tom London <selinux at gmail.com> wrote:
> OK, so the rubric here is that daemon-like services need to have their
> 'major' directory entries in places like /var created and labeled by their
> package, not created upon startup. This sounds quite reasonable.
Yes, that's my idea.
> So, the normal 'name space' conflicts will likely be detected during
> package install.
One of several benefits of it.
> Do we need to be concerned with possible 'widening' conflicts on such
> directories (e.g., two packages wanting to 'own' the same directory, one
> with a 'wider' label)?
What do you mean "wider"? Do you mean less restrictive permissions? If so
then it certainly would be a problem if two packages desired different
permissions for a single file system object, whether one is a superset of the
other or whether they are disjoint. It is something that we need to be
concerned about, but it will hopefully be rare and we can just fix it when it
occurs.
Detecting and solving such problems is an advantage of my suggestion. When we
have such directories in packages we can easily check for such conflicts. At
the moment I suspect that such daemon behavior is not uncommon and don't know
in what situations it may potentially bite us.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
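
The conflict check described in the last paragraph of the message, as an added example that is not part of the original post. It goes slightly beyond the message by also listing directories under /var/cache that no package provides; the manifest format, package names, modes and the on-disk list are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: "package mode owner group path", one line per packaged
# directory. On an RPM system a listing of this shape can be produced with:
#   rpm -qa --qf '[%{=NAME} %{FILEMODES:perms} %{FILEUSERNAME} %{FILEGROUPNAME} %{FILENAMES}\n]'
# Package names and modes below are made up for illustration.
MANIFEST = """\
cups drwxrwxr-x root lp /var/cache/cups
exampled drwxr-x--- exampled exampled /var/cache/shared
otherd drwxrwxrwx root root /var/cache/shared
man drwxr-xr-x root root /var/cache/man
"""

# Constructed sample of directories actually present on disk.
ON_DISK = ["/var/cache/cups", "/var/cache/man", "/var/cache/shared",
           "/var/cache/runtimed"]


def parse_manifest(text):
    """Map each packaged directory to {package: (mode, owner, group)}."""
    owners = defaultdict(dict)
    for line in text.splitlines():
        fields = line.split(None, 4)
        if len(fields) != 5 or not fields[1].startswith("d"):
            continue  # skip malformed lines and non-directories
        pkg, mode, user, group, path = fields
        owners[path][pkg] = (mode, user, group)
    return owners


def attribute_conflicts(owners):
    """Directories claimed by several packages with differing attributes."""
    return {path: dict(claims) for path, claims in owners.items()
            if len(set(claims.values())) > 1}


def unpackaged(on_disk, owners, prefix="/var/cache/"):
    """Directories directly under prefix that no package provides."""
    return sorted(d for d in on_disk
                  if d.startswith(prefix) and "/" not in d[len(prefix):]
                  and d not in owners)


if __name__ == "__main__":
    owners = parse_manifest(MANIFEST)
    for path, claims in attribute_conflicts(owners).items():
        print("conflict:", path, claims)
    for path in unpackaged(ON_DISK, owners):
        print("not provided by any package:", path)
```
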