cupsd: minor nit
selinux at gmail.com
Tue Sep 13 14:36:42 UTC 2005
On 9/12/05, Russell Coker <russell at coker.com.au> wrote:
> Thread taken from fedora-selinux-list to fedora-devel-list for a wider
> audience. The general concept is that a daemon should never create a
> directory under /var/cache (or similar non-specific places on the file
> system) at run-time. If /var/cache/$DAEMON is needed then the package of
> $DAEMON should provide that directory. This prevents the possible problem of
> name conflicts and allows more restrictive SE Linux access control
> (preventing a compromised daemon from performing a trivial DOS attack on
> other daemons).
> On Tuesday 13 September 2005 01:30, Tom London <selinux at gmail.com> wrote:
> > OK, so the rubric here is that daemon-like services need to have their
> > 'major' directory entries in places like /var created and labeled by their
> > package, not created upon startup. This sounds quite reasonable.
> Yes, that's my idea.
> > So, the normal 'name space' conflicts will likely be detected during
> > package install.
> One of several benefits of it.
> > Do we need to be concerned with possible 'widening' conflicts on such
> > directories (e.g., two packages wanting to 'own' the same directory, one
> > with a 'wider' label)?
> What do you mean "wider"? Do you mean less restrictive permissions? If so
> then it certainly would be a problem if two packages desired different
> permissions for a single file system object, whether one is a superset of the
> other or whether they are disjoint. It is something that we need to be
> concerned about, but it will hopefully be rare and we can just fix it when it
> Detecting and solving such problems is an advantage of my suggestion. When we
> have such directories in packages we can easily check for such conflicts. At
> the moment I suspect that such daemon behavior is not uncommon and don't know
> in what situations it may potentially bite us.
What I'm concerned about are situations (like, e.g., /usr/lib/mozilla)
where two packages (e.g., mozplugger and firefox, on my machine) seem
to 'provide' the same directory (at least as reported by 'rpm -qif
In such a case, if 'the first to install' package created the
directory with a less restrictive context (or some such), would we
have a chance for a problem?
Do we need some way to coordinate/check this?
More information about the fedora-selinux-list