| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 17 Apr 2007 18:26:24 -0400 From: Karl MacMillan <kmacmill@...hat.com> To: Andi Kleen <andi@...stfloor.org> Cc: James Morris <jmorris@...ei.org>, David Safford <safford@...son.ibm.com>, John Johansen <jjohansen@...e.de>, linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org, linux-fsdevel@...r.kernel.org Subject: Re: AppArmor FAQ On Tue, 2007-04-17 at 20:10 +0200, Andi Kleen wrote: > On Tue, Apr 17, 2007 at 01:47:39PM -0400, James Morris wrote: > > Normal applications need zero modification under SELinux. > > > > Some applications which manage security may need to be made SELinux-aware, > > Anything that can touch /etc/resolv.conf? That's potentially a lot of binaries > if you consider anything scripts could do with it. > Certainly not - most things are handled by policy. I don't think that any applications shipped with Fedora are modified to handle resolv.conf. They are either confined and policy takes care of it or, in the case of things like vi, they are generically modified to preserve labels (and that change is partially to accommodate the targeted policy). Any application that preserves DAC mode bits should likely also preserve ACLs and SELinux labels (I guess they should potentially just preserve all xattrs - not certain). > > although this can often be done with PAM plugins, which is a standard way > > to do this kind of thing in modern Unix & Linux OSs. > > PAM plugins in vi and emacs? Scary idea. > Err, no. I don't think that is what James was suggesting. > And what do you do if someone decides to use OpenOffice to edit their > /etc/resolv.conf? For a lot of people that's the only text editor > they know. > Yeah right, I'm certain there are a lot of users (even clueless ones) that use OO for files in /etc. I assume that line wrapping alone would make this impossible and running a huge X application as root is obviously not the best idea. Actually, it seems unlikely that a clueless user would know how to run OO as root. Anyway, general concerns aside, for a targeted system this would likely just work depending on how OO saves files or whether it preserves labels. It would also be possible to create a small policy that defined a domain for OO that would allow editing resolv.conf. If you went that route the policy could set the label correctly. This is actually one of the major advantages of SELinux. You can create multiple domains for the same app that allow different actions depending on the circumstances. Karl - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists