[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1176848784.5946.101.camel@localhost.localdomain>
Date: Tue, 17 Apr 2007 18:26:24 -0400
From: Karl MacMillan <kmacmill@...hat.com>
To: Andi Kleen <andi@...stfloor.org>
Cc: James Morris <jmorris@...ei.org>,
David Safford <safford@...son.ibm.com>,
John Johansen <jjohansen@...e.de>,
linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org,
linux-fsdevel@...r.kernel.org
Subject: Re: AppArmor FAQ
On Tue, 2007-04-17 at 20:10 +0200, Andi Kleen wrote:
> On Tue, Apr 17, 2007 at 01:47:39PM -0400, James Morris wrote:
> > Normal applications need zero modification under SELinux.
> >
> > Some applications which manage security may need to be made SELinux-aware,
>
> Anything that can touch /etc/resolv.conf? That's potentially a lot of binaries
> if you consider anything scripts could do with it.
>
Certainly not - most things are handled by policy. I don't think that
any applications shipped with Fedora are modified to handle resolv.conf.
They are either confined and policy takes care of it or, in the case of
things like vi, they are generically modified to preserve labels (and
that change is partially to accommodate the targeted policy). Any
application that preserves DAC mode bits should likely also preserve
ACLs and SELinux labels (I guess they should potentially just preserve
all xattrs - not certain).
> > although this can often be done with PAM plugins, which is a standard way
> > to do this kind of thing in modern Unix & Linux OSs.
>
> PAM plugins in vi and emacs? Scary idea.
>
Err, no. I don't think that is what James was suggesting.
> And what do you do if someone decides to use OpenOffice to edit their
> /etc/resolv.conf? For a lot of people that's the only text editor
> they know.
>
Yeah right, I'm certain there are a lot of users (even clueless ones)
that use OO for files in /etc. I assume that line wrapping alone would
make this impossible and running a huge X application as root is
obviously not the best idea. Actually, it seems unlikely that a clueless
user would know how to run OO as root.
Anyway, general concerns aside, for a targeted system this would likely
just work depending on how OO saves files or whether it preserves
labels.
It would also be possible to create a small policy that defined a domain
for OO that would allow editing resolv.conf. If you went that route the
policy could set the label correctly. This is actually one of the major
advantages of SELinux. You can create multiple domains for the same app
that allow different actions depending on the circumstances.
Karl
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists