On Thu, 2004-10-07 at 13:23 -0400, Sean Middleditch wrote: > On Thu, 2004-10-07 at 12:56 -0400, Stephen Smalley wrote: > > On Thu, 2004-10-07 at 12:07, Jeff Spaleta wrote: > > > I think there is a point here too.. but let me rephrase it by asking a > > > question. Is there ever any value in having files in a path NOT be > > > the correct security context for that path? > > > > Yes, there is value in customizing your file contexts beyond the default > > settings. > > The point of the original question (as I interpreted it), is there value > in having mv, rename, and similar operations not update the file's > security context to the correct one of the new path? Yes. As Stephen said, moving a file doesn't change its DAC permissions, so it shouldn't change its MAC label either. > The common operation should have the expected result. So, the question > is, shouldn't the desired behavior of the mv, rename, and similar > operations be to update the context of the file by default? You might as well argue that moving a file into ~/public_html should make it automagically readable by Apache, even if the file mode is 600. > Most people do not complain about MAC due to the fact that it does what > it does. Most complaints on SELinux are because it's far too complex to > get it to do what it does. Complexity is the bane of security. Lack of > education on security is the biggest security problem of them all. > SELinux adds a lot of complexity and increases the amount of education a > user/admin needs to operate a secured system. One certainly needs to learn more, but fundamental advancements like this will always require learning new things. That's just life. > The SELinux configuration syntax makes it vastly too difficult to > configure things for the common case. The format makes it possible to > do just about anything, yes, but when you just know that binary foo only > needs to do X and Y to files A and B, There is a *lot* more than just files that require protection. Processes, file descriptors, ports, sysv shmem, etc. > Simplifying the config syntax could make SELinux far more usable. The > current syntax requires the admin to think in terms of SELinux > mechanics, not in terms of what they want the system to do. You can't > just write "/bin/foo can only perform read operations, and only > on /etc/foo.rc," Having something like that in the policy would add more confusion, because it would be a huge special case. The SELinux policy is simple in that the essentials only deal with types - there is the same conceptual model for files, as well as processes, TCP ports, etc. This would also make it much harder to write a tool like apol which can analyze a security policy to determine information flow - can my web administrator with control over httpd_t access any nurse_t processes or any health_record_t files? > you need to write, "/bin/foo is this > context, /etc/foo.rc is this context, and the traits between these are > this" and so on. Low-level implementation details are directly exposed. It's not "implementation details" - types are fundamental to understanding and using MAC, they cannot be hidden.
Description: This is a digitally signed message part