[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Attention: Proprietary video driver users (ATI, Nvidia, etc.)



Davide Bolcioni wrote:

Could SELinux be used to prevent this and, more generally, disallow
replacement of rpm-controlled files even by the root user ?


That would be incredibly annoying and is not where we want to go... It would complicate updates and installs and configuration and everything that is normal administration.
I disagree, I think this would improve the security of the distribution.
I would not recommend making such changes to targeted policy, but it seems potentially valuable to strict.

Granting all powers to root is dangerous, we should be moving in the opposite direction, from coarse-grained security towards fine-grained security. I.E. applications ran as sysadm_t which don't need install (and relabeling) privileges shouldn't have them.

I see no reason why my accidental execution of a hostile script as sysadm_t should have the powers to take over my computer. I think strict policy has already been changed to run in an underprivileged role by default (staff_r) for root logins, so I'm not sure if more needs to be done...
[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]