[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Attention: Proprietary video driver users (ATI, Nvidia, etc.)



2006/2/23, Ivan Gyurdiev <ivg2 cornell edu>:
> Davide Bolcioni wrote:
> >>
> >> Could SELinux be used to prevent this and, more generally, disallow
> >> replacement of rpm-controlled files even by the root user ?
> >>
> >
> > That would be incredibly annoying and is not where we want to go... It
> > would complicate updates and installs and configuration and everything
> > that is normal administration.
> I disagree, I think this would improve the security of the distribution.
> I would not recommend making such changes to targeted policy, but it
> seems potentially valuable to strict.
>
> Granting all powers to root is dangerous, we should be moving in the
> opposite direction, from coarse-grained security towards fine-grained
> security. I.E. applications ran as sysadm_t which don't need install
> (and relabeling) privileges shouldn't have them.

agreed.

>
> I see no reason why my accidental execution of a hostile script as
> sysadm_t should have the powers to take over my computer.
> I think strict policy has already been changed to run in an
> underprivileged role by default (staff_r) for root logins, so I'm not
> sure if more needs to be done...

agreed

regards,
Rudolf Kastl

my personal conclusion:

While there should be mechanisms to turn off the "rpm file protection"
it would by default be nice since users stop wrecking their systems
and reporting bogus bugs.

regards,
Rudolf Kastl
>
> --
> fedora-devel-list mailing list
> fedora-devel-list redhat com
> https://www.redhat.com/mailman/listinfo/fedora-devel-list
>


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]