[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: AppArmor for Fedora



On Mon, 2007-08-27 at 21:55 +0100, Alan Cox wrote:
> > It is funny that I read this question when I was going to look at 
> > AppArmor myself.
> > 
> > I read an article about AppArmor finding that Skype on Linux reads 
> > /etc/passwd and firefox settings today.  Did Selinux stop this from 
> > happening as well?
> > 
> > http://forum.skype.com/index.php?showtopic=95261
> > 
> > I like SELINUX and will continue using it.
> 
> The passwd file isn't considered secret in any way. Its public readable
> data. The /etc/shadow file holds passwords and is root only.
> 
> You can certainly set skype up not to be allowed anywhere near your
> firefox settings (my guess is its looking for an address book to import
> or plugin data nothing too sinister).
> 
> The problem with stuff like apparmor is you can say things like
> "/etc/passwd" is not accessible to program XYZ. But program XYZ can then
> do things to access it via another path (eg by renaming a copy of itself
> ".eric" and adding that to your .profile). SELinux puts labels on actual
> objects, not on paths so renaming itself .eric doesn't help, nor does
> finding another path to /etc/passwd (eg by running a program to create a
> link).

Eric?  Like my pet fish, Eric?  Or my pet parrot, Eric?

"I'd like a fish license, please."  (with apologies to John Cleese)

----------------------------------------------------------------------
- Rick Stevens, Principal Engineer             rstevens internap com -
- CDN Systems, Internap, Inc.                http://www.internap.com -
-                                                                    -
-    If Windows isn't a virus, then it sure as hell is a carrier!    -
----------------------------------------------------------------------


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]