SELinux and third party installers

Stephen Smalley sds at epoch.ncsc.mil
Tue Jan 4 15:40:59 UTC 2005


On Tue, 2005-01-04 at 10:21, Mike Hearn wrote:
> A daemon that fixes contexts as files are added feels rather racy. I'm
> sure I'm missing a lot of context from previous discussions on the matter
> here, but perhaps the kernel should set the context automatically when a
> new file is created in certain directories that are marked as "autofix".
> 
> OK so then we have the problem that the context setting code is all done
> in userspace with regexes and other un-kernely things. Maybe there needs to
> be a framework in the kernel where a thread that does a file creation can
> be suspended and the kernel invokes a user-space program with the file
> path to figure out what the context should be. Once the process returns
> with the answer the file can be atomically created/set and the original
> thread resumes.

To clarify, the file_contexts configuration is only really intended to
initialize the security contexts for a filesystem at install-time.
After that point, you shouldn't be setting file contexts based on
pathnames, as they don't convey the desired information about the real
security properties of the object.  Instead, you want the file to be
labeled based on the creating process domain and parent directory type
(which is what the kernel does), and allow security-aware applications
to further customize the context if necessary for finer-grained labeling
(which is already supported via the libselinux API).  Pathname-based
security considered harmful.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
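The two-stage labeling model described above (file_contexts for install-time initialization, then kernel labeling from the creating domain plus the parent directory type), as an added policy sketch that is not part of the list post; the module name, the domain `myapp_t`, and the type `myapp_log_t` are hypothetical, while `var_log_t`, `policy_module`, `logging_log_file` and `gen_context` are standard reference-policy names.

```te
# ---- myapp.fc : install-time initial labeling ONLY -----------------------
# Consulted by setfiles/restorecon when the filesystem is (re)labeled.
# The kernel never looks at this pathname rule when files are created later.
/var/log/myapp(/.*)?    gen_context(system_u:object_r:myapp_log_t,s0)

# ---- myapp.te : runtime labeling decided by the kernel -------------------
policy_module(myapp, 1.0)

require {
    type var_log_t;     # parent directory type for /var/log (from base policy)
}

type myapp_t;           # hypothetical domain the daemon runs in
type myapp_log_t;       # hypothetical type its log files should receive
logging_log_file(myapp_log_t)

# Kernel-side labeling rule: when a process in myapp_t creates a *file*
# inside a directory labeled var_log_t, the new inode is labeled
# myapp_log_t at creation time. No pathname, no userspace daemon, no race.
type_transition myapp_t var_log_t:file myapp_log_t;

# The transition only applies if the domain is allowed to create the object;
# without these rules the create itself is denied, not mislabeled.
allow myapp_t var_log_t:dir { search write add_name };
allow myapp_t myapp_log_t:file { create open write append getattr };
```

A security-aware program wanting a label finer than the type_transition gives can call the libselinux `setfscreatecon()` function before creating the file, which is the per-process override mentioned above.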