Security context, how to change?

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Thu Oct 13 06:04:50 UTC 2005


On Thu, 13 Oct 2005 07:42:48 +0200, Tomas Larsson said:
> How do I change the security context automatically?
> I.e. if I am moving one file from one folder, is it possible to automatically
> put the context for the new directory on the file?
> For example, if I move a file from the FTP-upload folder to HTTPD download
> folder.

It may make more sense to create a new context 'user_uploaded_t' or some
such, and give the FTP server the access needed to write it, and the httpd
the needed read access.  That way, it gets "sandboxed" and even if it's
malicious code, nothing else can accidentally read/execute it, so your
system integrity is enhanced.

Depending on your paranoia level, you may or may not want to allow some
way for a process running in some user_t to un-sandbox the file.  It may be
sufficient to allow user_t to read it, as there probably shouldn't be any
automated processes running as user_t - with the implicit "the user is taking
responsibility for this"...
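
One way to express the suggestion above as a loadable policy module, as an added example that is not part of the original post. The domain types `ftpd_t` and `httpd_t`, the attribute `file_type` and the upload path `/var/ftp/upload` are assumptions about the local policy and layout; `user_uploaded_t` is the name proposed in the reply.

```selinux
# user_uploaded.te -- added example, not from the original post.
# Assumes the loaded policy defines ftpd_t, httpd_t and the file_type attribute.
module user_uploaded 1.0;

require {
    type ftpd_t;
    type httpd_t;
    attribute file_type;
    class dir { add_name getattr open read search write };
    class file { append create getattr ioctl lock open read write };
}

# Dedicated type for anything that arrives through FTP upload.
type user_uploaded_t;
typeattribute user_uploaded_t file_type;

# FTP server: may create and write uploads. Files created in a directory
# labelled user_uploaded_t inherit that type, so no type_transition is needed.
allow ftpd_t user_uploaded_t:dir { add_name getattr open read search write };
allow ftpd_t user_uploaded_t:file { append create getattr open write };

# Web server: read-only access to the same files.
allow httpd_t user_uploaded_t:dir { getattr open read search };
allow httpd_t user_uploaded_t:file { getattr ioctl lock open read };

# Deliberately absent: execute, unlink and relabelfrom for either domain,
# so neither daemon can run an upload or move it out of the sandbox type.

# Build, load and label (the path is a hypothetical upload directory):
#   checkmodule -M -m -o user_uploaded.mod user_uploaded.te
#   semodule_package -o user_uploaded.pp -m user_uploaded.mod
#   semodule -i user_uploaded.pp
#   semanage fcontext -a -t user_uploaded_t '/var/ftp/upload(/.*)?'
#   restorecon -Rv /var/ftp/upload
```

A rename within the same filesystem keeps the file's existing label, so an upload stays `user_uploaded_t` wherever it is moved until something with relabel permission changes it.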

More information about the fedora-selinux-list mailing list