From: Ivan Gyurdiev <ivg2@cornell.edu>
To: russell@coker.com.au
Cc: Daniel J Walsh <dwalsh@redhat.com>, SELinux <SELinux@tycho.nsa.gov>
Subject: Re: [Fwd: Latest Diff]
Date: Thu, 05 May 2005 21:58:03 -0400 [thread overview]
Message-ID: <1115344683.15149.11.camel@localhost.localdomain> (raw)
In-Reply-To: <200505061134.27455.russell@coker.com.au>
> > Is it better to create orbit-$USER in a startup script, or
> > to include selinux support in libORBit2 in order to
> > properly set the context of /tmp/orbit-$USER to ROLE_orbit_tmp_t
> > when it's created?
>
> What does orbit do exactly? What needs to access it?
ORBit is an implementation of CORBA - it has to do with
inter-process communication. All GNOME programs use
it to talk to each other. For example, mozilla (with gnome support)
uses it to talk to GConf and the gnome vfs daemon
(and other things that I haven't figured out yet, which
need to be constrained).
Apps create sockets in /tmp/orbit-$USER, and read/write to other apps'
sockets to talk to them.
The current orbit rules in mozilla/gift are a mess, because they allow
interaction w/ ROLE_tmp_t, which seems to me like a bad idea.
I have a better suggestion (I think), included as part of my patch here:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=155800
It's the patch you were looking at earlier, but I've added a lot more
stuff, and fixed bugs. It can't be merged at this point, but parts of
it probably can..
...but orbit-$USER needs to be labeled properly, and it can be created
by anything that interfaces w/ libORBit-2, I think...which means
that either it has to be created by a startup script, or
the library should be modified to use matchpathcon()
when it creates the folder. I don't know which.
I also thought perhaps there should be a skeleton for /tmp
(https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=156452)
but I'm now starting to think that may be a bad idea, and I should
close the bug.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
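The library-side option discussed above (have the code that creates /tmp/orbit-$USER ask matchpathcon() for the label the policy wants, instead of leaving it to a startup script), worked through as an added example. This is not ORBit2 code and not from the original thread; create_orbit_dir(), check_orbit_dir() and demo_scenarios() are hypothetical names. The matchpathcon()/setfscreatecon()/freecon() calls are the libselinux API of that era and are compiled in only with -DHAVE_SELINUX -lselinux; without that define the same code still runs and still enforces what a per-user /tmp directory needs regardless of SELinux: mode 0700, owned by the caller, and not a symlink or foreign directory planted by another user.

```c
/* Added example, not libORBit2 code: create "<base>/orbit-<user>" and,
 * when built with -DHAVE_SELINUX -lselinux, label it at creation time
 * with the type matchpathcon() returns for that path, so it does not
 * simply inherit the generic tmp_t label of /tmp. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#ifdef HAVE_SELINUX
#include <selinux/selinux.h>
#endif

/* A directory we are about to drop IPC sockets into must be a real
 * directory (not a symlink), owned by us, and closed to other users.
 * Returns 0 when acceptable, -1 otherwise. */
int check_orbit_dir(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode))       /* symlink or file planted in /tmp */
        return -1;
    if (st.st_uid != getuid())      /* someone else's orbit-<user> */
        return -1;
    if ((st.st_mode & 077) != 0)    /* group/world could reach the sockets */
        return -1;
    return 0;
}

/* Create "<base>/orbit-<user>" with mode 0700 (hypothetical helper).
 * Returns 0 on success or when a safe directory already exists,
 * -1 on error or when the existing entry fails check_orbit_dir(). */
int create_orbit_dir(const char *base, const char *user)
{
    char path[PATH_MAX];
    int rc;

    if (snprintf(path, sizeof path, "%s/orbit-%s", base, user) >= (int)sizeof path)
        return -1;

#ifdef HAVE_SELINUX
    /* Ask the loaded file_contexts which label a directory at this path
     * should carry, and have the kernel apply it in mkdir() itself,
     * so there is no window where the directory is mislabeled. */
    char *con = NULL;
    if (is_selinux_enabled() > 0 && matchpathcon(path, S_IFDIR, &con) != 0)
        con = NULL;
    if (con)
        setfscreatecon(con);
#endif

    rc = mkdir(path, 0700);

#ifdef HAVE_SELINUX
    if (con) {
        setfscreatecon(NULL);   /* restore default labeling for later creates */
        freecon(con);
    }
#endif

    if (rc != 0 && errno != EEXIST)
        return -1;
    /* Created or pre-existing: either way, verify before trusting it. */
    return check_orbit_dir(path);
}

/* Exercise the checks inside a private mkdtemp() base: fresh create,
 * reuse of our own directory, a planted symlink, and a directory with
 * loose permissions. Returns the number of scenarios that behaved as
 * intended (4 when all pass). Constructed for this example. */
int demo_scenarios(void)
{
    char base[] = "/tmp/orbit-demo-XXXXXX";
    char path[PATH_MAX];
    int passed = 0;

    if (mkdtemp(base) == NULL)
        return 0;

    passed += (create_orbit_dir(base, "alice") == 0);   /* created, 0700 */
    passed += (create_orbit_dir(base, "alice") == 0);   /* already ours, fine */

    snprintf(path, sizeof path, "%s/orbit-bob", base);
    symlink("/etc", path);                              /* attacker-planted symlink */
    passed += (create_orbit_dir(base, "bob") == -1);
    unlink(path);

    snprintf(path, sizeof path, "%s/orbit-carol", base);
    mkdir(path, 0755);
    chmod(path, 0755);                                  /* too permissive: refused */
    passed += (create_orbit_dir(base, "carol") == -1);
    rmdir(path);

    snprintf(path, sizeof path, "%s/orbit-alice", base);
    rmdir(path);
    rmdir(base);
    return passed;
}

int main(void)
{
    const char *user = getenv("USER") ? getenv("USER") : "nobody";
    int rc = create_orbit_dir("/tmp", user);
    printf("create_orbit_dir(/tmp, %s): %s\n", user, rc == 0 ? "ok" : "refused");
    printf("scenarios passed: %d of 4\n", demo_scenarios());
    return rc == 0 ? 0 : 1;
}
```

Setting the creation context with setfscreatecon() before mkdir() is what makes the library approach attractive: the directory is born with the policy's label, whereas a startup script that creates it and then runs chcon or restorecon leaves a window in which it carries tmp_t. Either way the caller must still refuse a symlink or foreign directory at that path, because /tmp is world-writable and the name orbit-$USER is predictable.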