From: Tom <tom@lemuria.org>
To: Ivan Gyurdiev <ivg2@cornell.edu>
Cc: "Fedora SELinux support list for users & developers."
<fedora-selinux-list@redhat.com>,
selinux@tycho.nsa.gov
Subject: Re: Desktop apps interoperability
Date: Mon, 28 Mar 2005 13:26:54 +0200 [thread overview]
Message-ID: <20050328132653.F27857@lemuria.org> (raw)
In-Reply-To: <1111987652.1514.97.camel@cobra.ivg2.net>; from ivg2@cornell.edu on Mon, Mar 28, 2005 at 12:27:31AM -0500
On Mon, Mar 28, 2005 at 12:27:31AM -0500, Ivan Gyurdiev wrote:
> Part of the problem seems to be the way Linux apps treat /home, as the
> place for everything.
It doesn't. It treats $HOME as the only place that the user has
permission to store his stuff. On a well-configured system, that
assumption is correct.
> Why are both app. settings and user data stored
> in /home as the default location.
Because otherwise the user couldn't add or edit them.
> Now Windows' approach of having "My Documents" and the like is starting
> to make a lot of sense (even though I absolutely hate those names).
The Linux approach, however, allows much more flexibility.
If you want applications to share data, there are several ways to
accomplish that goal. Here's just a quick idea:
* add $HOME/Downloads as a directory
* give it its own type, maybe ROLE_downloads_t
* give mozilla permissions to write there, with file_type_auto_trans
* give mplayer permissions to the resulting files
voila, mplayer can now play stuff downloaded from the web, without
opening up the big hole of giving it permissions to all mozilla files.
Another solution, for a more paranoid environment would be adding a
virus/malware scanner domain that can read mozilla's files and write them
out again (after checking and/or cleaning) as a regular ROLE_home_t
file. This would ensure that any files fully accessible in the home
directory have been scanned.
The point is - I may or may not want mplayer to play random stuff from
the web with potentially dangerous content. If you want to, evaluate
your security requirements and institute the appropriate solution.
--
http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2005-03-28 11:26 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-03-28 4:57 Desktop apps interoperability Ivan Gyurdiev
2005-03-28 5:03 ` Ivan Gyurdiev
2005-03-28 5:27 ` Ivan Gyurdiev
2005-03-28 10:01 ` Luke Kenneth Casson Leighton
2005-03-28 10:17 ` Rogelio Serrano
2005-03-29 11:33 ` Dale Amon
2005-03-29 13:54 ` Stephen Smalley
2005-03-29 15:39 ` Colin Walters
2005-03-28 11:26 ` Tom [this message]
2005-03-28 12:15 ` Ivan Gyurdiev
2005-03-28 13:11 ` Tom
2005-03-28 13:46 ` Ivan Gyurdiev
2005-03-28 14:09 ` Tom
2005-03-28 15:05 ` Ivan Gyurdiev
2005-03-28 15:12 ` Stephen Smalley
2005-03-28 15:47 ` Tom
2005-03-28 16:04 ` Stephen Smalley
2005-03-28 16:20 ` Tom
2005-03-28 16:39 ` Stephen Smalley
2005-03-30 5:01 ` Ivan Gyurdiev
2005-03-28 15:41 ` Tom
2005-03-28 10:04 ` Luke Kenneth Casson Leighton
2005-03-28 13:36 ` Stephen Smalley
2005-03-28 18:27 ` Luke Kenneth Casson Leighton
2005-03-28 18:23 ` Stephen Smalley
2005-03-28 19:54 ` Luke Kenneth Casson Leighton
2005-03-28 19:46 ` Stephen Smalley
2005-03-28 13:43 ` Stephen Smalley
-- strict thread matches above, loose matches on Subject: below --
2005-03-28 16:51 Casey Schaufler
2005-03-30 15:05 Casey Schaufler
2005-03-30 15:29 ` Ivan Gyurdiev
2005-03-30 15:52 Casey Schaufler
2005-03-30 16:13 ` Ivan Gyurdiev
2005-03-30 21:50 ` Tom
2005-03-30 22:12 ` Luke Kenneth Casson Leighton
2005-03-31 8:37 ` Tom
2005-03-31 10:05 ` Luke Kenneth Casson Leighton
2005-03-31 8:42 ` Ivan Gyurdiev
2005-03-30 17:04 Casey Schaufler
2005-03-30 17:15 ` Stephen Smalley
2005-03-30 17:26 ` Luke Kenneth Casson Leighton
2005-03-30 17:44 ` Ivan Gyurdiev
2005-03-30 18:09 ` Jim McCullough
2005-03-30 22:09 ` Luke Kenneth Casson Leighton
2005-03-30 22:00 ` Luke Kenneth Casson Leighton
2005-03-31 9:25 ` Ivan Gyurdiev
2005-03-31 9:48 ` Ivan Gyurdiev
2005-03-30 17:27 Casey Schaufler
2005-03-30 17:53 Casey Schaufler
2005-03-30 17:56 ` Stephen Smalley
2005-03-30 17:58 Casey Schaufler
2005-03-31 10:04 ` Ivan Gyurdiev
2005-03-31 16:05 Casey Schaufler
2005-03-31 16:08 ` Stephen Smalley
2005-03-31 21:13 ` Tom
2005-03-31 21:05 ` Stephen Smalley
2005-04-01 5:28 ` Rogelio Serrano
2005-04-01 7:54 ` Tom
2005-03-31 17:40 ` Ivan Gyurdiev
2005-03-31 16:51 Casey Schaufler
2005-03-31 18:16 ` Stephen Smalley
2005-04-02 3:50 Casey Schaufler
2005-04-03 23:39 Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050328132653.F27857@lemuria.org \
--to=tom@lemuria.org \
--cc=fedora-selinux-list@redhat.com \
--cc=ivg2@cornell.edu \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.