From: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Ivan Gyurdiev <ivg2@cornell.edu>,
selinux@tycho.nsa.gov, fedora-selinux-list@redhat.com
Subject: Re: Desktop apps interoperability
Date: Mon, 28 Mar 2005 19:27:14 +0100 [thread overview]
Message-ID: <20050328182714.GG3430@lkcl.net> (raw)
In-Reply-To: <1112016992.2914.19.camel@moss-spartans.epoch.ncsc.mil>
On Mon, Mar 28, 2005 at 08:36:32AM -0500, Stephen Smalley wrote:
> On Mon, 2005-03-28 at 11:04 +0100, Luke Kenneth Casson Leighton wrote:
> > On Sun, Mar 27, 2005 at 11:57:35PM -0500, Ivan Gyurdiev wrote:
> >
> > > There can't be more than one file_type_auto_trans on the same folder
> > > type (right?).
> >
> > bizarrely, no.
> >
> > i believe this issue was raised some months ago, with the
> > "alternative file context" thing.
> >
> > if file_type_auto_trans also took an executable [domain] as an
> > additional argument, i believe you stand a chance of achieving
> > what you seek.
>
> file_type_auto_trans() is based on the domain of the creating process,
> the type of the parent directory, and optionally the class of the new
> file.
brain-lapse. of course it is. duh.
> [description of how to make programs security-aware]
so the issue ivan describes _can_ be solved.
... question: in what ways do you ensure that a security-aware
compromised program is only allowed to create certain filetypes?
is it to do with using compute_av()?
l.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2005-03-28 18:27 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-03-28 4:57 Desktop apps interoperability Ivan Gyurdiev
2005-03-28 5:03 ` Ivan Gyurdiev
2005-03-28 5:27 ` Ivan Gyurdiev
2005-03-28 10:01 ` Luke Kenneth Casson Leighton
2005-03-28 10:17 ` Rogelio Serrano
2005-03-29 11:33 ` Dale Amon
2005-03-29 13:54 ` Stephen Smalley
2005-03-29 15:39 ` Colin Walters
2005-03-28 11:26 ` Tom
2005-03-28 12:15 ` Ivan Gyurdiev
2005-03-28 13:11 ` Tom
2005-03-28 13:46 ` Ivan Gyurdiev
2005-03-28 14:09 ` Tom
2005-03-28 15:05 ` Ivan Gyurdiev
2005-03-28 15:12 ` Stephen Smalley
2005-03-28 15:47 ` Tom
2005-03-28 16:04 ` Stephen Smalley
2005-03-28 16:20 ` Tom
2005-03-28 16:39 ` Stephen Smalley
2005-03-30 5:01 ` Ivan Gyurdiev
2005-03-28 15:41 ` Tom
2005-03-28 10:04 ` Luke Kenneth Casson Leighton
2005-03-28 13:36 ` Stephen Smalley
2005-03-28 18:27 ` Luke Kenneth Casson Leighton [this message]
2005-03-28 18:23 ` Stephen Smalley
2005-03-28 19:54 ` Luke Kenneth Casson Leighton
2005-03-28 19:46 ` Stephen Smalley
2005-03-28 13:43 ` Stephen Smalley
-- strict thread matches above, loose matches on Subject: below --
2005-03-28 16:51 Casey Schaufler
2005-03-30 15:05 Casey Schaufler
2005-03-30 15:29 ` Ivan Gyurdiev
2005-03-30 15:52 Casey Schaufler
2005-03-30 16:13 ` Ivan Gyurdiev
2005-03-30 21:50 ` Tom
2005-03-30 22:12 ` Luke Kenneth Casson Leighton
2005-03-31 8:37 ` Tom
2005-03-31 10:05 ` Luke Kenneth Casson Leighton
2005-03-31 8:42 ` Ivan Gyurdiev
2005-03-30 17:04 Casey Schaufler
2005-03-30 17:15 ` Stephen Smalley
2005-03-30 17:26 ` Luke Kenneth Casson Leighton
2005-03-30 17:44 ` Ivan Gyurdiev
2005-03-30 18:09 ` Jim McCullough
2005-03-30 22:09 ` Luke Kenneth Casson Leighton
2005-03-30 22:00 ` Luke Kenneth Casson Leighton
2005-03-31 9:25 ` Ivan Gyurdiev
2005-03-31 9:48 ` Ivan Gyurdiev
2005-03-30 17:27 Casey Schaufler
2005-03-30 17:53 Casey Schaufler
2005-03-30 17:56 ` Stephen Smalley
2005-03-30 17:58 Casey Schaufler
2005-03-31 10:04 ` Ivan Gyurdiev
2005-03-31 16:05 Casey Schaufler
2005-03-31 16:08 ` Stephen Smalley
2005-03-31 21:13 ` Tom
2005-03-31 21:05 ` Stephen Smalley
2005-04-01 5:28 ` Rogelio Serrano
2005-04-01 7:54 ` Tom
2005-03-31 17:40 ` Ivan Gyurdiev
2005-03-31 16:51 Casey Schaufler
2005-03-31 18:16 ` Stephen Smalley
2005-04-02 3:50 Casey Schaufler
2005-04-03 23:39 Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050328182714.GG3430@lkcl.net \
--to=lkcl@lkcl.net \
--cc=fedora-selinux-list@redhat.com \
--cc=ivg2@cornell.edu \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.