From: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
To: Petter Reinholdtsen <pere@hungry.com>
Cc: SE-Linux <selinux@tycho.nsa.gov>
Subject: Re: (fwd) Bug#270919: Can you test a new version of sysvinit?
Date: Sat, 10 Sep 2005 20:59:36 +0100	[thread overview]
Message-ID: <20050910195936.GD9179@lkcl.net> (raw)
In-Reply-To: <20050909143142.GC27535@saruman.uio.no>

On Fri, Sep 09, 2005 at 04:31:42PM +0200, Petter Reinholdtsen wrote:
> My message was rejected from the mailing list.  Perhaps you are
> interested, so I forward it directly to you.
> 
> ----- Forwarded message from Petter Reinholdtsen <pere@hungry.com> -----
> 
> Date: Thu, 8 Sep 2005 22:48:00 +0200
> From: Petter Reinholdtsen <pere@hungry.com>
> To: SE-Linux <selinux@tycho.nsa.gov>
> Bcc: Petter Reinholdtsen <petter.reinholdtsen@usit.uio.no>
> Subject: Re: [pere@hungry.com: Bug#270919: Can you test a new version of sysvinit?]
> 
> [Luke Kenneth Casson Leighton]
> > basically this simple fix - attempting "touch /etc/mtab" as a test
> > instead of "touch /etc" - stops a debian/selinux system getting into
> > deeper and deeper shit :)
> 
> The patch I applied just removed the test, it did not change it into a
> touch /etc/mtab.  Would that be a better fix?  Better patches are
> welcome. :)

 *thinks*

 this is from memory, from over six months ago when i had the
 time to look at this stuff.
 
 iirc selinux permissions are granted to initrc_t to write to
 /etc/mtab but not to /etc.

 therefore i believe it is acceptable to allow the test to be
 "touch /etc/mtab" like wot i believe i wrote in followup messages to
 bugs.debian.org.

 it's generally - no it's totally - bogus to assume that write
 permission to a directory being banned implies that files _in_ that
 directory are also banned.

 selinux allows far finer grained permissions than the out-of-date
 [20-year-old] unix filesystem permissions.


 anyway: if you think that you can get away with removing the test,
 _great_.

 l.


> ----- End forwarded message -----

-- 
--
http://lkcl.net
--
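The distinction the message draws (the init script domain may be allowed to write the mtab file while being denied write access to the /etc directory) comes down to which object the probe asks about. The following POSIX shell snippet is an added example, not code from the thread or from the sysvinit package; the helper names `mtab_writable`, `dir_touchable` and `demo` are hypothetical, and the demo uses a scratch directory standing in for /etc.

```shell
#!/bin/sh
# Added example (not from the thread or from sysvinit): probe whether the
# mtab *file* can be updated instead of whether its directory can be
# touched.  Under SELinux, initrc_t may hold write permission on the type
# of /etc/mtab while being denied write on the type of /etc itself, so
# "touch /etc" answers the wrong question.

# Return 0 if $1 is an existing regular file we can open for writing.
# Opening for append neither truncates nor alters the contents and, unlike
# creating a file or touching the directory, needs only write access on
# the file itself (DAC and, under SELinux, file:write on its type).
mtab_writable() {
    f=$1
    [ -f "$f" ] || return 1
    # Run the redirection in a subshell so a denial yields a clean
    # non-zero status instead of an error in the caller.
    ( : >> "$f" ) 2>/dev/null
}

# The test the thread starts from: it asks about the directory, which
# the init domain may legitimately be denied even when the file is fine.
dir_touchable() {
    touch "$1" 2>/dev/null
}

# Constructed offline demo: a scratch directory stands in for /etc and a
# freshly created, empty file stands in for /etc/mtab.  Returns 0 when
# the file probe succeeds, 1 when it does not, 2 on setup failure.
demo() {
    scratch=$(mktemp -d) || return 2
    : > "$scratch/mtab"
    if mtab_writable "$scratch/mtab"; then
        r=0
    else
        r=1
    fi
    rm -rf "$scratch"
    return $r
}
```

On a real system the probe is `mtab_writable /etc/mtab`; a missing file or a denied open both report failure, so the caller can skip the mtab update rather than abort the boot.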

