Re: (fwd) Bug#270919: Can you test a new version of sysvinit?
In-Reply-To: <20050909143142.GC27535@saruman.uio.no>
From: Luke Kenneth Casson Leighton @ 2005-09-10 19:59 UTC (permalink / raw)
To: Petter Reinholdtsen
Cc: SE-Linux
On Fri, Sep 09, 2005 at 04:31:42PM +0200, Petter Reinholdtsen wrote:
> My message was rejected from the mailing list. Perhaps you are
> interested, so I forward it directly to you.
>
> ----- Forwarded message from Petter Reinholdtsen <pere@hungry.com> -----
>
> X-Sieve: CMU Sieve 2.2
> Date: Thu, 8 Sep 2005 22:48:00 +0200
> From: Petter Reinholdtsen <pere@hungry.com>
> To: SE-Linux <selinux@tycho.nsa.gov>
> Bcc: Petter Reinholdtsen <petter.reinholdtsen@usit.uio.no>
> Subject: Re: [pere@hungry.com: Bug#270919: Can you test a new version of sysvinit?]
> X-UiO-Spam-info: not spam, SpamAssassin (score=-5.616, required 12,
> autolearn=disabled, ALL_TRUSTED -2.82, AWL 2.20,
> UIO_MAIL_IS_INTERNAL -5.00)
>
> [Luke Kenneth Casson Leighton]
> > basically this simple fix - attempting "touch /etc/mtab" as a test
> > instead of "touch /etc" - stops a debian/selinux system getting into
> > deeper and deeper shit :)
>
> The patch I applied just removed the test, it did not change it into a
> touch /etc/mtab. Would that be a better fix? Better patches are
> welcome. :)
*thinks*
this is from memory, from over six months ago when i had the
time to look at this stuff.
iirc selinux permissions are granted to initrc_t to write to
/etc/mtab but not to /etc.
therefore i believe it is acceptable to allow the test to be
"touch /etc/mtab" like wot i believe i wrote in followup messages to
bugs.debian.org.
it's generally - no it's totally - bogus to assume that write
permission to a directory being banned implies that files _in_ that
directory are also banned.
selinux allows far finer grained permissions than the out-of-date
[20-year-old] unix filesystem permissions.
anyway: if you think that you can get away with removing the test,
_great_.
l.
> ----- End forwarded message -----
--
http://lkcl.net
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
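A shell illustration of the point Luke makes above, added here and not taken from sysvinit or from either message: one check probes the directory that holds the mtab file, the other probes the file itself. Under plain Unix permissions an unprivileged user can still write an existing 0644 file inside a 0555 directory, which mirrors the SELinux case the message recalls (initrc_t allowed to write /etc/mtab but not /etc). The fixture below is constructed under a mktemp directory so it runs offline as an ordinary user; the function names are my own.

```shell
#!/bin/sh
# Added example, not sysvinit code: two ways an init script might decide
# whether it can update its mtab file. The directory probe is the kind of
# test the thread argues against; the file probe is the "touch /etc/mtab"
# alternative. Both are exercised on a constructed fixture, never on /etc.

# Directory-level probe: try to create a new entry next to $1.
# Succeeds only if the enclosing directory itself is writable.
dir_writable() {
    d=$(dirname "$1")
    probe="$d/.mtab-probe.$$"
    if : > "$probe" 2>/dev/null; then
        rm -f "$probe"
        return 0
    fi
    return 1
}

# File-level probe: open the existing file for append and write nothing.
# Needs write permission on the file only, not on its directory, which is
# the distinction the message draws for SELinux (and it holds for DAC too).
file_writable() {
    [ -e "$1" ] && : >> "$1" 2>/dev/null
}

# The answer an init script would branch on.
mtab_check() {
    if file_writable "$1"; then
        echo rw
    else
        echo ro
    fi
}

# Constructed fixture: a read-only directory holding a writable mtab.
setup_fixture() {
    t=$(mktemp -d)
    : > "$t/mtab"
    chmod 0644 "$t/mtab"
    chmod 0555 "$t"
    echo "$t/mtab"
}

teardown_fixture() {
    chmod 0755 "$(dirname "$1")"
    rm -rf "$(dirname "$1")"
}

# Stand-alone demonstration: the file probe says rw while the directory
# probe is denied for a non-root user (root bypasses DAC, so it would pass).
m=$(setup_fixture)
echo "file-level check:      $(mtab_check "$m")"
if dir_writable "$m"; then
    echo "directory-level check: writable"
else
    echo "directory-level check: denied"
fi
teardown_fixture "$m"
```

Run it as an unprivileged user to see the two probes disagree; as root both succeed, because DAC does not constrain uid 0, which is exactly why a file-level probe is the only one that tells an init script anything useful on a system where SELinux is what is doing the denying.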