Re: [patch] screen_macros.te

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Daniel J Walsh <dwalsh@redhat.com>
To: russell@coker.com.au
Cc: SELinux <selinux@tycho.nsa.gov>
Subject: Re: [patch] screen_macros.te
Date: Thu, 06 Jan 2005 09:49:37 -0500	[thread overview]
Message-ID: <41DD5001.3010302@redhat.com> (raw)
In-Reply-To: <200501062246.42763.russell@coker.com.au>

Russell Coker wrote:

>On Thursday 06 January 2005 00:21, Daniel J Walsh <dwalsh@redhat.com> wrote:
>  
>
>>I would like to add a new file type cert_t for ssl cert files, since
>>these are defaulted to usr_t right now.
>>Shouldn't these be protected at a higher level?
>>    
>>
>
>Are you talking about protecting the integrity or the secrecy of data in such 
>files?
>
>If integrity then anything which can write to usr_t can break the system 
>anyway.  If secrecy then nothing in an rpm is secret anyway.
>
>If there are certificates that have any secret data then they should be 
>somewhere other than under /usr.
>
>  
>
They are not in an RPM, and there has been discussions that they should 
be moved under /var/ or /etc/.
I think readability is the problem here.  Wherever they end up we need a 
general case protecting the
certificates so ever application that can read /usr or /etc/ or /var can 
not read these files.   We are also going
have to start looking at how we can protect Kerberos Key Files.  But 
that is another conversation.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

next prev parent reply	other threads:[~2005-01-06 14:49 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-01-04 23:01 [patch] screen_macros.te Greg Norris
2005-01-04 23:34 ` Greg Norris
2005-01-05 13:21   ` Daniel J Walsh
2005-01-05 15:18     ` New type cert_t? Daniel J Walsh
2005-01-06 11:46     ` [patch] screen_macros.te Russell Coker
2005-01-06 14:49       ` Daniel J Walsh [this message]
2005-01-12 18:51   ` James Carter

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=41DD5001.3010302@redhat.com \
    --to=dwalsh@redhat.com \
    --cc=russell@coker.com.au \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.