Re: File Browsing apps and getattr

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Daniel J Walsh <dwalsh@redhat.com>
To: Stephen Smalley <sds@epoch.ncsc.mil>
Cc: ivg2@cornell.edu, selinux@tycho.nsa.gov
Subject: Re: File Browsing apps and getattr
Date: Tue, 01 Feb 2005 13:01:13 -0500	[thread overview]
Message-ID: <41FFC3E9.9020805@redhat.com> (raw)
In-Reply-To: <1107264676.26936.63.camel@moss-spartans.epoch.ncsc.mil>

Stephen Smalley wrote:

>On Tue, 2005-02-01 at 08:26, Ivan Gyurdiev wrote:
>  
>
>>Why is the stat() information so important for security?
>>    
>>
>
>It depends on the particular file, obviously.  The point is that it
>represents an information flow that conveys possibly sensitive
>information about the object, and should be controlled in accordance
>with the security properties of the object.
>
>  
>
>>If you won't do this, how do you plan to address the denials I have
>>posted about? 
>>
>>Will you leave ls in this state:
>>
>>[phantom@cobra ~]$ ls -l /var
>>total 112
>>?---------   ? ?    ?       ?            ? account
>>drwxr-xr-x  10 root root 4096 Jan 16 05:33 cache
>>drwxr-xr-x   3 root root 4096 Oct 19 13:20 db
>>drwxr-xr-x   3 root root 4096 Aug 12 11:02 empty
>>?---------   ? ?    ?       ?            ? gdm
>>drwxr-xr-x  24 root root 4096 Jan 16 05:33 lib
>>drwxr-xr-x   2 root root 4096 Aug 12 11:02 local
>>?---------   ? ?    ?       ?            ? lock
>>drwxr-xr-x  13 root root 4096 Feb  1 04:02 log
>>?---------   ? ?    ?       ?            ? mail
>>?---------   ? ?    ?       ?            ? named
>>drwx------   2 root root 4096 Dec  1 13:49 net-snmp
>>drwxr-xr-x   2 root root 4096 Aug 12 11:02 nis
>>drwxr-xr-x   2 root root 4096 Aug 12 11:02 opt
>>drwxr-xr-x   2 root root 4096 Aug 12 11:02 preserve
>>drwxr-xr-x  18 root root 4096 Feb  1 06:16 run
>>drwxr-xr-x  14 root root 4096 Aug 12 11:02 spool
>>drwxrwxrwt   2 root root 4096 Feb  1 06:16 tmp
>>drwxr-xr-x  12 root root 4096 Jan 11 19:28 www
>>?---------   ? ?    ?       ?            ? yp
>>[phantom@cobra ~]$
>>    
>>
>
>You can certainly propose allowing access to additional file types on a
>case-by-case basis, possibly introducing new attributes to identify the
>desired set of types, but adding permissions always requires a
>justification, not just 'why not?'.  What is the functional requirement
>that ls display the attributes of those subdirectories/files?  What is
>the real benefit if you cannot search the subdirectories or read the
>files?
>
>dontaudit is appropriate if you just want to silence the warnings,
>although you obviously don't want to do that for a file to which you
>truly want to track attempted accesses.
>
>  
>
There is already a usrcanread attribute.

Should we create another attribute SECURITYFILE, so we could label 
file_types that have greater security concerns.

shadow_t, cert_t, kerberos_*, ...




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

next prev parent reply	other threads:[~2005-02-01 18:01 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-01-31 22:26 File Browsing apps and getattr Ivan Gyurdiev
2005-02-01 12:11 ` Stephen Smalley
2005-02-01 13:08   ` Ivan Gyurdiev
2005-02-01 13:11     ` Stephen Smalley
2005-02-01 13:26       ` Ivan Gyurdiev
2005-02-01 13:31         ` Stephen Smalley
2005-02-01 18:01           ` Daniel J Walsh [this message]
2005-02-01 18:42           ` Ivan Gyurdiev
2005-02-01 19:52             ` Stephen Smalley
2005-02-01 23:39               ` Ivan Gyurdiev
2005-02-02 12:03                 ` Stephen Smalley
2005-02-02 13:19                   ` Ivan Gyurdiev
2005-02-02 13:14                     ` Stephen Smalley
2005-02-02 14:14                       ` Ivan Gyurdiev
2005-02-02 14:07                     ` Daniel J Walsh
2005-02-02 14:22                       ` Stephen Smalley
2005-02-02 14:36                         ` Daniel J Walsh
2005-02-02 16:01                           ` Ivan Gyurdiev
2005-02-02 16:22                             ` Daniel J Walsh
2005-02-02 16:41                               ` Ivan Gyurdiev
2005-02-01 16:15         ` Casey Schaufler

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=41FFC3E9.9020805@redhat.com \
    --to=dwalsh@redhat.com \
    --cc=ivg2@cornell.edu \
    --cc=sds@epoch.ncsc.mil \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.