From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Possible regression and bug in userdom_base_user_template
Date: Mon, 01 Mar 2010 08:39:13 -0500
Message-ID: <4B8BC381.8060601@redhat.com>
In-Reply-To: <20100301102220.GF3990@myhost.felk.cvut.cz>

On 03/01/2010 05:22 AM, Michal Svoboda wrote:
>
> Christopher J. PeBenito wrote:
>
>> The Fedora list is more appropriate for this discussion, as these rules
>> are specific to the Fedora policy.
>>
> Okay, it seems so, thanks. But the usr_t rule remains in refpolicy too.
> Is the reasoning here the same? That is
>
> Daniel J Walsh wrote:
>
>> Executing usr_t is not that big of a security risk.
>>
> ... because from the purity point of view it would seem that usr_t
> should be a label of read only, non-executable files.
>
> Michal Svoboda
>
Yes, if my goal was to have anyone who uses an SELinux system totally
understand the difference, but my goal is to have the largest possible
segment of computer users gain some protection for SELinux. Forcing
them to label every package in the world correctly or blowing up the
application for very little increased security is just nuts.

Right now I have SELinux usage in Fedora at > 70%. If I turned off
unconfined_t and unconfined initrc_t and started preventing execution of
usr_t, I would bet that number would collapse.