From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Labeling of ~/.local, ~/.config, ... owned by gnome though not gnome specific
Date: Sat, 18 Sep 2010 12:01:12 +0200 [thread overview]
Message-ID: <4C948DE8.8050702@gmail.com> (raw)
In-Reply-To: <201009181142.56428.Nicky726@gmail.com>
On 09/18/2010 11:42 AM, Nicky726 wrote:
> Dne P? 17. z??? 2010 15:04:38 jste napsal(a):
>> No I am saying you can suggest renames and try to get them upstream, if
>> you do I will convert to using them. Once they are upstream it becomes a
>> pain to change.
>
> By the upstream you mean refpolicy? Will it be a valid module, that just
> defines those types, creates interfaces to access them in ways and labels the
> directories?
I do not think so.
Its part of a larger issue that we need to find consensus on in the
community.
The problem is that we just declare types and define contexts, but that
no module really owns it.
That does not makes sense from the perspective of SELinux?
How did these object get on the file system in the first place? which,
if any package installed them (obviously no package installs ~/.config)
I have yet to find out what creates ~/.config, I suspect it is
gnome-session (in Gnome) but i am not sure.
And even then if we find out there are other loosely related issues.
For example the other xdg directories in HOME_DIR created by XDG. Like
Downloads, Videos, Documents, Music, Pictures, Templates etc.
In Fedora, most of these are not labelled explicitly yet either with the
exception of Music i believe.
The problem here is that XDG creates these directories in the applicable
locale (language)
How would be guarantee that these locations get labelled properly for
all languages?
With regard to HOME_DIR/\{.config, .local, .cache} we rely on
restorecond to ensure proper labelling in Fedora.
I suspect that upstream however will not accept making that assumption,
thus i do not believe refpolicy will adopt fedoras' solution for dealing
with the Freedesktop XDG specifications.
Another piece in the puzzle called: confining the user space.
The key issue in my view is the we need consensus in the community about
how to go forward with the user space.
> Thanx,
> Ondrej Vadinsky
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100918/0223b5b7/attachment.bin
next prev parent reply other threads:[~2010-09-18 10:01 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <201009161816.19552.Nicky726@gmail.com>
2010-09-16 19:22 ` [refpolicy] Labeling of ~/.local, ~/.config, ... owned by gnome though not gnome specific Daniel J Walsh
2010-09-16 21:13 ` Nicky726
2010-09-16 21:34 ` Daniel J Walsh
2010-09-17 7:37 ` Nicky726
2010-09-17 13:04 ` Daniel J Walsh
2010-09-18 9:42 ` Nicky726
2010-09-18 10:01 ` Dominick Grift [this message]
[not found] <mailman.1.1284829201.3561.refpolicy@oss.tresys.com>
2010-09-20 19:38 ` Nicky726
2010-09-23 17:59 ` Daniel J Walsh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4C948DE8.8050702@gmail.com \
--to=domg472@gmail.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.