From: Karl MacMillan <kmacmill@redhat.com>
To: Andi Kleen <andi@firstfloor.org>
Cc: James Morris <jmorris@namei.org>,
David Safford <safford@watson.ibm.com>,
John Johansen <jjohansen@suse.de>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org
Subject: Re: AppArmor FAQ
Date: Tue, 17 Apr 2007 18:26:24 -0400
Message-ID: <1176848784.5946.101.camel@localhost.localdomain>
In-Reply-To: <20070417181016.GA10903@one.firstfloor.org>
On Tue, 2007-04-17 at 20:10 +0200, Andi Kleen wrote:
> On Tue, Apr 17, 2007 at 01:47:39PM -0400, James Morris wrote:
> > Normal applications need zero modification under SELinux.
> >
> > Some applications which manage security may need to be made SELinux-aware,
>
> Anything that can touch /etc/resolv.conf? That's potentially a lot of binaries
> if you consider anything scripts could do with it.
>
Certainly not - most things are handled by policy. I don't think that
any applications shipped with Fedora are modified to handle resolv.conf.
They are either confined and policy takes care of it or, in the case of
things like vi, they are generically modified to preserve labels (and
that change is partially to accommodate the targeted policy). Any
application that preserves DAC mode bits should likely also preserve
ACLs and SELinux labels (I guess they should potentially just preserve
all xattrs - not certain).
> > although this can often be done with PAM plugins, which is a standard way
> > to do this kind of thing in modern Unix & Linux OSs.
>
> PAM plugins in vi and emacs? Scary idea.
>
Err, no. I don't think that is what James was suggesting.
> And what do you do if someone decides to use OpenOffice to edit their
> /etc/resolv.conf? For a lot of people that's the only text editor
> they know.
>
Yeah right, I'm certain there are a lot of users (even clueless ones)
that use OO for files in /etc. I assume that line wrapping alone would
make this impossible and running a huge X application as root is
obviously not the best idea. Actually, it seems unlikely that a clueless
user would know how to run OO as root.
Anyway, general concerns aside, for a targeted system this would likely
just work depending on how OO saves files or whether it preserves
labels.
It would also be possible to create a small policy that defined a domain
for OO that would allow editing resolv.conf. If you went that route the
policy could set the label correctly. This is actually one of the major
advantages of SELinux. You can create multiple domains for the same app
that allow different actions depending on the circumstances.
Karl
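Karl's point that an application which preserves DAC mode bits should also carry over ACLs and the SELinux label can be shown concretely. The following is an added example, not vim's code or anything posted in this thread: a save routine that writes to a temp file in the same directory, copies the original's mode bits and every xattr (user.*, system.posix_acl_*, security.selinux) onto it, and renames it over the original. The function names copy_xattrs and save_preserving_labels are assumed here.

```c
/* Added example (not vim's or SELinux's own code): replace a file by
 * write-to-temp-and-rename while carrying over the original's mode bits
 * and xattrs, which is what "preserve labels" means for an editor. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <unistd.h>

/* Copy all xattrs from src to dst. Returns the number copied, -1 on error.
 * Attributes the filesystem or policy refuses (ENOTSUP/EPERM/EACCES, e.g.
 * security.selinux without relabelfrom/relabelto permission) are skipped
 * rather than aborting the save; everything else is copied verbatim. */
int copy_xattrs(const char *src, const char *dst) {
    char names[4096], value[4096];
    ssize_t len = listxattr(src, names, sizeof names);
    if (len < 0) return errno == ENOTSUP ? 0 : -1;
    int copied = 0;
    for (char *n = names; n < names + len; n += strlen(n) + 1) {
        ssize_t vlen = getxattr(src, n, value, sizeof value);
        if (vlen < 0) return -1;
        if (setxattr(dst, n, value, (size_t)vlen, 0) == 0) copied++;
        else if (errno != ENOTSUP && errno != EPERM && errno != EACCES) return -1;
    }
    return copied;
}

/* Atomically replace path with data, keeping mode bits and xattrs (ownership
 * is not copied: an unprivileged editor cannot chown). 0 on success, -1 on error. */
int save_preserving_labels(const char *path, const char *data, size_t len) {
    struct stat st;
    char tmp[PATH_MAX];
    if (stat(path, &st) < 0) return -1;
    snprintf(tmp, sizeof tmp, "%s.XXXXXX", path);
    int fd = mkstemp(tmp);                 /* created 0600 in the same dir */
    if (fd < 0) return -1;
    int ok = write(fd, data, len) == (ssize_t)len && fsync(fd) == 0
          && fchmod(fd, st.st_mode & 07777) == 0
          && copy_xattrs(path, tmp) >= 0;
    if (close(fd) != 0) ok = 0;
    if (ok && rename(tmp, path) != 0) ok = 0;  /* old inode replaced atomically */
    if (!ok) unlink(tmp);
    return ok ? 0 : -1;
}
```

An editor that only does write-temp-and-rename without the xattr copy produces a new inode whose label comes from the parent directory's default (etc_t rather than the resolv.conf type), which is exactly the case policy or an SELinux-aware editor has to handle.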