From mboxrd@z Thu Jan  1 00:00:00 1970
From: Joshua Brindle <method@manicmethod.com>
Subject: Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation,
 pathname matching
Date: Sat, 09 Jun 2007 11:33:07 -0400
Message-ID: <466AC833.5070306@manicmethod.com>
References: <20070514110607.549397248@suse.de> <200706042303.28785.agruen@suse.de> <1181136386.3699.70.camel@moss-spartans.epoch.ncsc.mil> <200706090003.57722.agruen@suse.de> <20070609001703.GA17644@kroah.com> <Pine.LNX.4.64.0706082207260.6675@asgard.lang.hm> <20070609014644.9ed4fa29.seanlkml@sympatico.ca> <Pine.LNX.4.64.0706090004290.6675@asgard.lang.hm>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: Sean <seanlkml@sympatico.ca>, Greg KH <greg@kroah.com>,
	Andreas Gruenbacher <agruen@suse.de>,
	Stephen Smalley <sds@tycho.nsa.gov>,
	Pavel Machek <pavel@ucw.cz>, jjohansen@suse.de,
	linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	linux-fsdevel@vger.kernel.org
To: david@lang.hm
Return-path: <linux-fsdevel-owner@vger.kernel.org>
Received: from tresys.irides.com ([216.250.243.126]:36023 "HELO
	exchange.columbia.tresys.com" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with SMTP id S1753873AbXFIPr3 (ORCPT
	<rfc822;linux-fsdevel@vger.kernel.org>);
	Sat, 9 Jun 2007 11:47:29 -0400
In-Reply-To: <Pine.LNX.4.64.0706090004290.6675@asgard.lang.hm>
Sender: linux-fsdevel-owner@vger.kernel.org
List-Id: linux-fsdevel.vger.kernel.org

david@lang.hm wrote:
> On Sat, 9 Jun 2007, Sean wrote:
> <snip>
>
> what SELinux cannot do is figure out what label to assign a new file.
>

Nit: SELinux figures out what to label new files fine, just not based on 
the name. This works in most cases, eg., when user_t creates a file in 
/tmp it becomes user_tmp_t, incidentally this is something that AA 
cannot handle, if the filenames aren't normalized (they normally 
aren't). For example, my ssh agent socket is stored in 
/tmp/ssh-XXXXXXXX, where the X's are random characters, AA can't 
differentiate admin ssh agents from unprivileged user ssh agents, 
showing a serious flaw in their model.

The complaint is that name-based labeling doesn't currently exist (and 
as Sean has stated that doesn't mean it _can't_ exist, just that it 
doesn't currently). In practice this has not been as big of an issue as 
you are making it out to be. Granted restorecond has a tiny race, and I 
wouldn't recommend using it on very security sensitive files but for 
usability having it relabel user_home_t to user_http_content_t isn't a 
problem (and causes no security issues).