Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks

[Nix]

On 20 Apr 2006, Stephen Smalley yowled:
> - Approved tools/libraries are instrumented to specify the desired label
> for passwd vs. shadow (and backup files), since the same code re-creates
> both on a transaction (at least when adding/removing users), so the
> kernel can't make that distinction automatically; only the tool knows
> that.  This is consistent with how DAC mode is handled for passwd vs.
> shadow. 

So... every program which may modify labelled entities (e.g., for files,
by unlink()/creat()) needs modification for SELinux?

This strikes me as rather impractical if you want to be able to label
files that users may edit: there are a lot of programs users run that
`modify' files in that way. For starters, every web browser, every text
editor...  is it really sensible to require modification of *almost
everything* that can overwrite files lest you magically lose labels that
you thought you had?

(With AppArmor, of course, you never lose labels at all, because there
aren't any.)

(I may be missing something, but I know that when I've tried to use
SELinux to constrain what such programs could manipulate, I was
losing labels to unlink()/creat() left right and centre.)

-- 
`On a scale of 1-10, X's "brokenness rating" is 1.1, but that's only
 because bringing Windows into the picture rescaled "brokenness" by
 a factor of 10.' --- Peter da Silva
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/