On Tue, 2006-03-28 at 11:02 -0500, Daniel J Walsh wrote:
> Should also be wrapped in SELinux to make sure some random app does not
> ask for this. If I am a user and NetworkManager pops a window saying
> somethine like
> "In order to run correctly I need your computer to turn purple, and run
> the Hypervizor at Warp 3" I am going to answer the question, "Yes"
>
> So only apps with a security policy should even be able to do this.
And, I might add, this would be a another perfect showcase of why
SELinux is important on the desktop.
Btw, with the PolicyKit bits I'm writing it will be easy to do this even
without user interaction other than turning g-u-s on; basically it goes
like this
1. label /usr/libexec/gnome-user-share with a label so it runs in a
well-known and specific security domain
2. write a small system-level daemon for punching holes in the firewall
and start it on boot up (when we get activation on the D-BUS system
message bus we don't even need to start it on boot up)
3. g-u-s starts; pokes system-level daemon for punching a hole via
D-BUS
4. system-level daemon checks security domain; rejects anything but
the domain we labeled /usr/libexec/gnome-user-share with; if OK
punches a hole in the firewall and reconfigures SELinux on the
fly so /usr/sbin/httpd is allowed to listen to the given port.
5. if rejected, g-u-s brings up a dialog asking for privileges;
either the users own password or the super user password (this is
a feature of PolicyKit); probably only wants this when starting
from the "Personal File Sharing" capplet, e.g. not on login
So this should be trivial once PolicyKit is finished. Specifically the
system-level helper for punching holes in the firewall would be
distributed with g-u-s. In fact, when PolicyKit is ready for this, I'm
going to try to write this patch for g-u-s... it shouldn't take more
than a day or two..
Btw, this should be upstream friendly too; the fact that we're using
SELinux just means we don't need the user to auth when starting g-u-s.
David
