Thread taken from fedora-selinux-list to fedora-devel-list for a wider audience.

The general concept is that a daemon should never create a directory under /var/cache (or similar non-specific places on the file system) at run-time. If /var/cache/$DAEMON is needed then the package of $DAEMON should provide that directory. This prevents the possible problem of name conflicts and allows more restrictive SE Linux access control (preventing a compromised daemon from performing a trivial DOS attack on other daemons).

On Tuesday 13 September 2005 01:30, Tom London <selinux@xxxxxxxxx> wrote:
> OK, so the rubric here is that daemon-like services need to have their
> 'major' directory entries in places like /var created and labeled by their
> package, not created upon startup. This sounds quite reasonable.

Yes, that's my idea.

> So, the normal 'name space' conflicts will likely be detected during
> package install.

One of several benefits of it.

> Do we need to be concerned with possible 'widening' conflicts on such
> directories (e.g., two packages wanting to 'own' the same directory, one
> with a 'wider' label)?

What do you mean "wider"? Do you mean less restrictive permissions? If so then it certainly would be a problem if two packages desired different permissions for a single file system object, whether one is a superset of the other or whether they are disjoint. It is something that we need to be concerned about, but it will hopefully be rare and we can just fix it when it occurs.

Detecting and solving such problems is an advantage of my suggestion. When we have such directories in packages we can easily check for such conflicts. At the moment I suspect that such daemon behavior is not uncommon and don't know in what situations it may potentially bite us.
-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-devel-list
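As an added illustration of the check this packaging rule makes possible (example code, not part of the thread): a POSIX shell script that lists the top-level directories under a cache root which no installed package claims, i.e. the candidates a daemon created at run-time instead of shipping in its package. It assumes an RPM-based system with `rpm -qf` as the ownership oracle; the `RPM_QF` override variable is a hypothetical hook so the logic can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the thread. Find directories directly under a cache
# root (e.g. /var/cache) that are not owned by any installed package. On an
# RPM-based system `rpm -qf PATH` exits non-zero when no package owns PATH.
# RPM_QF is a hypothetical override so a stub can stand in for rpm in tests.
: "${RPM_QF:=rpm -qf}"

# unowned_dirs ROOT
#   Print every top-level directory under ROOT that no package owns.
#   Returns 1 if at least one such directory was found, 0 otherwise,
#   so the function can gate a packaging or audit job.
unowned_dirs() {
    root=$1
    found=0
    for d in "$root"/*/; do
        d=${d%/}                      # strip the trailing slash from the glob
        [ -d "$d" ] || continue       # skip the literal pattern when no subdirs
        if ! $RPM_QF "$d" >/dev/null 2>&1; then
            printf '%s\n' "$d"        # unowned: likely created at run-time
            found=1
        fi
    done
    return $found
}

# Stand-alone use: ./check_cache_dirs.sh /var/cache
if [ $# -gt 0 ]; then
    unowned_dirs "$1"
fi
```

A directory reported here is exactly the case the thread argues against: it carries whatever label the daemon's context gave it at creation rather than the one the package and the file-context policy intended.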