On 9/12/05, Russell Coker <russell@xxxxxxxxxxxx> wrote:
> Thread taken from fedora-selinux-list to fedora-devel-list for a wider
> audience. The general concept is that a daemon should never create a
> directory under /var/cache (or similar non-specific places on the file
> system) at run-time. If /var/cache/$DAEMON is needed then the package of
> $DAEMON should provide that directory. This prevents the possible problem of
> name conflicts and allows more restrictive SE Linux access control
> (preventing a compromised daemon from performing a trivial DOS attack on
> other daemons).
>
> On Tuesday 13 September 2005 01:30, Tom London <selinux@xxxxxxxxx> wrote:
> > OK, so the rubric here is that daemon-like services need to have their
> > 'major' directory entries in places like /var created and labeled by their
> > package, not created upon startup. This sounds quite reasonable.
>
> Yes, that's my idea.
>
> > So, the normal 'name space' conflicts will likely be detected during
> > package install.
>
> One of several benefits of it.
>
> > Do we need to be concerned with possible 'widening' conflicts on such
> > directories (e.g., two packages wanting to 'own' the same directory, one
> > with a 'wider' label)?
>
> What do you mean "wider"? Do you mean less restrictive permissions? If so
> then it certainly would be a problem if two packages desired different
> permissions for a single file system object, whether one is a superset of the
> other or whether they are disjoint. It is something that we need to be
> concerned about, but it will hopefully be rare and we can just fix it when it
> occurs.
>
> Detecting and solving such problems is an advantage of my suggestion. When we
> have such directories in packages we can easily check for such conflicts. At
> the moment I suspect that such daemon behavior is not uncommon and don't know
> in what situations it may potentially bite us.

What I'm concerned about are situations (like, e.g., /usr/lib/mozilla) where
two packages (e.g., mozplugger and firefox, on my machine) seem to 'provide'
the same directory (at least as reported by 'rpm -qif /usr/lib/mozilla').
In such a case, if 'the first to install' package created the directory with
a less restrictive context (or some such), would we have a chance for a
problem? Do we need some way to coordinate/check this?

tom
--
Tom London

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-devel-list
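As an added example (not code from the thread or from Fedora), a small Python checker that automates what Tom is doing by hand with 'rpm -qif': it reads 'rpm -ql --dump'-style records for several packages (the records below are constructed, and mozplugger's wider mode on /usr/lib/mozilla is an assumption made to show the case) and reports directories claimed by more than one package whose mode, owner or group disagree.

```python
"""Flag directories that more than one package claims with a disagreeing
mode, owner or group, from `rpm -ql --dump`-style records (assumed layout:
path size mtime digest mode owner group isconfig isdoc rdev symlink)."""
from collections import defaultdict

# Constructed sample dumps for two packages: both ship /usr/lib/mozilla and
# /usr/lib/mozilla/plugins; mozplugger is given a wider (group-writable) mode
# on the top directory purely to illustrate the conflict (an assumption).
SAMPLE_DUMPS = {
    "firefox": """\
/usr/lib/mozilla 4096 1126000000 00000000000000000000000000000000 040755 root root 0 0 0 X
/usr/lib/mozilla/plugins 4096 1126000000 00000000000000000000000000000000 040755 root root 0 0 0 X
/var/cache/firefox 4096 1126000000 00000000000000000000000000000000 040755 root root 0 0 0 X""",
    "mozplugger": """\
/usr/lib/mozilla 4096 1126000001 00000000000000000000000000000000 040775 root root 0 0 0 X
/usr/lib/mozilla/plugins 4096 1126000001 00000000000000000000000000000000 040755 root root 0 0 0 X""",
}

def parse_dump(text):
    """Return {path: (mode, owner, group)} for one package's dump output."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue  # malformed record: skip rather than guess
        entries[parts[0]] = (int(parts[4], 8), parts[5], parts[6])
    return entries

def shared_paths(dumps):
    """Map each path owned by two or more packages to {pkg: (mode, owner, group)}."""
    owners = defaultdict(dict)
    for pkg, text in dumps.items():
        for path, attrs in parse_dump(text).items():
            owners[path][pkg] = attrs
    return {p: o for p, o in owners.items() if len(o) > 1}

def find_conflicts(dumps):
    """Keep only shared paths whose claimants disagree on mode, owner or group."""
    return {p: o for p, o in shared_paths(dumps).items() if len(set(o.values())) > 1}

def report(dumps):
    """One human-readable line per conflicting path and claimant."""
    lines = []
    for path, owners in sorted(find_conflicts(dumps).items()):
        for pkg, (mode, owner, group) in sorted(owners.items()):
            lines.append(f"{path}: {pkg} wants {mode:o} {owner}:{group}")
    return lines
```

rpm's dump format carries no SELinux context (labels are applied from the policy's file_contexts at install time), so this covers only the DAC side of the conflict Tom describes.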