Bruno Wolff III wrote:
> On Fri, Feb 24, 2006 at 05:23:05 -0500,
> "Mike A. Harris" <mharris@xxxxxxxxxx> wrote:
>> Davide Bolcioni wrote:
>>> Mike A. Harris wrote:
>>>> Both ATI and Nvidia's proprietary video driver installation utilities
>>>> replace the Red Hat supplied libGL library with their own libGL.
>>>
>>> Could SELinux be used to prevent this and, more generally, disallow
>>> replacement of rpm-controlled files even by the root user?
>
> Yes, it should be possible to do this. However, you need some way to distinguish
> updates of those libraries when done normally as opposed to being done by
> ATI or Nvidia code. What you would probably like to do is only let rpm
> change those files. However, if ATI and Nvidia are supplying rpms, SELinux
> isn't going to be able to tell the difference.
>
> You could also go by what role the person who runs rpm had. Then it would be
> up to you to change your role based on whose rpms you were installing.
>
> Another issue is that files only have one tag for SELinux and if you use
> a tag that indicates just that it was installed by rpm, that isn't going to
> play nice with other SELinux policies. You might be able to get away with
> restricting how files with a number of different types are updated. You
> may cover some files you don't want doing this, but I think you could get
> close.
>
> Another approach would be to have rpm not allow rpms to stomp on files
> from other rpms if they weren't signed by the same key (perhaps --force
> would override that).

Except:

1) It would be an ugly hack, and would not actually stop people from
   doing what they really want to anyway.
2) Would make people get upset at SELinux and probably disable it if
   they don't already.
3) Would probably result in FAQs and other "advice" to fix the
   problem recommending disabling SELinux.
4) Would require significant additional work to implement and test.
5) Even if it was implemented, many people already do not use
   SELinux, and would thus not be affected by the changes anyway.
6) Would not really bring any real world gain in the end.

I can't really envision anyone coming up with any viable rationale
to really consider this as an option.

Everyone is given an OS to install and use, and with that freedom
comes responsibility. You're given the rope to hang yourself with
in thousands of places in Linux and Linux-like OSs. It is entirely
the responsibility of the system administrator, or user responsible
for the computer system to ensure that they are installing software
wisely.

However, it is always possible to hang one's self with the rope one
is given. Trying to make the OS prevent all possible manners in
which a user can hang themselves is simply not possible, fruitless
to waste time on, and generally speaking, is more likely to cause
more problems than it solves.

idea.veto = 1;

--
Mike A. Harris * Open Source Advocate * http://mharris.ca
Proud Canadian.