Re: Security contexts for the contexts directory?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2004-05-27 at 07:54, Daniel J Walsh wrote:
> With the new design of the policy tree, we have moved the "contexts" 
> files into
> /etc/selinux/*/contexts/
> 
> These files include default_contexts, file_contexts, default_type, 
> failsafe_contexts ...
> as well as contexts for individual users like users/root.  Currently the 
> security contexts for these files is etc_t.   Should we change them so 
> something else? default_contexts_t?  Should file_contexts be marked 
> differently then the others?

I'd suggest a single type (other than etc_t) for default_contexts,
default_type, failsafe_context, and the other files installed from
policy/appconfig.  file_contexts should likely have a different type to
allow different access, so perhaps it should have its own directory and
type.  With the old layout and policy, it ends up in policy_config_t,
but I think we want to distinguish it from the binary policy file as
well as from the appconfig files.

> Also since policy is determined by /etc/sysconfig/selinux, should we set 
> a special security context on it?  If we do should we move it to a 
> directory where it would be easier to maintain the security context?  
> Maybe rename it to /etc/selinux/config?

I would prefer having a distinct type on it (and moving it to a
directory with that type so that we can easily preserve the type), as
the integrity of that file is critical to SELinux, at least in the
Fedora Core implementation.

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency


[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux