On Tue, 2005-01-04 at 11:25, Mike Hearn wrote:
> OK, so what would Colin's proposed daemon actually do then? Is kernel-level
> context propagation enough and if so why does install have to be modified?
>
> I'm a little confused now and feel I'm missing some key bit of
> understanding ...

I'm not in favor of the daemon idea. "install" is akin to "rpm" in the sense of installing a file, so it may make sense to initialize its security context based on pathname at that time, because we have no real runtime knowledge of its security properties and have presumably checked its integrity in some manner prior to installation.

But for normal day-to-day file copying, the kernel (or some daemon) has no way of knowing whether:

a) the context of the original should be preserved (e.g. making a backup copy of /etc/shadow),

b) the context of the target location should be used (e.g. copying a file from /home to /var/www to export it via apache),

c) the context should factor in information about the copying process, reflecting its own confidentiality or integrity properties.

Hence, any "automagic" technique based on pathname is not suitable.

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency