On Thu, Jul 16, 2015, at 12:47 AM, Eric W. Biederman wrote: > With that said desktop environments have for a long time been > automatically mounting whichever filesystem you place in your computer, > so in practice what this is really about is trying to align the kernel > with how people use filesystems. There is a large attack surface difference between mounting a device that someone physically plugged into the computer (and note typically it's required that the active console be unlocked as well[1]) versus allowing any "unprivileged" process at any time to do it. Many server setups use "unprivileged" uids that otherwise wouldn't be able to exploit bugs in filesystem code. [1] https://bugzilla.gnome.org/show_bug.cgi?id=653520 "AutomountManager also keeps track of the current session availability (using the ConsoleKit and gnome-screensaver DBus interfaces) and inhibits mounting if the current session is locked, or another session is in use instead." _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
