Re: [RFC] [PATCH] Replace security fields with hashtable

From: Valdis.Kletnieks@private
Date: Wed Oct 27 2004 - 11:12:43 PDT


On Wed, 27 Oct 2004 13:50:23 EDT, Stephen Smalley said:

> That is actually a common aspect of SELinux policies:  don't let trusted
> domains follow untrustworthy symlinks, just based on security types
> rather than uids.

The point is that in this case, *no* domains are trusted - we don't want
end users compiling their Fortran programs to have stuff hijacked out from
under them when they build in /tmp.  Similarly, we care about *other* directories
as well - /tmp and /var/tmp are just *two* places things live; there are other
world-writable directories as well.

As another example - how would you implement "don't remove other users' files
in a +t directory" in SELinux?  Note that nobody seems to think that *that*
semantic isn't sane and desirable - but it's equally hard to state in SELinux,
for the same reasons.
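An added example, not part of Valdis's message and not SELinux or kernel code: a small C model of the two rules the message asks for (the sticky-bit delete rule and a "don't follow an untrusted symlink in a shared directory" rule), next to the mitigation an unprivileged program can apply on its own when it writes to /tmp. The function names, the uids and modes in the self-check, and the scratch-demo-XXXXXX fixture directory are constructed for this example; the symlink rule modelled here is the one Linux later shipped as the fs.protected_symlinks sysctl.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Sticky-bit delete rule (classic Unix/POSIX): in a directory with S_ISVTX,
 * only the entry's owner, the directory's owner, or root may unlink/rename
 * the entry. Without S_ISVTX, directory write permission (checked by the
 * caller) is enough. */
bool sticky_may_delete(uid_t caller, mode_t dir_mode, uid_t dir_uid, uid_t file_uid)
{
    if (caller == 0 || !(dir_mode & S_ISVTX))
        return true;
    return caller == file_uid || caller == dir_uid;
}

/* Symlink-follow rule for shared directories: a symlink sitting in a
 * world-writable sticky directory is followed only if the follower owns
 * the link or the directory owner owns the link. Modelled in userspace here;
 * Linux later adopted this rule as fs.protected_symlinks. */
bool may_follow_symlink(uid_t follower, mode_t dir_mode, uid_t dir_uid, uid_t link_uid)
{
    if (!((dir_mode & S_IWOTH) && (dir_mode & S_ISVTX)))
        return true;
    return follower == link_uid || dir_uid == link_uid;
}

/* What a program can do without kernel help: create its scratch file with
 * O_CREAT|O_EXCL|O_NOFOLLOW so a pre-planted symlink or file makes the open
 * fail instead of being clobbered, then verify through the fd (same inode,
 * so no check-then-use race). Returns the fd, or -1 with errno set. */
int open_scratch_file(const char *dirpath, const char *name)
{
    int dfd = open(dirpath, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0)
        return -1;
    int fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    int saved = errno;
    close(dfd);
    if (fd < 0) {
        errno = saved;
        return -1;
    }
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)
        || st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Self-check on a constructed fixture: a private directory where an
 * "attacker" planted victim -> target ahead of time. open_scratch_file()
 * must refuse "victim" with EEXIST and accept a fresh name.
 * Returns 1 on the expected outcome, 0 otherwise. */
int scratch_demo(void)
{
    char dir[64] = "/tmp/scratch-demo-XXXXXX";   /* constructed fixture path */
    char victim[128], target[128], mine[128];
    int ok = 0, fd;

    if (!mkdtemp(dir)) {
        strcpy(dir, "./scratch-demo-XXXXXX");    /* fallback if /tmp is unusable */
        if (!mkdtemp(dir))
            return 0;
    }
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(mine, sizeof mine, "%s/mine", dir);

    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        goto out;
    close(fd);
    if (symlink(target, victim) != 0)
        goto out;

    fd = open_scratch_file(dir, "victim");   /* planted: must fail */
    if (fd >= 0 || errno != EEXIST) {
        if (fd >= 0) close(fd);
        goto out;
    }
    fd = open_scratch_file(dir, "mine");     /* fresh name: must succeed */
    if (fd < 0)
        goto out;
    close(fd);
    ok = 1;
out:
    unlink(victim); unlink(target); unlink(mine); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("uid 1000 removing 1001's file in /tmp: %s\n",
           sticky_may_delete(1000, 01777, 0, 1001) ? "allowed" : "denied");
    printf("uid 1000 following 1001's symlink in /tmp: %s\n",
           may_follow_symlink(1000, 01777, 0, 1001) ? "allowed" : "denied");
    printf("scratch file demo: %s\n", scratch_demo() ? "ok" : "FAILED");
    return 0;
}
```

The two policy functions take the same inputs the kernel has at the point of decision (caller uid, directory mode and owner, entry owner), which is what makes them expressible purely in terms of uids and the sticky bit, with no SELinux type labels involved. The open_scratch_file() path is the other side of the argument: until the kernel refuses untrusted symlinks for everyone, each program that writes into a world-writable directory has to defend itself with O_EXCL and O_NOFOLLOW and then trust only the fd it got back, never the name.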





This archive was generated by hypermail 2.1.3 : Wed Oct 27 2004 - 11:13:15 PDT