From: Dominick Grift <dac.override@gmail.com>
To: selinux@tycho.nsa.gov
Subject: Re: [PATCH v2 0/3] Add support for extracting modules
Date: Fri, 7 Aug 2015 16:14:46 +0200
Message-ID: <20150807141445.GC1576@x250>
In-Reply-To: <55C4B482.5050208@quarksecurity.com>

On Fri, Aug 07, 2015 at 09:37:06AM -0400, Joshua Brindle wrote:
> 
> There is definitely an integrity violation with having such a privileged
> program read from user directories but I suppose that ship has sailed.
> 

Generic user content, to me, is meant to be the shareable and widely accessible user content (compared to private user content types), and if anything in home or /tmp is shareable/accessible it should be them.

When protecting the user content, things that shouldn't be shareable or be widely accessible should get a private user content type.

In my personal policy, I don't make a fuss about stuff managing generic user content (if they need it, of course). However, I do make it a point to give any sensitive user content a private type.


Thread overview: 11+ messages
2015-08-06 14:30 [PATCH v2 0/3] Add support for extracting modules Yuli Khodorkovskiy
2015-08-06 14:30 ` [PATCH v2 1/3] libsemanage: Add ability to extract modules Yuli Khodorkovskiy
2015-08-06 14:30 ` [PATCH v2 2/3] libsemanage: Fix null pointer dereference in semanage_module_key_destroy Yuli Khodorkovskiy
2015-08-06 14:30 ` [PATCH v2 3/3] policycoreutils/semodule: update semodule to allow extracting modules Yuli Khodorkovskiy
2015-08-06 15:04 ` [PATCH v2 0/3] Add support for " James Carter
2015-08-07  8:09 ` Sven Vermeulen
2015-08-07 13:28   ` Stephen Smalley
2015-08-07 13:37     ` Joshua Brindle
2015-08-07 14:14       ` Dominick Grift [this message]
2015-08-07 15:39       ` Christopher J. PeBenito
2015-08-07 13:47   ` James Carter