Re: dir permissions
On Fri, 12 Jul 2002 17:16, Daniel Burrows wrote:
> On Fri, Jul 12, 2002 at 04:47:43PM +0200, Russell Coker
<firstname.lastname@example.org> was heard to say:
> > On Fri, 12 Jul 2002 14:01, Andreas Metzler wrote:
> > > Michael Koch <email@example.com> wrote:
> > > [packaging a game]
> > >
> > > > to make this dir writeable by the game there are two possibilities:
> > > > 1) adding the gamer to the group "games" or
> > > > 2) making /usr/games/uclient set-group-id
> > > >
> > > > What is the preferred way ?
> > >
> > > 2.
> > > See Policy 12.11.
> > > cu andreas
> > For SE Linux I am thinking of making all programs in /usr/games trigger a
> > domain transition to a domain that can't write to regular files in a
> > user's home directory (only to user_home_games_t not user_home_t), can't
> > kill, ptrace, or otherwise molest regular user processes, but can write
> > to /var/games etc.
> A lot of games need to write to the user's home directory (eg, to
> store configuration options, saved games, etc) -- aside from that, it
> might be useful.
I plan to solve that by having the following rule:
file_type_auto_trans(user_games_t, user_home_dir_t, user_home_games_t)
So when the user_games_t domain (entered by executing a games_exec_t program
from the user_t domain) creates a file under the user_home_dir_t directory
(the user's home dir) then a new file or directory can be created with type
user_home_games_t (and user_games_t gets full access to that type).
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
To UNSUBSCRIBE, email to firstname.lastname@example.org
with a subject of "unsubscribe". Trouble? Contact email@example.com