
Re: dir permissions



On Fri, 12 Jul 2002 18:28, Joseph Carter wrote:
> On Fri, Jul 12, 2002 at 05:26:56PM +0200, Russell Coker wrote:
> > >   A lot of games need to write to the user's home directory (eg, to
> > > store configuration options, saved games, etc) -- aside from that, it
> > > might be useful.
> >
> > I plan to solve that by having the following rule:
> > file_type_auto_trans(user_games_t, user_home_dir_t, user_home_games_t)
> >
> > So when the user_games_t domain (entered by executing a games_exec_t
> > program from the user_t domain) creates a file under the user_home_dir_t
> > directory (the user's home dir) then a new file or directory can be
> > created with type user_home_games_t (and user_games_t gets full access to
> > that type).
>
> If I have to recompile all of my games which use ~/.foorc or ~/.foo/bar
> and move everything around, I will be somewhat annoyed.  It might be a
> good thing to do anyway (I have some 200+ dotfiles/dotdirs in ~) but I will
> still be annoyed.  =)

If all goes well you don't need to change anything.

However, if you have the games already installed and they have already 
created ~/.game files then those files would have to be labelled 
appropriately when SE Linux is installed (which would be a bit of a pain).  
Labelling the files is equivalent to chown, so imagine that you had to chown 
the game config files in your home directory without changing the rest.  It's 
annoying, it'll take 10 minutes, but it will provide serious security 
benefits.

I'll make it an option to skip this for people who don't want it, people who 
use my SE Linux packages can make their own decisions about where to do the 
security vs usability trade-off.

Like many things about SE Linux this may sound difficult, but once you know 
how it works and try it out it'll seem easy enough.

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
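
The relabelling step described in this message, as an added example that is not part of the original post or of the SE Linux packages it mentions: a dry-run shell function that prints the `chcon` commands for a user-supplied list of game dotfiles, using the `user_home_games_t` type named in the thread. The function name `plan_relabel` and the dotfile names passed to it are assumptions; which dotfiles belong to games has to be decided by the user.

```shell
#!/bin/sh
# Added example: plan the relabelling of existing game dotfiles without
# touching anything else in the home directory. Nothing is executed; the
# function only prints the chcon commands for review.
# GAMES_TYPE is the type named in the thread.
GAMES_TYPE="user_home_games_t"

# plan_relabel HOME_DIR NAME...   (hypothetical helper)
# HOME_DIR is assumed to contain no single-quote character.
plan_relabel() {
    home=$1
    shift
    for name in "$@"; do
        case $name in
            ""|.|..|*[!A-Za-z0-9._-]*)
                # Reject path separators and shell metacharacters so a name
                # cannot escape the home directory or alter the command.
                echo "skip (unsafe name): $name" >&2
                continue ;;
        esac
        target=$home/$name
        if [ -L "$target" ]; then
            # A symlink may point outside the home directory; leave it alone.
            echo "skip (symlink): $target" >&2
        elif [ -e "$target" ]; then
            # -R covers ~/.foo/bar style directories, -h never dereferences.
            printf "chcon -R -h -t %s -- '%s'\n" "$GAMES_TYPE" "$target"
        else
            echo "skip (missing): $target" >&2
        fi
    done
}
```

Called as `plan_relabel "$HOME" .foorc .foo`, it prints one command per existing entry, which can be reviewed and then run by hand.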

