[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: dir permissions

On Fri, 12 Jul 2002 18:28, Joseph Carter wrote:
> On Fri, Jul 12, 2002 at 05:26:56PM +0200, Russell Coker wrote:
> > >   A lot of games need to write to the user's home directory (eg, to
> > > store configuration options, saved games, etc) -- aside from that, it
> > > might be useful.
> >
> > I plan to solve that by having the following rule:
> > file_type_auto_trans(user_games_t, user_home_dir_t, user_home_games_t)
> >
> > So when the user_games_t domain (entered by executing a games_exec_t
> > program from the user_t domain) creates a file under the user_home_dir_t
> > directory (the user's home dir) then a new file or directory can be
> > created with type user_home_games_t (and user_games_t gets full access to
> > that type).
> If I have to recompile all of my games which use ~/.foorc or ~/.foo/bar
> and move everything around, I will be somewhat annoyed.  It might be a
> good thng to do anyway (I have some 200+ dotfiles/dotdirs in ~) but I will
> still be annoyed.  =)

If all goes well you don't need to change anything.

However, if you have the games already installed and they have already 
created ~/.game files then those files would have to be labelled 
appropriately when SE Linux is installed (which would be a bit of a pain).  
Labelling the files is equivalent to chown, so imagine that you had to chown 
the game config files in your home directory without changing the rest.  It's 
annoying, it'll take 10 minutes, but it will provide serious security 

I'll make it an option to skip this for people who don't want it, people who 
use my SE Linux packages can make their own decisions about where to do the 
security vs usability trade-off.

Like many things about SE Linux this may sound difficult, but once you know 
how it works and try it out it'll seem easy enough.

I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
>From field.

To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: