On Fri, 12 Jul 2002 17:16, Daniel Burrows wrote: > On Fri, Jul 12, 2002 at 04:47:43PM +0200, Russell Coker <[EMAIL PROTECTED]> was heard to say: > > On Fri, 12 Jul 2002 14:01, Andreas Metzler wrote: > > > Michael Koch <[EMAIL PROTECTED]> wrote: > > > [packaging a game] > > > > > > > to make this dir writeable by the game there are two possibilities: > > > > 1) adding the gamer to the group "games" or > > > > 2) making /usr/games/uclient set-group-id > > > > > > > > What is the preferred way ? > > > > > > 2. > > > See Policy 12.11. > > > cu andreas > > > > For SE Linux I am thinking of making all programs in /usr/games trigger a > > domain transition to a domain that can't write to regular files in a > > user's home directory (only to user_home_games_t not user_home_t), can't > > kill, ptrace, or otherwise molest regular user processes, but can write > > to /var/games etc. > > A lot of games need to write to the user's home directory (eg, to > store configuration options, saved games, etc) -- aside from that, it > might be useful.
I plan to solve that by having the following rule: file_type_auto_trans(user_games_t, user_home_dir_t, user_home_games_t) So when the user_games_t domain (entered by executing a games_exec_t program from the user_t domain) creates a file under the user_home_dir_t directory (the user's home dir) then a new file or directory can be created with type user_home_games_t (and user_games_t gets full access to that type). -- I do not get viruses because I do not use MS software. If you use Outlook then please do not put my email address in your address-book so that WHEN you get a virus it won't use my address in the >From field. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
