> -----Original Message-----
> From: Patrick Ohly [mailto:[email protected]]
> Sent: Tuesday, April 15, 2014 11:36 PM
> To: Schaufler, Casey
> Cc: Le Foll, Dominique; Lukasz Wojciechowski; Carsten Haitzler (The
> Rasterman); [email protected]
> Subject: Re: [Dev] Cynara + multi-user + HOME
>
> On Tue, 2014-04-15 at 18:03 +0000, Schaufler, Casey wrote:
> > > EDS gets started via D-Bus auto-activation. The data is following
> > > XDG standards and thus ends up in $HOME. It runs with "User" label.
> > >
> > > Will that service have to be modified?
> >
> > Is it managing "privileged" resources? If it is, it will have to start
> > using Cynara to determine if requests for "privileged"
> > resources should be served.
>
> It stores contact data, so yes, it has to implement the checks. I was
> wondering whether further changes will be necessary, like using other data
> locations or running it differently. The answer to that seems to be no.
>
> > > It looks to me like there is work going on about separating apps from
> > > the three domains. Not knowing about that work is what caused this
> > > confusion here for the rest of us (including me) who were not
> > > involved in that effort. May I suggest that the Wiki page gets
> > > extended to cover also these additional, per-app labels, and that
> > > more communication regarding that effort happens here on the mailing
> > > list?
> >
> > Yes. There is still design being done with the crosswalk installation
> > and application launch components that will influence what this will
> > really look like. I would hate to document details that turn out to be
> > incorrect.
>
> Then perhaps start by removing or striking out the parts of the current
> documentation which are known already to be incorrect. For example, this
> section here about Tizen 3 seems wrong to me. Instead the section about
> Tizen 2 seems to apply again:
>
> Differences Between Tizen 2 and Tizen 3
>
> In Tizen 2 security domains are assigned based on installation
> packages. All files and directories created by the package are
> put into a domain specified in the package manifest file. All
> programs in the package are installed to execute in that domain
> using the SMACK64EXEC file attribute.
>
> In Tizen 3 security domains are explicitly defined in advance by
> a crack team of security experts. Domains are defined in terms
> of the function they perform. Rather than assuming that a
> package defines a domain, specific domains are initiated by
> systemd as it launches services. The role of packaging is
> significantly reduced. System files are stored where they can be
> used by any domain and only domain specific data needs to be
> identified.

I can see where some clarification is in order. The discussion above is about RPM installation of system packages, not user installation of downloaded applications.

> --
> Best Regards, Patrick Ohly
>
> The content of this message is my personal opinion only and although I am an
> employee of Intel, the statements I make here in no way represent Intel's
> position on the issue, nor am I authorized to speak on behalf of Intel on this
> matter.

_______________________________________________
Dev mailing list
[email protected]
https://lists.tizen.org/listinfo/dev
