-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Stewart Stremler wrote: > Why should applications be aware of SE Linux? I don't like the idea of > applications changing behavior to adapt to my security policies... they > should complain with useful error messages when denied access to a resource, > and degrade gracefully.
Well, they really shouldn't. But they should complain with a useful error message and degrade gracefully as you point out. The problem is that they currently do not do this due to SE Linux blocking things in ways that the application does not expect or check for. I think the problem may actually be libc. If you call open() on a file and a unix permission causes a denial you get ERRNO set to EPERM and you can check for that. But if SE Linux denies the operation ERRNO does not get set and the application goes happily on its way behaving erratically. > (Even uid-0 checks are troublesome. If I don't wanna run a program as > root, why should the program force me to? Especially if I've arranged > things so that it has read/write permission in all the places it needs?) I suspect they are coding with the best of intentions although it inconveniences you as you are a special case. Most people will accidentally start the program as a normal user and then wonder why it doesn't work so they code in a uid 0 check. > Yeah, getting feedback is annoying. > > Hm... perhaps pop up an xconsole-like window if the DISPLAY is set to > report on the SELinux-related error messages when a program is run.... Not a bad idea although what would pop up the xconsole-like window? Something somewhere has to be notified. I guess you could have a daemon tailing the log or watching dmesg or something. > Perhaps better inspection tools as well? > > GUI _and_ CLI? Yes, better tools are definitely needed and they are being worked on. > -Stewart "Visualizing a filesystem as a graph of RBAC nodes" Stremler Now that would be interesting. - -- Tracy R Reed http://ultraviolet.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFC5ozY9PIYKZYVAq0RAgs+AJ90IIBeNXAh2shPpcttgb8wg3C0eQCeIGSn VdNGLAYhjmdAUWJU5w6VC7g= =Kv/n -----END PGP SIGNATURE----- -- [email protected] http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
