List: apparmor-general
Subject: Re: [Apparmor-general] usr.X11R6.bin.acroread causes error message
From: John Johansen <jjohansen () suse ! de>
Date: 2007-01-18 4:44:49
Message-ID: 20070118044449.GE24094 () suse ! de
On Thu, Jan 18, 2007 at 12:50:09PM +1100, Crispin Cowan wrote:
> jesse michael wrote:
> > logprof currently gets this wrong because it thinks that a superset of the
> > required permissions is sufficient when it has to be exact-match instead.
> >
> > the exact-match requirement is a little unfortunate for the case where you
> > have rules like--
> >
> > /home/*/.adobe/** rwl,
> > /usr/X11R6/lib/Acrobat7/Reader/** r,
> >
> > because the permission for the files in the home directory has an additional
> > w bit, creating links that point at the system directory will cause REJECT
> > messages and the answer is to either (1) delete the "w" bit from the /home
> > rule or (2) add a "w" bit to the /usr rule.
> >
> > going with option 1 will cause problems when the app wants to update config
> > files in .adobe, but going with option 2 means that you're granting write
> > access to the system directory. ick.
> >
> So how about option (3): relax the module requirement to be a superset
> of permissions instead of exact match? Can anyone remember why we
> require an exact match? I.e. is there a semantic reason, or is it just a
> bug?
>
Because creating a hardlink creates a name alias and it's nice if all name
aliases have the exact same permission. Of course there is nothing
wrong with having the link be a subset and it would make situations like
this much nicer.
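
The link check discussed in this thread, as an added example that is not part of the original messages and not AppArmor's own code: a simplified Python model that evaluates the two quoted rules for a hard link under exact-match, subset and superset comparison. The sample paths, the function names and the readings of "subset" and "superset" are assumptions made for illustration.

```python
import re

# Rules quoted in the thread: (path glob, permission letters).
PROFILE = [("/home/*/.adobe/**", "rwl"),
           ("/usr/X11R6/lib/Acrobat7/Reader/**", "r")]

# Constructed sample paths (not from the thread).
LINK = "/home/alice/.adobe/Acrobat/7.0/plugin.api"
TARGET = "/usr/X11R6/lib/Acrobat7/Reader/plug_ins/plugin.api"

def glob_to_regex(glob):
    """Simplified AppArmor globbing: '*' stops at '/', '**' crosses it."""
    parts = []
    for piece in re.split(r"(\*\*|\*)", glob):
        if piece == "**":
            parts.append(".*")
        elif piece == "*":
            parts.append("[^/]*")
        else:
            parts.append(re.escape(piece))
    return re.compile("".join(parts) + r"\Z")

def perms_for(path, profile=PROFILE):
    """Union of the permission letters of every rule that matches path."""
    perms = set()
    for glob, letters in profile:
        if glob_to_regex(glob).match(path):
            perms |= set(letters)
    return perms

def link_allowed(link, target, mode, profile=PROFILE):
    """Model of the hard-link check; 'l' is needed on the link name only."""
    link_perms = perms_for(link, profile)
    if "l" not in link_perms:
        return False
    name, dest = link_perms - {"l"}, perms_for(target, profile) - {"l"}
    if mode == "exact":       # behaviour the thread describes
        return name == dest
    if mode == "subset":      # assumed reading: link name grants no more than target
        return name <= dest
    if mode == "superset":    # assumed reading of option (3)
        return name >= dest
    raise ValueError(mode)

if __name__ == "__main__":
    for mode in ("exact", "subset", "superset"):
        print(mode, "ALLOW" if link_allowed(LINK, TARGET, mode) else "REJECT")
```

In this model the superset comparison accepts the link, which leaves the new name carrying w for a file the profile otherwise exposes as read-only; the subset comparison accepts only a link name that grants no more than its target.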