
List:       apparmor-general
Subject:    Re: [Apparmor-general] usr.X11R6.bin.acroread causes error message
From:       John Johansen <jjohansen () suse ! de>
Date:       2007-01-18 4:44:49
Message-ID: 20070118044449.GE24094 () suse ! de

On Thu, Jan 18, 2007 at 12:50:09PM +1100, Crispin Cowan wrote:
> jesse michael wrote:
> > logprof currently gets this wrong because it thinks that a superset of the
> > required permissions is sufficient when it has to be exact-match instead.
> >
> > the exact-match requirement is a little unfortunate for the case where you
> > have rules like--
> >
> >   /home/*/.adobe/** rwl,
> >   /usr/X11R6/lib/Acrobat7/Reader/** r,
> >
> > because the permission for the files in the home directory has an additional
> > w bit, creating links that point at the system directory will cause REJECT
> > messages and the answer is to either (1) delete the "w" bit from the /home 
> > rule or (2) add a "w" bit to the /usr rule.  
> >
> > going with option 1 will cause problems when the app wants to update config
> > files in .adobe, but going with option 2 means that you're granting write 
> > access to the system directory.  ick.
> >   
> So how about option (3): relax the module requirement to be a superset
> of permissions instead of exact match? Can anyone remember why we
> require an exact match? I.e. is there a semantic reason, or is it just a
> bug?
> 
Because creating a hardlink creates a name alias and it's nice if all name
aliases have the exact same permission.  Of course there is nothing
wrong with having the link be a subset and it would make situations like
this much nicer.
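
Added example (not part of the original message and not AppArmor's code): a simplified Python model of the link check discussed in this thread, run against the two rules quoted above. The glob handling, the mode names, the helper functions and the sample paths are assumptions made for illustration; the l bit is dropped before the two names' permissions are compared.

```python
import re

# The two rules quoted in the thread; permissions are r/w/l letters.
PROFILE = [
    ("/home/*/.adobe/**", "rwl"),
    ("/usr/X11R6/lib/Acrobat7/Reader/**", "r"),
]
# Constructed sample paths: a new name in the home directory for a system file.
LINK = "/home/alice/.adobe/plugin.api"
TARGET = "/usr/X11R6/lib/Acrobat7/Reader/plugin.api"

def glob_to_regex(glob):
    """Simplified globbing: '**' crosses '/', '*' stays inside one component."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*"); i += 2
        elif glob[i] == "*":
            out.append("[^/]*"); i += 1
        else:
            out.append(re.escape(glob[i])); i += 1
    return re.compile("".join(out))

def perms(profile, path):
    """Union of the permissions of every rule whose glob matches the path."""
    granted = set()
    for glob, letters in profile:
        if glob_to_regex(glob).fullmatch(path):
            granted |= set(letters)
    return granted

def link_allowed(profile, link, target, mode):
    """Model of the link check; mode selects how the two names are compared."""
    lp = perms(profile, link)
    if "l" not in lp:
        return False                  # the new name has no link permission
    lp, tp = lp - {"l"}, perms(profile, target) - {"l"}
    if mode == "exact":               # both aliases carry identical permissions
        return lp == tp
    if mode == "link_superset":       # new name may carry extra bits
        return lp >= tp
    if mode == "link_subset":         # new name may carry fewer bits
        return lp <= tp
    raise ValueError(mode)

def gained_by_alias(profile, link, target):
    """Permissions reachable through the new name but not the existing one."""
    return (perms(profile, link) - {"l"}) - perms(profile, target)
```

With the quoted rules the exact mode rejects the link, and gained_by_alias reports the w bit that the new /home name would add to a file that is read-only under its /usr name.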
