Helge Hafting <[email protected]> wrote:
> [email protected] wrote:
> >The part that you managed to miss is that this is MAC - *Mandatory*
> >Access Control. This means that the *sysadmin* gets to say "this user
> >can't look at that file" - and there's nothing(*) either the owner of the
> >file or the user can do about it. There's no chmod or chattr or chacl
> >command that the owner can issue to let somebody else read it - that's
> >the whole *point* of MAC.
> >
> >(*) Well.. almost nothing. The owner *may* be able to copy the contents
> >of the file to another file that the other user is allowed to read. On the
> >other hand, the ability to do this would generally indicate a buggy policy....
> Seems to me there is no use taking away the owner's ability to chmod,
> precisely because the owner always can get around that. (Unless
> the owner doesn't even have the right to read his own file.)
No. The point is that a (correct, complete) policy will prevent the user
from copying the contents to a file with less protection, by any means. No,
I did emphatically /not/ try to imply this is easy to set up (or use).
[...]
> Company policy may of course forbid the user to bring a camera, just as it
> might forbid the user to do "chmod o+r" on important files. I am not
> sure that we need the OS to try to enforce such things.
If you don't trust your (typically fat-fingered) users and sysadmins...
Besides, the point behind the targeted policy in Red Hat/Fedora is to
forbid certain daemons to do nasty stuff. It is an additional protection
against misconfiguration or processes taken over by crackers.
--
Dr. Horst H. von Brand User #22616 counter.li.org
Departamento de Informatica Fono: +56 32 654431
Universidad Tecnica Federico Santa Maria +56 32 654239
Casilla 110-V, Valparaiso, Chile Fax: +56 32 797513
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
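The exchange above turns on two points: an owner's chmod cannot override a mandatory label, and a correct policy also stops the owner from copying protected contents into a less-protected file. The following toy model, added here as an illustration and not code from the thread or from SELinux, makes both visible. It uses a simplified Bell-LaPadula-style lattice ("no read up", "no write down") rather than SELinux type enforcement; the users, labels and files are constructed for the example.

```python
"""
Toy model contrasting discretionary (DAC) and mandatory (MAC) access control.

Constructed illustration: the levels, users and files below are made up.
MAC decisions come from administrator-set labels on a fixed lattice;
DAC decisions come from owner-controlled mode bits.  An access is
permitted only when BOTH mechanisms allow it.
"""
from dataclasses import dataclass

# Sensitivity lattice set by the administrator (assumed for the example).
LEVELS = {"public": 0, "internal": 1, "secret": 2}


@dataclass
class File:
    owner: str
    label: str                 # MAC label: fixed by policy, owner cannot change it
    other_read: bool = False   # DAC bits: the owner may toggle these
    other_write: bool = False
    content: str = ""


@dataclass
class User:
    name: str
    clearance: str             # MAC clearance, assigned by the administrator


def dac_allows(user: User, f: File, op: str) -> bool:
    """Classic owner/other mode-bit check; the owner can always access own files."""
    if user.name == f.owner:
        return True
    return f.other_read if op == "read" else f.other_write


def mac_allows(user: User, f: File, op: str, no_write_down: bool = True) -> bool:
    """Lattice check.  'no_write_down=False' models the buggy policy the
    footnote in the thread mentions, where a user may copy data downward."""
    u, o = LEVELS[user.clearance], LEVELS[f.label]
    if op == "read":
        return u >= o                      # no read up
    return u <= o if no_write_down else True   # no write down (when enforced)


def access(user: User, f: File, op: str, no_write_down: bool = True) -> bool:
    return dac_allows(user, f, op) and mac_allows(user, f, op, no_write_down)


def chmod_other(user: User, f: File, read=None, write=None) -> None:
    """Owner flips DAC bits.  There is deliberately no way to alter f.label."""
    if user.name != f.owner:
        raise PermissionError("only the owner may chmod")
    if read is not None:
        f.other_read = read
    if write is not None:
        f.other_write = write


def copy(user: User, src: File, dst: File, no_write_down: bool = True) -> bool:
    """Copy needs read on src and write on dst under both DAC and MAC."""
    if not (access(user, src, "read", no_write_down)
            and access(user, dst, "write", no_write_down)):
        return False
    dst.content = src.content
    return True


def demo() -> dict:
    alice = User("alice", "secret")
    bob = User("bob", "public")
    secret = File(owner="alice", label="secret", content="payroll")
    public = File(owner="alice", label="public")

    r = {}
    r["bob_before_chmod"] = access(bob, secret, "read")
    chmod_other(alice, secret, read=True)          # owner does "chmod o+r"
    r["bob_after_chmod"] = access(bob, secret, "read")   # still denied: MAC wins
    r["copy_down_strict"] = copy(alice, secret, public)   # blocked: no write down
    r["leaked_strict"] = public.content
    r["copy_down_buggy"] = copy(alice, secret, public, no_write_down=False)
    r["leaked_buggy"] = public.content
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

With the write-down rule enforced, neither the chmod nor the copy lets "payroll" reach the public file; with the rule switched off, the copy succeeds, which is exactly the sort of policy gap the footnote describes.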