On Mon, 2007-08-27 at 21:55 +0100, Alan Cox wrote:
> > It is funny that I read this question when I was going to look at
> > AppArmor myself.
> >
> > I read an article about AppArmor finding that Skype on Linux reads
> > /etc/passwd and firefox settings today. Did Selinux stop this from
> > happening as well?
> >
> > http://forum.skype.com/index.php?showtopic=95261
> >
> > I like SELINUX and will continue using it.
>
> The passwd file isn't considered secret in any way. It's public readable
> data. The /etc/shadow file holds passwords and is root only.
>
> You can certainly set skype up not to be allowed anywhere near your
> firefox settings (my guess is it's looking for an address book to import
> or plugin data nothing too sinister).
>
> The problem with stuff like apparmor is you can say things like
> "/etc/passwd" is not accessible to program XYZ. But program XYZ can then
> do things to access it via another path (eg by renaming a copy of itself
> ".eric" and adding that to your .profile). SELinux puts labels on actual
> objects, not on paths so renaming itself .eric doesn't help, nor does
> finding another path to /etc/passwd (eg by running a program to create a
> link).

Eric? Like my pet fish, Eric? Or my pet parrot, Eric?

"I'd like a fish license, please." (with apologies to John Cleese)

----------------------------------------------------------------------
- Rick Stevens, Principal Engineer             rstevens@xxxxxxxxxxxx -
- CDN Systems, Internap, Inc.                http://www.internap.com -
-                                                                    -
-    If Windows isn't a virus, then it sure as hell is a carrier!    -
----------------------------------------------------------------------
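Added example (not part of the original message, and not code from AppArmor or SELinux): a toy model of the path-versus-object distinction drawn in the quoted text, showing why a rule keyed on a file's name and a rule keyed on the file itself give different answers once a second name exists. The `(device, inode)` pair is used here as an assumed stand-in for an object label, and the file names and the functions `path_policy_allows` and `label_policy_allows` are hypothetical.

```python
import os
import tempfile


def path_policy_allows(path, denied_paths):
    """Name-keyed rule: deny only if the name being opened is on the list."""
    return os.path.abspath(path) not in denied_paths


def object_id(path):
    """Identity of the object behind a name: (device, inode), symlinks followed."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


def label_policy_allows(path, denied_objects):
    """Object-keyed rule: deny if the file behind the name is a protected one."""
    return object_id(path) not in denied_objects


def demo():
    """Return {name: (path_rule_allows, object_rule_allows)} for three names."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        d = os.path.realpath(d)
        protected = os.path.join(d, "passwd")  # constructed stand-in file
        with open(protected, "w") as f:
            f.write("constructed sample data\n")

        hard = os.path.join(d, "alias_hard")
        soft = os.path.join(d, "alias_soft")
        os.link(protected, hard)     # second directory entry, same inode
        os.symlink(protected, soft)  # different name resolving to the same file

        denied_paths = {protected}                # what a name-keyed rule stores
        denied_objects = {object_id(protected)}   # what an object-keyed rule stores

        for name, p in (("original", protected),
                        ("hardlink", hard),
                        ("symlink", soft)):
            results[name] = (path_policy_allows(p, denied_paths),
                             label_policy_allows(p, denied_objects))
    return results


if __name__ == "__main__":
    for name, (by_path, by_object) in demo().items():
        print(f"{name:9s} path-rule allows={by_path!s:5s} object-rule allows={by_object}")
```

When auditing a name-keyed policy, the check to make is which other names (hard links, symlinks, bind mounts) can reach the same object and whether the confined program is able to create them.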