In my Fedora 10 system, all fonts under /usr/share/fonts are of the fonts_t type, while the fontconfig files under /etc/fonts are of the default etc_t type. I think it would make sense to move the whole /etc/fonts directory under the fonts_t type, so that a user can easily say "this domain can use fonts" and be done without allowing the domain to read the whole /etc directory and files.
What do you think about it? Does it make sense to modify the default Fedora policy according to these lines?
-Yenya
Jan Kasprzak wrote:
> In my Fedora 10 system, all fonts under /usr/share/fonts are of the fonts_t type, while the fontconfig files under /etc/fonts are of the default etc_t type. I think it would make sense to move the whole /etc/fonts directory under the fonts_t type, so that a user can easily say "this domain can use fonts" and be done without allowing the domain to read the whole /etc directory and files.
> What do you think about it? Does it make sense to modify the default Fedora policy according to these lines?
> -Yenya

Yes. If there are fonts in /etc/fonts, it should be labeled fonts_t.
Daniel J Walsh wrote:
> Jan Kasprzak wrote:
>> In my Fedora 10 system, all fonts under /usr/share/fonts are of the fonts_t type, while the fontconfig files under /etc/fonts are of the default etc_t type. I think it would make sense to move the whole /etc/fonts directory under the fonts_t type, so that a user can easily say "this domain can use fonts" and be done without allowing the domain to read the whole /etc directory and files.
>> What do you think about it? Does it make sense to modify the default Fedora policy according to these lines?
>> -Yenya
>
> Yes. If there are fonts in /etc/fonts, it should be labeled fonts_t.

If they are not fonts, though, lots of domains can write to fonts_t.
- -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Daniel J Walsh wrote:
: Daniel J Walsh wrote:
: > Jan Kasprzak wrote:
: >> In my Fedora 10 system, all fonts under /usr/share/fonts
: >> are of the fonts_t type, while the fontconfig files under /etc/fonts
: >> are of the default etc_t type. I think it would make sense to move
: >> the whole /etc/fonts directory under the fonts_t type, so that a user
: >> can easily say "this domain can use fonts" and be done without allowing
: >> the domain to read the whole /etc directory and files.
: >
: > Yes. If there are fonts in /etc/fonts, it should be labeled fonts_t.
: If they are not fonts, though, lots of domains can write to fonts_t.

These are configuration files for fontconfig-based fonts (used by GNOME/KDE, xetex, ...). Virtual fonts like "mono" or "serif" are described here, etc. It probably makes sense that everybody who can legally write /usr/share/fonts should also be able to write to /etc/fonts.
-Yenya
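
The trade-off raised in this thread can be checked before relabeling. The following is an added example, not code from any poster or from the Fedora policy: it reads allow rules in their usual textual form and lists the domains that would gain write access to files moved from etc_t to fonts_t. The rules and the domain names in `SAMPLE_RULES` are constructed for illustration.

```python
import re

# Constructed sample of allow rules; the domain names (app_a_t, ...) are
# hypothetical and the rules are not taken from any real Fedora policy.
SAMPLE_RULES = """\
allow app_a_t fonts_t:file { read getattr open };
allow app_b_t fonts_t:file { read write create unlink };
allow app_b_t fonts_t:dir { search add_name remove_name write };
allow app_c_t fonts_t:file { getattr read };
allow admin_x_t fonts_t:file { read write append };
allow admin_x_t etc_t:file { read write create };
allow app_a_t etc_t:file read;
"""

# allow <source> <target>:<class> { perm ... };   or a single bare permission
RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\S+))\s*;")

# File permissions treated here as modifying the object.
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr"}


def parse_rules(text):
    """Yield (source, target, tclass, perms) for each allow rule in text."""
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            perms = set((m.group(4) or m.group(5)).split())
            yield m.group(1), m.group(2), m.group(3), perms


def writers(rules, target, tclass="file"):
    """Return the source domains holding any write-like permission on target."""
    return {s for s, t, c, p in rules
            if t == target and c == tclass and p & WRITE_PERMS}


def newly_writable(text, old="etc_t", new="fonts_t"):
    """Domains that can modify `new` files but could not modify `old` files."""
    rules = list(parse_rules(text))
    return sorted(writers(rules, new) - writers(rules, old))


if __name__ == "__main__":
    for domain in newly_writable(SAMPLE_RULES):
        print(domain, "would gain write access to relabeled /etc/fonts files")
```
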
selinux@lists.fedoraproject.org