On Tue, May 26, 2020 at 10:43 PM Przemek Klosowski via devel <
devel@lists.fedoraproject.org> wrote:
> On 5/23/20 12:18 AM, Nico Kadel-Garcia wrote:
> > Would the time be better spent enhancing SELinux?
>
> ThatSELinux already labels everything in /bin and /usr/libexec as
>
> system_u:object
On 5/23/20 12:18 AM, Nico Kadel-Garcia wrote:
Would the time be better spent enhancing SELinux?
ThatSELinux already labels everything in /bin and /usr/libexec as
system_u:object_r:bin_t:s0
so maybe it could be leveraged to cover everything you are considering?
Is there something fundam
On Fri, May 22, 2020 at 09:31:25PM -0400, Steve Grubb wrote:
> My question now is how can we determine what is meant to be
> executable by system applications vs examples and other cruft? (This might be
> relevant to people minimizing systems/containers.)
Theoretically the examples are a documen
Le vendredi 22 mai 2020 à 21:31 -0400, Steve Grubb a écrit :
>
> Over a couple emails I kind of realized that originally this was
> framing the
> question wrong. My question now is how can we determine what is meant
> to be
> executable by system applications vs examples and other cruft?
There
Le vendredi 22 mai 2020 à 16:48 -0400, Steve Grubb a écrit :
> On Friday, May 22, 2020 4:23:50 PM EDT Przemek Klosowski via devel
> wrote:
> >
> > In general, data is code is data.
>
> I know this argument well (Weird Machines). I was making the same
> argument 10 years ago. :-)
It got true
Le vendredi 22 mai 2020 à 20:41 +0200, Nicolas Mailhot via devel a
écrit :
>
> So, no use looking for non-executable /usr/share. A lot of /usr/share
> is executable and will stay that way.
Also moving executable things somewhere else would make multiarch (more
of) a major hassle. Because the somw
On Fri, May 22, 2020 at 3:20 PM David Malcolm wrote:
> Hi Steve
>
> Your email talks about "application whitelisting" and "executables",
> and this thread seems to be getting in to the weeds about things like
> the distinction between scripts vs machine code, and modules vs
> scripts; code vs dat
Hello,
On Friday, May 22, 2020 6:38:55 PM EDT Kevin Kofler wrote:
> > But what I'm finding in practice is that cinnamon places its javascript
> > there, there are libexec dirs that contain executable code, there are
> > python and byte compiled python over there. In short, the system doesn't
> > w
On 5/22/20 3:54 PM, Michel Alexandre Salim wrote:
On 5/22/20 7:30 AM, Steve Grubb wrote:
Hello,
I am working on our application whitelisting daemon. It uses the rpmdb to
derive trust in what's on disk. If we use the whole rpmdb, then the
number of
files is large. So, to prune the amount of ent
On 5/22/20 7:30 AM, Steve Grubb wrote:
Hello,
I am working on our application whitelisting daemon. It uses the rpmdb to
derive trust in what's on disk. If we use the whole rpmdb, then the number of
files is large. So, to prune the amount of entries in the trust db down to a
reasonable number, I
Steve Grubb wrote:
> But what I'm finding in practice is that cinnamon places its javascript
> there, there are libexec dirs that contain executable code, there are
> python and byte compiled python over there. In short, the system doesn't
> work because critical executables are in /usr/share.
>
>
On Friday, May 22, 2020 3:19:20 PM EDT David Malcolm wrote:
> Your email talks about "application whitelisting" and "executables",
> and this thread seems to be getting in to the weeds about things like
> the distinction between scripts vs machine code, and modules vs
> scripts; code vs data.
But
On Friday, May 22, 2020 4:23:50 PM EDT Przemek Klosowski via devel wrote:
> On 5/22/20 1:24 PM, Nico Kadel-Garcia wrote:
>
> > On Fri, May 22, 2020 at 10:31 AM Steve Grubb wrote:
> >
> >> I am working on our application whitelisting daemon.
>
> Interesting concept---could you please elaborate o
On 5/22/20 1:24 PM, Nico Kadel-Garcia wrote:
On Fri, May 22, 2020 at 10:31 AM Steve Grubb wrote:
I am working on our application whitelisting daemon.
Interesting concept---could you please elaborate on your design? It
sounds useful but also challenging, as Nico points out.
On what level do
On Fri, 22 May 2020 at 15:20, David Malcolm wrote:
> On Fri, 2020-05-22 at 10:30 -0400, Steve Grubb wrote:
> > Hello,
> >
> > I am working on our application whitelisting daemon. It uses the
> > rpmdb to
> > derive trust in what's on disk. If we use the whole rpmdb, then the
> > number of
> > fil
On Fri, 2020-05-22 at 10:30 -0400, Steve Grubb wrote:
> Hello,
>
> I am working on our application whitelisting daemon. It uses the
> rpmdb to
> derive trust in what's on disk. If we use the whole rpmdb, then the
> number of
> files is large. So, to prune the amount of entries in the trust db
>
Le vendredi 22 mai 2020 à 10:30 -0400, Steve Grubb a écrit :
> The /usr/share hierarchy is for all read-only architecture
> independent data
> files.
The important part of the FHS definition is “read-only architecture
independent“. Because everything on computing storage is data depending
on how
* Petr Viktorin:
> Does "read-only architecture independent data" mean the files must not
> be programs?
Not according to the FHS. From the FHS perspective, /usr/share is just
like RPM's noarch architecture: completely portable across all
architectures. It can even be machine code if it does no
On Fri, May 22, 2020 at 10:31 AM Steve Grubb wrote:
>
> Hello,
>
> I am working on our application whitelisting daemon. It uses the rpmdb to
> derive trust in what's on disk. If we use the whole rpmdb, then the number of
> files is large. So, to prune the amount of entries in the trust db down to
On 2020-05-22 17:31, Steve Grubb wrote:
On Friday, May 22, 2020 10:39:43 AM EDT Petr Viktorin wrote:
On 2020-05-22 16:30, Steve Grubb wrote:
Hello,
I am working on our application whitelisting daemon. It uses the rpmdb to
derive trust in what's on disk. If we use the whole rpmdb, then the
numb
On Friday, May 22, 2020 10:39:43 AM EDT Petr Viktorin wrote:
> On 2020-05-22 16:30, Steve Grubb wrote:
> > Hello,
> >
> > I am working on our application whitelisting daemon. It uses the rpmdb to
> > derive trust in what's on disk. If we use the whole rpmdb, then the
> > number of files is large.
On 2020-05-22 16:30, Steve Grubb wrote:
Hello,
I am working on our application whitelisting daemon. It uses the rpmdb to
derive trust in what's on disk. If we use the whole rpmdb, then the number of
files is large. So, to prune the amount of entries in the trust db down to a
reasonable number, I
Hello,
I am working on our application whitelisting daemon. It uses the rpmdb to
derive trust in what's on disk. If we use the whole rpmdb, then the number of
files is large. So, to prune the amount of entries in the trust db down to a
reasonable number, I thought we could jettison anything in
23 matches
Mail list logo
