FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora Development

 
 
LinkBack Thread Tools
 
Old 07-27-2011, 10:43 AM
Nicolas Mailhot
 
Default XDG and default directories ( Adding ~/.local/bin to default PATH)

Le mercredi 27 juillet 2011 à 12:26 +0200, Stijn Hoop a écrit :
> Hi,
>
> aside from the merits of adding ~/.local/bin, I just wanted to point
> out:
>
> On Wed, 27 Jul 2011 12:19:51 +0200
> Nicolas Mailhot <nicolas.mailhot@laposte.net> wrote:
> > It's all been done to make nautilus happy with "user-friendly"
> > "localized" names on the user desktop (aping the windows mess). And
> > now gnome3 people have decided shortcuts on the desktop are a bad
> > idea so the whole justification for those choices does not exist
> > anymore.
>
> I disagree with this personal assessment; I and some of our users
> instead like the fact that there is now a standard area where to put
> downloads,

I didn't say it was bad that some conventions have started to emerge.
Quite the contrary. However, I *do* regret some of the choices made and
they're already starting to bite us to bite us.

> and even better is the fact that I can now put that area
> somewhere else than on our default stupidly-expensive backupped NFS
> filesystem.

And what will happen to your users when selinux starts enforcing
download jails and the directory it applies settings to is not the one
you use? Do you really thinks that's hypothetical? Browsers are looking
hard at sandboxing nowadays. Note that other security frameworks do not
even have the path/label separation they work directly on paths.

Really if there was a need (for nfs users for example) for the download
area to reside on a different root it should have been defined on a
different root from the start up (like the rest of the filesystem layout
was done) instead of trying to variabilize the layout. Now the default
locations are just going to be hardcoded right and left with subtle
difficult to debug failures when one tries to move one of them like
proposed by the spec.

--
Nicolas Mailhot

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 07-27-2011, 02:52 PM
Stijn Hoop
 
Default XDG and default directories ( Adding ~/.local/bin to default PATH)

Hi,

On Wed, 27 Jul 2011 12:43:09 +0200
Nicolas Mailhot <nicolas.mailhot@laposte.net> wrote:
> Le mercredi 27 juillet 2011 à 12:26 +0200, Stijn Hoop a écrit :
> > and even better is the fact that I can now put that area
> > somewhere else than on our default stupidly-expensive backupped NFS
> > filesystem.
>
> And what will happen to your users when selinux starts enforcing
> download jails and the directory it applies settings to is not the one
> you use? Do you really thinks that's hypothetical? Browsers are
> looking hard at sandboxing nowadays. Note that other security
> frameworks do not even have the path/label separation they work
> directly on paths.

Why would selinux / apparmor NOT respect the same environment that is
used for the live user?

If the root cause is because selinux / apparmor is technically not able
to use per-user environment variables for non-standard subdirectories
of /home, I submit that I simply need to be capable to not only set the
environment variable, but also modify our selinux configuration to
match.

I already accepted the premise that having an NFS mounted /home (where
I preferably do not want to store the newest HQ movies) is not a
standard Linux environment anymore, by having to set the variable in
the first place.

> Really if there was a need (for nfs users for example) for the
> download area to reside on a different root it should have been
> defined on a different root from the start up (like the rest of the
> filesystem layout was done) instead of trying to variabilize the
> layout.

I agree, that would also work in this specific case. However I note
that the defaults make sense in a personal workstation case, which is
fine by me. Having /home and /localhome (examples) for a single
workstation is more confusing.

> Now the default locations are just going to be hardcoded
> right and left with subtle difficult to debug failures when one tries
> to move one of them like proposed by the spec.

Exactly my point as well, let's get those fixed.

--Stijn
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 07-28-2011, 01:39 PM
Daniel J Walsh
 
Default XDG and default directories ( Adding ~/.local/bin to default PATH)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/27/2011 10:52 AM, Stijn Hoop wrote:
> Hi,
>
> On Wed, 27 Jul 2011 12:43:09 +0200 Nicolas Mailhot
> <nicolas.mailhot@laposte.net> wrote:
>> Le mercredi 27 juillet 2011 à 12:26 +0200, Stijn Hoop a écrit :
>>> and even better is the fact that I can now put that area
>>> somewhere else than on our default stupidly-expensive backupped
>>> NFS filesystem.
>>
>> And what will happen to your users when selinux starts enforcing
>> download jails and the directory it applies settings to is not the
>> one you use? Do you really thinks that's hypothetical? Browsers
>> are looking hard at sandboxing nowadays. Note that other security
>> frameworks do not even have the path/label separation they work
>> directly on paths.
>
> Why would selinux / apparmor NOT respect the same environment that
> is used for the live user?
>
> If the root cause is because selinux / apparmor is technically not
> able to use per-user environment variables for non-standard
> subdirectories of /home, I submit that I simply need to be capable to
> not only set the environment variable, but also modify our selinux
> configuration to match.
>
> I already accepted the premise that having an NFS mounted /home
> (where I preferably do not want to store the newest HQ movies) is not
> a standard Linux environment anymore, by having to set the variable
> in the first place.
>
>> Really if there was a need (for nfs users for example) for the
>> download area to reside on a different root it should have been
>> defined on a different root from the start up (like the rest of
>> the filesystem layout was done) instead of trying to variabilize
>> the layout.
>
> I agree, that would also work in this specific case. However I note
> that the defaults make sense in a personal workstation case, which
> is fine by me. Having /home and /localhome (examples) for a single
> workstation is more confusing.
>
>> Now the default locations are just going to be hardcoded right and
>> left with subtle difficult to debug failures when one tries to move
>> one of them like proposed by the spec.
>
> Exactly my point as well, let's get those fixed.
>
> --Stijn

SELinux will work with variable paths, as long as you setup the labeling
correctly. SELinux really does not care about the paths, other then if
you relabel the system.

So if you want to move files around within a homedir, and we care about
securing the content differently you can change the label.

Most of the labels in the users homedir are for System Services that
need to use content in the home dir. (~/.ssh, ~/public_html,
~/public_git) Or setuid apps like gnome-sandbox, nsplugin that need to
use directories in the homedir. Then we are doing some experimental
stuff like confining telepathy apps, but those are turned off for most
users.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk4xZqsACgkQrlYvE4MpobPGiwCgkXoWbuzP/Y5ay3T/LtxG5URz
3LQAn38gToz+Lu6fFmP7BUHnIDm8dF/4
=4dF4
-----END PGP SIGNATURE-----
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 07-28-2011, 01:39 PM
Daniel J Walsh
 
Default XDG and default directories ( Adding ~/.local/bin to default PATH)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/27/2011 10:52 AM, Stijn Hoop wrote:
> Hi,
>
> On Wed, 27 Jul 2011 12:43:09 +0200 Nicolas Mailhot
> <nicolas.mailhot@laposte.net> wrote:
>> Le mercredi 27 juillet 2011 à 12:26 +0200, Stijn Hoop a écrit :
>>> and even better is the fact that I can now put that area
>>> somewhere else than on our default stupidly-expensive backupped
>>> NFS filesystem.
>>
>> And what will happen to your users when selinux starts enforcing
>> download jails and the directory it applies settings to is not the
>> one you use? Do you really thinks that's hypothetical? Browsers
>> are looking hard at sandboxing nowadays. Note that other security
>> frameworks do not even have the path/label separation they work
>> directly on paths.
>
> Why would selinux / apparmor NOT respect the same environment that
> is used for the live user?
>
> If the root cause is because selinux / apparmor is technically not
> able to use per-user environment variables for non-standard
> subdirectories of /home, I submit that I simply need to be capable to
> not only set the environment variable, but also modify our selinux
> configuration to match.
>
> I already accepted the premise that having an NFS mounted /home
> (where I preferably do not want to store the newest HQ movies) is not
> a standard Linux environment anymore, by having to set the variable
> in the first place.
>
>> Really if there was a need (for nfs users for example) for the
>> download area to reside on a different root it should have been
>> defined on a different root from the start up (like the rest of
>> the filesystem layout was done) instead of trying to variabilize
>> the layout.
>
> I agree, that would also work in this specific case. However I note
> that the defaults make sense in a personal workstation case, which
> is fine by me. Having /home and /localhome (examples) for a single
> workstation is more confusing.
>
>> Now the default locations are just going to be hardcoded right and
>> left with subtle difficult to debug failures when one tries to move
>> one of them like proposed by the spec.
>
> Exactly my point as well, let's get those fixed.
>
> --Stijn

SELinux will work with variable paths, as long as you setup the labeling
correctly. SELinux really does not care about the paths, other then if
you relabel the system.

So if you want to move files around within a homedir, and we care about
securing the content differently you can change the label.

Most of the labels in the users homedir are for System Services that
need to use content in the home dir. (~/.ssh, ~/public_html,
~/public_git) Or setuid apps like gnome-sandbox, nsplugin that need to
use directories in the homedir. Then we are doing some experimental
stuff like confining telepathy apps, but those are turned off for most
users.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk4xZqsACgkQrlYvE4MpobPGiwCgkXoWbuzP/Y5ay3T/LtxG5URz
3LQAn38gToz+Lu6fFmP7BUHnIDm8dF/4
=4dF4
-----END PGP SIGNATURE-----
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 

Thread Tools




All times are GMT. The time now is 10:03 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org