SELinux and /proc
Dawid Gajownik
gajownik at fedora.pl
Tue Mar 14 18:03:13 UTC 2006
On 03/14/2006 05:18 PM, Stephen Smalley wrote:
> What precisely did you like about it?
Better security - a user does not know what other users are doing on such
a machine.
> If you use -strict or -mls
> policy, then unprivileged users should be restricted in what they can
> see in /proc (and thus ps output).
Sure, but -targeted is almost transparent to the users and it seems
to be more user friendly. Actually, I have never used the -strict
policy so this last part may not be true ;)
> For -targeted, users aren't supposed to be confined (just specific
> daemons)
Yes, I know that, but you have also been experimenting lately with
allow_execstack or allow_execmod booleans which break this rule ;) Why
not have another exception? This feature is so interesting that
admins will think twice whether to disable SELinux.
Regards,
Dawid
--
^_*