Good point.<br>I probably can live with that.<br><br>Still I am not sure if I would like it to have full access to all files labelled etc_t . It would be nice to be able to single out only a few of them. Perhaps I should look at something other than the targeted policy.
<br><br><div><span class="gmail_quote">On 9/17/07, <b class="gmail_sendername">Daniel J Walsh</b> <<a href="mailto:dwalsh@redhat.com">dwalsh@redhat.com</a>> wrote:</span><blockquote class="gmail_quote" style="margin-top: 0; margin-right: 0; margin-bottom: 0; margin-left: 0; margin-left: 0.80ex; border-left-color: #cccccc; border-left-width: 1px; border-left-style: solid; padding-left: 1ex">
-----BEGIN PGP SIGNED MESSAGE-----<br>Hash: SHA1<br><br>Torbjørn Lindahl wrote:<br>> Hello, I am writing an application that I want to limit using selinux.<br>><br>> audit.log shows that it wants access to /etc/nsswitch.conf and /etc/hosts -
<br>> which doesn't seem to unreasonable, however both these have types etc_t ,<br>> and allowing myapp_t to read etc_t would also give it access to for example<br>> /etc/passwd, which i do not want.<br>><br>
><br>> Do I have to invent a new type for these two files to be able to keep my<br>> application from the other etc_t files in /etc ?<br>><br>><br>><br>><br>><br>> ------------------------------------------------------------------------
<br>><br>> --<br>> fedora-selinux-list mailing list<br>> <a href="mailto:fedora-selinux-list@redhat.com">fedora-selinux-list@redhat.com</a><br>> <a href="https://www.redhat.com/mailman/listinfo/fedora-selinux-list">
https://www.redhat.com/mailman/listinfo/fedora-selinux-list</a><br>Yes you can, but the more different file_context that you have in /etc,<br>the harder they will be to maintain.<br><br>Reading /etc/passwd is not as dangerous as being able to read
<br>/etc/shadow. So consider if this is really necessary.<br>-----BEGIN PGP SIGNATURE-----<br>Version: GnuPG v1.4.7 (GNU/Linux)<br>Comment: Using GnuPG with Fedora - <a href="http://enigmail.mozdev.org">http://enigmail.mozdev.org
</a><br><br>iD8DBQFG7uxvrlYvE4MpobMRAk+5AJ9UZPJZq++LfpMZMRyF62bvWCOTqQCgsdly<br>+DO1I81MDsGkD0L3p3RiV/4=<br>=WV5q<br>-----END PGP SIGNATURE-----<br></blockquote></div><br><br clear="all"><br>-- <br>mvh<br>Torbjørn Lindahl