On 2007-04-24, Al Pacifico <adpacifico(a)users.sourceforge.net> wrote:
> That depends on your security goals. If you want the slimserver-scanner
> to have the same privs as slimserver you would label it sbin_t and allow
> slimserver to corecmd_exec_sbin(). If you want to go with least privs,
> you would create a new policy for slimserver-scanner
> (slimserver_scanner_t with file context of slimserver_scanner_exec_t)
> and then add a rule to slimserver_t to domtrans
> slimserver_scanner_domtrans(slimserver_t)
> I'm a little confused about this. I want to limit privileges of slimserver
> and slimserver-scanner to accessing only certain files. If I label
> slimserver-scanner as 'sbin_t', when a user executes slimserver-scanner,
> won't he/she have more privileges than slimserver then?
Yes.
If you want slimserver-scanner to have fewer privileges when executed
interactively by a user, you'll need to create a new domain for it (i.e.
not sbin_t), and transition into this domain when the user execs it.
But, why would you want that? All it's doing is reading the mp3-files,
and updating a database. If you limit the scanner's privileges, your
users can still step outside of this by "cp /usr/sbin/slimserver-scanner
/tmp/slimserver-scanner".
I would aim at confining the main web-based slimserver, and make sure
the slimserver-scanner executed within this process doesn't get more
privileges than absolutely necessary.
-jf
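The least-privilege layout discussed above, written out as an added example in SELinux reference-policy style (this is not policy from the thread or from the slimserver project). It assumes an existing slimserver module declares `slimserver_t` and a `slimserver_var_lib_t` type for the database; the music-library type `slimserver_music_t` and the module name are also assumptions. The domain transition keys on the executable's label, which is why the `cp` to `/tmp` mentioned above bypasses it: the copy gets a tmp type, no `type_transition` matches, and it simply runs in the caller's own domain.

```selinux
## slimserver_scanner.te  (added example; names below are assumptions unless noted)
policy_module(slimserver_scanner, 1.0.0)

gen_require(`
	type slimserver_t;            # from the page: the confined web-based slimserver
	type slimserver_var_lib_t;    # assumed: type of the scanner's database files
')

# A dedicated domain for the scanner and the type for its executable,
# instead of reusing sbin_t (which would grant it all of slimserver's rights).
type slimserver_scanner_t;
type slimserver_scanner_exec_t;
application_domain(slimserver_scanner_t, slimserver_scanner_exec_t)
role system_r types slimserver_scanner_t;

# Music library gets its own type so the scanner can only read it.
type slimserver_music_t;          # assumed name
files_type(slimserver_music_t)

# Least privilege: read the mp3 tree, maintain the database, nothing else.
allow slimserver_scanner_t slimserver_music_t:dir list_dir_perms;
allow slimserver_scanner_t slimserver_music_t:file read_file_perms;
allow slimserver_scanner_t slimserver_var_lib_t:dir rw_dir_perms;
allow slimserver_scanner_t slimserver_var_lib_t:file manage_file_perms;

## slimserver_scanner.if
# Exec of slimserver_scanner_exec_t by $1 transitions into slimserver_scanner_t.
# domtrans_pattern expands to the execute/entrypoint/transition allows plus
# the type_transition rule, so only the labelled binary triggers it.
interface(`slimserver_scanner_domtrans',`
	gen_require(`
		type slimserver_scanner_t, slimserver_scanner_exec_t;
	')
	domtrans_pattern($1, slimserver_scanner_exec_t, slimserver_scanner_t)
')

## slimserver_scanner.fc  (path is the one named in the thread)
/usr/sbin/slimserver-scanner	--	gen_context(system_u:object_r:slimserver_scanner_exec_t,s0)

## in slimserver.te, the existing module that declares slimserver_t:
slimserver_scanner_domtrans(slimserver_t)
```

After loading the module and running `restorecon /usr/sbin/slimserver-scanner`, a scan started by slimserver runs as `slimserver_scanner_t` and is denied anything outside the two data types; a user-made copy under `/tmp` carries no `slimserver_scanner_exec_t` label, so it runs with whatever the user's own domain already allows, exactly the point made above about confining the daemon rather than the interactive path.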