On Mon, 2006-01-30 at 22:19 +0000, Martin Ebourne wrote:
> Further to this, I note that I don't even need the
> inetd_child_disable_trans boolean set now. By default nrpe running under
> xinetd is allowed to sudo. Should this not be controlled?
> What protection does running xinetd under SELinux give?
IIRC, the default targeted policy in Fedora leaves inetd children who do
not have a specific domain defined for them unconfined, as otherwise all
external (outside of Fedora) inetd-based services that lack policy would
immediately break. The strict policy takes the more conservative
approach for security, at the risk of greater application breakage.
--
Stephen Smalley
National Security Agency
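As an added audit check, not part of the thread above, the snippet below looks for the situation Stephen describes: children of an `inetd_t` process that did not transition into a service-specific domain. It reads a `ps -eo label,pid,ppid,comm` style listing, which is constructed here for the example; the generic child domain name `inetd_child_t` is assumed from the name of the `inetd_child_disable_trans` boolean mentioned in the thread, and `unconfined_t` is the usual unconfined domain.

```shell
# Constructed sample of `ps -eo label=,pid=,ppid=,comm=` output (not real data).
# Columns: SELinux label (user:role:type:level), PID, PPID, command.
SAMPLE_PS='system_u:system_r:inetd_t:s0 1203 1 xinetd
system_u:system_r:inetd_child_t:s0 1410 1203 nrpe
system_u:system_r:telnetd_t:s0 1412 1203 in.telnetd
system_u:system_r:unconfined_t:s0 1413 1203 check_disk
unconfined_u:unconfined_r:unconfined_t:s0 1500 1400 bash'

# Print one "PID TYPE COMMAND" line for every child of an inetd_t process
# whose type is still the generic inetd_child_t (assumed name) or unconfined_t,
# i.e. the service has no domain of its own and is effectively unconfined.
audit_inetd_children() {
    printf '%s\n' "$1" | awk '
        {
            split($1, ctx, ":")          # label is user:role:type:level
            type[$2] = ctx[3]
            ppid[$2] = $3
            comm[$2] = $4
            if (ctx[3] == "inetd_t") inetd[$2] = 1
        }
        END {
            for (pid in type) {
                if ((ppid[pid] in inetd) &&
                    (type[pid] == "inetd_child_t" || type[pid] == "unconfined_t"))
                    print pid, type[pid], comm[pid]
            }
        }' | sort -n
}

# Live use: audit_inetd_children "$(ps -eo label=,pid=,ppid=,comm=)"
audit_inetd_children "$SAMPLE_PS"
```

In the sample, `in.telnetd` is not reported because it transitioned into its own `telnetd_t` domain, while `nrpe` and its `check_disk` child are, which is exactly what the targeted policy's permissive default for unknown inetd services looks like on a running box.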