On Fri, 2005-06-17 at 08:03 -0400, Stephen Smalley wrote:
Hmm...well, if so, please limit to the targeted/domains/unconfined.te
file and don't alter the unconfined_domain() macro. Looks like you are
already allowing execmod to a variety of types in the targeted
unconfined.te, but not to all file types.
We also need to do so for initrc_t at least, because that is now the
domain that services run under by default in FC4. It would be nice
though if we could go back to using unconfined_t there, but it seems
complicated. Could we do something like:
domain_auto_trans(initrc_t, exec_type - targeted_exec_type, unconfined_t)
Would need to give e.g. httpd_exec_t the targeted_exec_type attribute,
and I'm not sure attribute subtraction works.
Given the permissive nature of targeted policy (e.g. boolean defaults
for apache and execmem/execmod are permissive), I think the release
notes or SELinux FAQ should in the future give instructions on how to
tighten up the settings for admins who want to do so. Otherwise, they
aren't likely to even think about it.
Absolutely, this would make a good entry in the FAQ. Although I'd
personally really like to see a Fedora security guide, these booleans
would be mentioned there too.