Perhaps a bit off topic.
But since it is security related I might as well ask it.
What do the diverse exec-shield settings 3, 11, 9 mean?
By default I have exec-shield = 9; setting it to 2 works too.
Kind regards,
Peter
On 7/22/06, Paul Howarth <paul(a)city-fan.org> wrote:
On Fri, 2006-07-21 at 14:14 -0700, Michael Thomas wrote:
> > You should check that the transition has happened by running ps with the
> > "-Z" option to show the process context when you're running the
> > application.
>
> It shows up as crossfire_exec_t because...
crossfire_exec_t? Not crossfire_t?
> > Note that most things running confined under targeted policy are started
> > from initscripts and there is no transition from unconfined_t needed (or
> > wanted). That's not the case here though.
>
> ...it is started from an init script. Normal (unconfined) users should
> not be starting this by hand. Instead, normal users will run the client
> application which connects to this server. In this case, it sounds like
> I don't need the rule to transition from unconfined_t.
Right; I must have missed the initscript in the files list.
So yes, you are correct that you don't need (or even want) the transition from
unconfined_t.
> >>Some things that would be nice to clarify:
> >>
> >>Should selinux be added as a subpackage or automatically included in the
> >>base package?
> >
> >
> > I don't have a strong opinion either way on this. I've tended to stick
> > to keeping everything together because I find it easier to manage that
> > way. As long as the SELinux bits don't get in the way of people not
> > using them, I don't think it's a problem.
>
> I think I would prefer to use a separate package (not integrated with
> the base package), so that the policy can be turned on and off by simply
> installing/uninstalling the -selinux package.
Bear in mind that there should be a crossfire_disable_trans boolean that
would turn off the policy (or rather the transition to crossfire_t) when
set, without having to uninstall the policy.
Paul.
--
I have made this letter longer than usual, because I lack the time to
make it short.