On Tue, 2004-12-07 at 11:50 -0500, Valdis.Kletnieks(a)vt.edu wrote:
> On Tue, 07 Dec 2004 10:24:54 EST, Daniel J Walsh said:
> > Can you try this patch
> Will let you know after I get a chance to test at a reboot, but at first
> eyeball it looks close to workable, if not elegant. Probably be tomorrow
> before I have feedback on this one...
> > +can_exec(fsdaemon_t, { sbin_t bin_t shell_exec_t }
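Review bot: the quoted `+can_exec(fsdaemon_t, { sbin_t bin_t shell_exec_t }` line is missing its closing parenthesis; as shown the macro invocation is unterminated and the policy will not build, so it should end `shell_exec_t })` unless the paren was lost in quoting. Granting fsdaemon_t exec on all of sbin_t, bin_t and shell_exec_t is also far wider than the single sendmail invocation smartd needs; a grant on just the target binary's type (sendmail_exec_t, as suggested below) is the tighter rule.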
> Definitely more sledgehammer than elegance here. :)
Note that in general allowing a domain to exec a shell or random binary
isn't really a big deal; the new binary retains the original domain and
all of its restrictions.
> I'm wondering if it would make more sense to push a patch upstream to the
> kernel-utils crew. Reading the smartd manpage in more detail, it looks like
> feeding it a '-M exec /usr/sbin/sendmail' (or building with that as the
> default) would let us only have to add sendmail_exec_t rather than all those.
It's always useful to reduce the permissions needed for a particular
program, but I don't see this particular instance as a large win.
Better to spend the time e.g. helping with refactoring HAL to not need
direct block device access in the main process.
> Where should sites that need to add other 'can_exec' entries be putting them?
On my personal server which still runs FC2, I put most of my rules in
domains/misc/local.te, and then try to redo it as a diff later against
the latest FC3 policy where applicable. When I'm directly doing
development of course I edit the original file and send a direct diff,
assuming it will be upstreamed.