On Sat, 4 Sep 2004 11:12, Erich Schubert <erich@debian.org> wrote:
> The next two rule sets are for the statistic tools "bindgraph" and "mailgraph". The first parses bind query logs and does nice graphs out of them, the second does the same for postfix+amavis logs.
Do we need to have two different domains for programs that do the same thing?
Both bindgraph and mailgraph can read the same file types as input and their output can be accessed by cgi-bin scripts. It seems that there is little (if any) benefit in isolating them.
If we were to assign different types to different log files (may require code changes in syslogd) then we could deny the mailgraph program the ability to read log files other than mail.log and deny the bindgraph program the ability to read mail.log.
Also note that in your policy both those programs can read /var/log/auth.log (Debian) and /var/log/secure (Fedora). This is not desirable; we probably should make changes to the syslog setup.
One possible change is greater use of sub-directories in /var/log. We could have /var/log/security/ for auth.log, secure, and any other security critical log files and /var/log/mail/ for mail server log files (including POP server, and maybe webmail), etc. Doing this would allow different types for the log files with no code changes to syslogd, and this would make it more beneficial to have separate domains for mailgraph and bindgraph.
I've CC'd this to fedora-selinux and debian-devel because if we make such changes then we want to get some cross-distribution agreement on file names.
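The sub-directory proposal above, sketched as a policy fragment. This is an added illustration, not policy from the thread or from either distribution. The names security_log_t, mail_log_t, mailgraph_t and bindgraph_t are hypothetical, the syntax (`:s0` level, `open` permission) is that of current policy, and type attributes and module boilerplate are omitted.

```selinux
# --- file contexts (.fc) ---
# Label the proposed directories. A file that syslogd creates inside a
# labelled directory inherits the directory's type by default, which is
# why no syslogd code change is needed.
/var/log/security(/.*)?    system_u:object_r:security_log_t:s0
/var/log/mail(/.*)?        system_u:object_r:mail_log_t:s0

# --- type enforcement (.te) ---
type security_log_t;    # hypothetical: auth.log, secure
type mail_log_t;        # hypothetical: mail server logs

# syslogd must be able to create and append to files in both directories.
allow syslogd_t { security_log_t mail_log_t }:dir { add_name search write };
allow syslogd_t { security_log_t mail_log_t }:file { append create getattr open };

# mailgraph (hypothetical domain) traverses /var/log and reads only mail logs.
allow mailgraph_t var_log_t:dir search;
allow mailgraph_t mail_log_t:dir { getattr search };
allow mailgraph_t mail_log_t:file { getattr open read };

# bindgraph (hypothetical domain) gets no rule for mail_log_t, and neither
# domain gets a rule for security_log_t. Access that is not explicitly
# allowed is denied, so the absence of rules here is the restriction.
```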
Is anyone using Selinux for VOIP applications at present? If so please contact me off the list. I am looking at Asterisk, Ser etc.
Joop
On Sun, 5 Sep 2004 21:59, "Joop" <joop@fttp.ca> wrote:
> Is anyone using Selinux for VOIP applications at present? If so please contact me off the list. I am looking at Asterisk, Ser etc.
I've written SE Linux policy for Asterisk. I haven't had the time to set it up fully though, so some aspects of Asterisk functionality probably don't work yet.
Try it out and let me know how it goes. I'll fix any bugs you report in the Asterisk policy.
selinux@lists.fedoraproject.org