Usercreation-policy

Stephen Smalley sds at epoch.ncsc.mil
Thu Sep 25 14:31:44 UTC 2003


On Thu, 2003-09-25 at 02:42, Nils Philippsen wrote:
> Anyway, you need to make daemons SELinux aware to utilize it so
> you'd have to allow only e.g. "accepting network connections", "writing
> files" or something similar to the processes which needed to do it.

You don't have to make the daemon aware of SELinux in order to confine
it with SELinux.  In some cases, you may choose to make the daemon
SELinux-aware in order to better leverage the security mechanisms and
provide finer-grained control, but that isn't a fundamental
requirement.  SELinux can transparently transition the daemon into its
own security domain based on the calling domain and the entrypoint
executable without any awareness by the daemon itself.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
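
The transition described in the message above, written out as SELinux policy rules. This is an added example, not part of the original message or of any shipped policy. The daemon name `exampled`, its types `exampled_t`, `exampled_exec_t` and `exampled_log_t`, and the assumption that it is started from an init script running in `initrc_t` are hypothetical.

```selinux
module exampled 1.0;

require {
    type initrc_t;    # assumed calling domain (init scripts)
    role system_r;
    class process { transition sigchld };
    class fd use;
    class file { getattr read open execute entrypoint create append };
    class dir { search write add_name };
    class tcp_socket { create bind listen accept read write };
}

# Hypothetical types: the daemon's domain, the label on its binary,
# and the label on its log directory and files.
type exampled_t;
type exampled_exec_t;
type exampled_log_t;
role system_r types exampled_t;

# 1. The calling domain may execute the binary labelled exampled_exec_t.
allow initrc_t exampled_exec_t:file { getattr read open execute };

# 2. exampled_t may only be entered through that entrypoint executable.
allow exampled_t exampled_exec_t:file entrypoint;

# 3. The calling domain may transition into exampled_t.
allow initrc_t exampled_t:process transition;

# 4. Make the transition the default on exec, so the unmodified daemon
#    lands in exampled_t without calling any SELinux API itself.
type_transition initrc_t exampled_exec_t:process exampled_t;

# Housekeeping between child and parent across the transition.
allow exampled_t initrc_t:fd use;
allow exampled_t initrc_t:process sigchld;

# Confinement: only what this daemon needs, e.g. its own TCP sockets
# and appending to its own log files. Port and node binding rules
# depend on the base policy's types and are not shown.
allow exampled_t self:tcp_socket { create bind listen accept read write };
allow exampled_t exampled_log_t:dir { search write add_name };
allow exampled_t exampled_log_t:file { create open getattr append };
```

The binary still has to carry the `exampled_exec_t` label on disk, which is set through a file-contexts entry and a relabel rather than by these rules.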




