Nils Philippsen nphilipp at
Fri Sep 26 10:57:21 UTC 2003

On Thu, 2003-09-25 at 16:31, Stephen Smalley wrote:
> On Thu, 2003-09-25 at 02:42, Nils Philippsen wrote:
> > Anyway, you need to make daemons SELinux aware to utilize it so
> > you'd have to allow only e.g. "accepting network connections", "writing
> > files" or something similar to the processes which needed to do it.
> You don't have to make the daemon aware of SELinux in order to confine
> it with SELinux.  In some cases, you may choose to make the daemon
> SELinux-aware in order to better leverage the security mechanisms and
> provide finer-grained control, but that isn't a fundamental
> requirement.  SELinux can transparently transition the daemon into its
> own security domain based on the calling domain and the entrypoint
> executable without any awareness by the daemon itself.

Even better.

     Nils Philippsen    /    Red Hat    /    nphilipp at
"They that can give up essential liberty to obtain a little temporary
 safety deserve neither liberty nor safety."     -- B. Franklin, 1759
 PGP fingerprint:  C4A8 9474 5C4C ADE3 2B8F  656D 47D8 9B65 6951 3011
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : 

More information about the devel mailing list