Lower Process Capabilities
Steve Grubb
sgrubb at redhat.com
Wed Jul 29 14:10:01 UTC 2009
On Tuesday 28 July 2009 10:22:56 am Serge E. Hallyn wrote:
> > You can create an selinux context that is not allowed to exec, or only
> > allowed to exec certain things. Or not allowed to connect to TCP
> > sockets. Or pretty much anything else a normal user would otherwise be
> > allowed to do.
>
> This has little to do with what Steve is trying to do.
Right. All I am doing at this point is going over the daemons running as root
and patching them to lower their capabilities. With libcap-ng, it's generally
2-3 lines of code.
As for directory perms...I'm still mulling it over. Changing perms on shadow
and gshadow to 0000 should press forward, though.
-Steve