Yee-HAH! 'smartd' issues 70 avc's when it tries to send mail...

Colin Walters walters at redhat.com
Wed Dec 8 17:08:38 UTC 2004


On Tue, 2004-12-07 at 11:50 -0500, Valdis.Kletnieks at vt.edu wrote: 
> On Tue, 07 Dec 2004 10:24:54 EST, Daniel J Walsh said:
> 
> > Can you try this patch
> 
> Will let you know after I get a chance to test at a reboot, but at first
> eyeball it looks close to workable, if not elegant.  Probably be tomorrow
> before I have feedback on this one...
> 
> > +can_exec(fsdaemon_t, { sbin_t bin_t shell_exec_t }
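
Review bot: the can_exec( call on this added line has no closing ")" as quoted, and the set { sbin_t bin_t shell_exec_t } carries no comment saying which of the three types the mail path actually needs. Close the macro call and add a one-line comment above the rule naming the program run from each type, so the grant can be narrowed later (for example to sendmail_exec_t, as raised further down in this thread).
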
> 
> Definitely more sledgehammer than elegance here. :)

Note that in general allowing a domain to exec a shell or random binary
isn't really a big deal; the new binary retains the original domain and
all of its restrictions.

> I'm wondering if it would make more sense to push a patch upstream to the
> kernel-utils crew.  Reading the smartd manpage in more detail, it looks like
> feeding it a '-M exec /usr/sbin/sendmail' (or building with that as the
> default) would let us only have to add sendmail_exec_t rather than all those.

It's always useful to reduce the permissions needed for a particular
program, but I don't see this particular instance as a large win.
Better to spend the time e.g. helping with refactoring HAL to not need
direct block device access in the main process.

> Where should sites that need to add
> other 'can_exec' entries be putting them?

On my personal server which still runs FC2, I put most of my rules in
domains/misc/local.te, and then try to redo it as a diff later against
the latest FC3 policy where applicable.  When I'm directly doing
development of course I edit the original file and send a direct diff,
assuming it will be upstreamed.
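
The point made above, that an exec'd program stays in the caller's domain unless policy defines a transition, as a small model of the exec-time decision. This is an added example, not part of the original message and not kernel or policy code. The rule table is constructed, system_mail_t as a transition target is an assumption, and checks outside the domain decision itself are left out.

```python
# Simplified model of the SELinux domain decision at execve() (added example).
# The rules below are constructed for illustration; they are not the FC3 policy.

# allow rules: (source_type, target_type, class) -> set of permissions
ALLOW = {
    # What a can_exec-style grant gives: run the file without changing domain.
    ("fsdaemon_t", "shell_exec_t", "file"): {"read", "execute", "execute_no_trans"},
    # A transition-style grant, for contrast (system_mail_t is an assumption).
    ("fsdaemon_t", "sendmail_exec_t", "file"): {"read", "execute"},
    ("fsdaemon_t", "system_mail_t", "process"): {"transition"},
    ("system_mail_t", "sendmail_exec_t", "file"): {"entrypoint"},
}

# type_transition rules: (calling_domain, executable_file_type) -> new domain
TYPE_TRANSITION = {("fsdaemon_t", "sendmail_exec_t"): "system_mail_t"}


def allowed(src, tgt, cls, perm):
    """True if the constructed policy grants src the permission on tgt:cls."""
    return perm in ALLOW.get((src, tgt, cls), set())


def domain_after_exec(domain, file_type):
    """Return the domain the new program runs in, or None if exec is denied."""
    if not allowed(domain, file_type, "file", "execute"):
        return None
    new = TYPE_TRANSITION.get((domain, file_type), domain)
    if new == domain:
        # No transition rule: the program keeps the caller's domain, and
        # with it every restriction the caller already had.
        ok = allowed(domain, file_type, "file", "execute_no_trans")
        return domain if ok else None
    # Transition: the caller must be allowed to enter the new domain, and
    # the file type must be an entrypoint into it.
    if (allowed(domain, new, "process", "transition")
            and allowed(new, file_type, "file", "entrypoint")):
        return new
    return None


if __name__ == "__main__":
    for ftype in ("shell_exec_t", "sendmail_exec_t", "bin_t"):
        print(ftype, "->", domain_after_exec("fsdaemon_t", ftype))
```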





