Here is an interesting one

Russell Coker russell at coker.com.au
Fri Apr 8 11:22:57 UTC 2005


On Saturday 05 March 2005 16:17, Ivan Gyurdiev <ivg2 at cornell.edu> wrote:
> --- snmpd.te    2005-03-05 00:13:17.000000000 -0500
> +++ snmpd.new   2005-03-05 00:13:46.000000000 -0500
> @@ -45,6 +45,7 @@
>  allow snmpd_t proc_t:dir search;
>  allow snmpd_t proc_t:file r_file_perms;
>  allow snmpd_t self:file { getattr read };
> +allow snmpd_t self:fifo_file { read write };
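Review bot: the added `allow snmpd_t self:fifo_file { read write };` grants only read and write on pipes snmpd_t opens to itself, while the neighbouring rules in the same hunk use permission-set macros (`r_file_perms` on proc_t:file); the matching macro here, `rw_file_perms`, would also cover getattr and ioctl, which a child that inherits the pipe descriptor is likely to request before it knows the descriptor is a pipe. If the narrower set is deliberate, a comment explaining why would help the next reader.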

In a case such as this I suggest using rw_file_perms instead of { read 
write }.  The reason is that restricting access of a domain to itself is of 
little benefit and that once the main access is granted you may as well grant 
the other accesses for the same class.  ioctl access is commonly requested, 
often a child process inherits the file handle and does not know that it's a 
pipe and will perform an ioctl to find out.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
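To see in practice why { read write } alone is too narrow, the following added helper (not from the thread or from any policy package) scans AVC denial records for a domain's accesses to itself on one object class and lists the permissions the allow rule still lacks. The audit lines, the domain name snmpd_t, the class fifo_file and the expansion assumed for rw_file_perms are all constructed for the example.

```shell
#!/bin/sh
# Constructed sample AVC records (audit.log style), not taken from a real system:
# two pipe denials inside snmpd_t (one from an inherited fd in a child "sh"),
# plus one unrelated denial on etc_t that must be ignored.
SAMPLE_AVC='type=AVC msg=audit(1110000000.123:45): avc:  denied  { ioctl } for  pid=1234 comm="snmpd" path="pipe:[5678]" dev=pipefs ino=5678 scontext=system_u:system_r:snmpd_t tcontext=system_u:system_r:snmpd_t tclass=fifo_file
type=AVC msg=audit(1110000000.124:46): avc:  denied  { getattr } for  pid=1235 comm="sh" path="pipe:[5678]" dev=pipefs ino=5678 scontext=system_u:system_r:snmpd_t tcontext=system_u:system_r:snmpd_t tclass=fifo_file
type=AVC msg=audit(1110000000.125:47): avc:  denied  { read } for  pid=1236 comm="snmpd" name="snmpd.conf" dev=hda1 ino=99 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:etc_t tclass=file'

# missing_self_perms DOMAIN CLASS GRANTED...
# Reads AVC records on stdin and prints, one per line and without repeats, every
# permission DOMAIN requested on itself (scontext type == tcontext type) for CLASS
# that is not in the GRANTED list, i.e. what the allow rule still needs.
missing_self_perms() {
  domain=$1; class=$2; shift 2
  granted=" $* "
  awk -v d="$domain" -v c="$class" -v g="$granted" '
    /avc: +denied/ {
      sdom = ""; tdom = ""; tcl = ""
      for (i = 1; i <= NF; i++) {
        # context fields are user:role:type[:mls]; the type is the third part
        if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); sdom = a[3] }
        if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tdom = b[3] }
        if ($i ~ /^tclass=/)   { tcl = substr($i, 8) }
      }
      if (sdom != d || tdom != d || tcl != c) next
      # requested permissions sit between the braces: "{ ioctl }"
      if (match($0, /\{[^}]*\}/)) {
        n = split(substr($0, RSTART + 1, RLENGTH - 2), p, " ")
        for (j = 1; j <= n; j++)
          if (!(p[j] in seen) && index(g, " " p[j] " ") == 0) {
            seen[p[j]] = 1; print p[j]
          }
      }
    }'
}

# With the rule from the patch, two permissions are still denied:
printf '%s\n' "$SAMPLE_AVC" | missing_self_perms snmpd_t fifo_file read write

# Assumed expansion of rw_file_perms in a policy of that era; with it nothing is missing.
RW_FILE_PERMS="ioctl read getattr lock write append"
printf '%s\n' "$SAMPLE_AVC" | missing_self_perms snmpd_t fifo_file $RW_FILE_PERMS
```

On a real host, feed it `grep avc: /var/log/audit/audit.log` (or the output of `ausearch -m avc`) instead of the constructed sample.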
