Experiences with selinux enabled targeted on Fedora Core 3
Russell Coker
russell at coker.com.au
Tue Apr 19 04:20:58 UTC 2005
On Tuesday 19 April 2005 12:25, Valdis.Kletnieks at vt.edu wrote:
> > In those cases a dontaudit rule will usually do the job. If the file
> > system is not mounted then there's nothing that the application can
> > usefully do under the mount point and usually ENOENT and EACCES
> > get the same code paths in most applications that try to open files.
>
> In my case, actually labelling the directories correctly was the better
> fix.
For you maybe. In a general sense it isn't. We have no automatic system for
using umount or mount --bind to allow labelling of such mount points and we
can't expect most users to be able to do it.
> Personally, I'm not thrilled by the idea of sticking in dontaudit rules to
> quiet complaints at boot time that are caused by directories that are
> mislabelled.
Why not?
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page