New Policy Doesn't Fix It
Colin Walters
walters at redhat.com
Fri Jun 17 12:18:36 UTC 2005
On Fri, 2005-06-17 at 08:03 -0400, Stephen Smalley wrote:
> Hmm...well, if so, please limit to the targeted/domains/unconfined.te
> file and don't alter the unconfined_domain() macro. Looks like you are
> already allowing execmod to a variety of types in the targeted
> unconfined.te, but not to all file types.
We also need to do so for initrc_t at least, because that is now the
domain that services run under by default in FC4. It would be nice
though if we could go back to using unconfined_t there, but it seems
complicated. Could we do something like:
domain_auto_trans(initrc_t, exec_type - targeted_exec_type, unconfined_t)
Would need to give e.g. httpd_exec_t the targeted_exec_type attribute,
and I'm not sure attribute subtraction works.
> Given the permissive nature of targeted policy (e.g. boolean defaults
> for apache and execmem/execmod are permissive), I think the release
> notes or SELinux FAQ should in the future give instructions on how to
> tighten up the settings for admins who want to do so. Otherwise, they
> aren't likely to even think about it.
Absolutely, this would make a good entry in the FAQ. Although I'd
personally really like to see a Fedora security guide, these booleans
would me mentioned there too.
More information about the selinux
mailing list