SELinux and /proc

Dawid Gajownik gajownik at
Tue Mar 14 18:03:13 UTC 2006

Dnia 03/14/2006 05:18 PM, Użytkownik Stephen Smalley napisał:

> What precisely did you like about it?

Better security - user does not know what other users are doing on such 
a machine.

> If you use -strict or -mls 
> policy, then unprivileged users should be restricted in what they can
>  see in /proc (and thus ps output).

Shure, but -targeted is almost transparent to the users and it seems
to be more user friendly. Actually, I have never been using -strict
policy so this last part may not be true ;)

> For -targeted, users aren't supposed to be confined (just specific
> daemons)

Yes, I know that, but you have been also experimenting lately with
allow_execstack or allow_execmod booleans which break this rule ;) Why
not to have another exception? This feature is so interesting that
admins will rethink twice whether to disable SELinux.




More information about the selinux mailing list