more fine grained access in /etc

Daniel J Walsh dwalsh at redhat.com
Fri Sep 21 17:06:54 UTC 2007



Jason L Tibbitts III wrote:
>>>>>> "DJW" == Daniel J Walsh <dwalsh at redhat.com> writes:
> 
> DJW> We could do something like this with attributes.
> 
> I wonder if this would help my situation with denyhosts.  The problem
> with denyhosts is that it needs to write to /etc/hosts.deny, which
> means that from the standpoint of selinux it needs to write to etc_t,
> which means it gets to write to /etc/passwd as well.  I've not
> bothered to even attempt to write a policy for denyhosts given that it
> would be mostly pointless if it would still get to trash /etc.
> 
>  - J<
You would change the context of denyhosts to denyhosts_etc_rw_t and then
write a rule saying

allow denyhost_t denyhost_etc_rw_t:file manage_file_perms;
files_etc_filetrans(denyhost_t, denyhost_etc_rw_t, file)

This would allow denyhost_t to only write to files labeled
denyhost_etc_rw_t, and be able to create files in /etc/ labeled
denyhost_etc_rw_t.  It will not allow you to write to files labeled
etc_t, so you cannot overwrite /etc/passwd.
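The rule pair above, written out as a complete loadable module so the pieces can be seen together. This is an added example, not code from the thread or from the denyhosts project; it assumes a denyhost_t domain already exists (the thread names it, but the real denyhosts policy may use a different name) and that /etc/hosts.deny is the only file the daemon needs to edit. Everything else is standard reference-policy syntax: manage_file_perms is the usual permission macro, files_etc_filetrans(domain, type, class) is the /etc transition interface, and files_config_file and files_read_etc_files are the existing interfaces for "this is a config file" and "may read etc_t".

```selinux
# --- denyhost_etc.te -------------------------------------------------------
# Example module (assumption: the domain denyhost_t is defined elsewhere).
policy_module(denyhost_etc, 1.0)

require {
    # Assumed to exist; the daemon's own domain.
    type denyhost_t;
}

# A private type for the few files under /etc the daemon is allowed to edit.
# Marking it as a config file keeps generic "read all /etc configs" rules
# working for other domains.
type denyhost_etc_rw_t;
files_config_file(denyhost_etc_rw_t)

# Read/write/create/rename/unlink, but only on this private type.
allow denyhost_t denyhost_etc_rw_t:file manage_file_perms;

# A file the daemon creates directly in /etc (etc_t directory) is labeled
# denyhost_etc_rw_t automatically, so a rewrite-via-temp-file still works.
files_etc_filetrans(denyhost_t, denyhost_etc_rw_t, file)

# The rest of /etc stays readable but not writable: there is deliberately no
# allow rule granting denyhost_t write access to etc_t.
files_read_etc_files(denyhost_t)

# --- denyhost_etc.fc -------------------------------------------------------
# Only the file the daemon actually maintains gets the private label.
/etc/hosts\.deny    --    gen_context(system_u:object_r:denyhost_etc_rw_t,s0)
```

After building and loading the module (semodule -i) and relabelling with restorecon /etc/hosts.deny, two checks confirm the intent: `matchpathcon /etc/hosts.deny` should report denyhost_etc_rw_t, and `sesearch -A -s denyhost_t -t etc_t -c file` should list read-type permissions only, with no write, append or unlink, which is exactly the property that keeps /etc/passwd out of reach.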



