SELinux Mailing List
Re: [patch] Re: chattr
From: Russell Coker <russell_at_coker.com.au>
Date: Mon, 22 Jul 2002 20:06:56 +0200
# Write to /var/lib/slocate.db.
Does writing to slocate.db really require setattr access?

# Used for /sbin/tmpwatch -allow system_crond_t tmpfile:dir rw_dir_perms; +allow system_crond_t tmpfile:dir { setattr rw_dir_perms }; allow system_crond_t tmpfile:dir rmdir; allow system_crond_t tmpfile:notdevfile_class_set link_file_perms; allow system_crond_t catman_t:dir rw_dir_perms;

What is /sbin/tmpwatch? Is this a program that periodically removes old files from /tmp? If so then it probably doesn't need setattr access, and should be run in my tmpreaper_t domain.
# Update /etc/mail.
I changed the above to the following in my tree:
ifdef(`sendmail.te', `
Currently postfix.te depends on sendmail.te, but not for long. This /etc/mail is a sendmail specific thing apparently not used by other mail servers. Also giving initrc access to that directory/file is a bad idea anyway, the sendmail start script in question should be run in the sendmail_t domain IMHO (as I have done for devfsd in Debian).

# Rules for /proc/sys/kernel/tainted -allow insmod_t sysctl_kernel_t:file rw_file_perms; -allow insmod_t sysctl_t:file write; +allow insmod_t sysctl_kernel_t:file { setattr rw_file_perms };

Is this really what you desire, removing the sysctl_t access? I'm sure it was added for a reason...

--
I do not get viruses because I do not use MS software. If you use Outlook then please do not put my email address in your address-book so that WHEN you get a virus it won't use my address in the

Received on Mon 22 Jul 2002 - 14:18:13 EDT
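Review bot: In the /sbin/tmpwatch hunk, the added `setattr` on `tmpfile:dir` is granted to all of `system_crond_t`, and the only justification is the comment "# Used for /sbin/tmpwatch", which does not say which operation needs it. Either record the denied operation in that comment, or drop `setattr` here and confine tmpwatch to its own domain (the reply proposes tmpreaper_t) so the permission does not extend to everything else running in `system_crond_t`.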
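Review bot: In the /proc/sys/kernel/tainted hunk, the line `-allow insmod_t sysctl_t:file write;` is removed with no replacement and no explanation, while the rest of the hunk only adds `setattr` to the `sysctl_kernel_t:file` rule. If the removal is intended, it belongs in its own change with a stated reason; otherwise restore it and limit this hunk to the `+allow insmod_t sysctl_kernel_t:file { setattr rw_file_perms };` line, with a comment saying why insmod needs `setattr` on that file.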
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |