Security Enhanced Linux
SELinux Mailing List

Re: exim4 policy
From: Russell Coker <russell_at_coker.com.au>
Date: Tue, 20 Apr 2004 22:52:31 +1000
For the most desirable support of Exim we need some minor changes to the way it works. I have spoken to the author about this and he has a positive attitude towards this, all that is necessary is for me (or someone else) to write some patches, test them, and send them to him. Once we get Exim working the way we desire doing the policy will be easy.

What we want is to have different parts of Exim running in different domains. Exim is comprised of a single program that performs multiple tasks, but it re-exec's itself for each task. I think that the best way to do this is to have (for non-SE systems) multiple hard links to the main executable and have it use different names for each exec call. This just takes up a few extra directory entries on a non-SE system and has no noticeable overhead.

For a SE system we could have small wrapper programs (a few K in size - they would provide little overhead) that just exec the main executable. So when a new Exim task is launched it would exec the appropriate name which would trigger a domain transition, that new domain would then execute the main program to do the work. This way Exim itself need know nothing about SE Linux, but we can get all the functionality we want. I believe that this would probably be acceptable to the author.

In a month or so I may have time to code this. If someone else makes an appropriate patch to Exim I'll write the SE Linux policy immediately.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

Received on Tue 20 Apr 2004 - 08:54:05 EDT
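The two layouts described in the message above, as an added example that is not part of the original post or of Exim: it builds both in a temporary directory and shows that hard links share the main executable's inode (SELinux labels the inode, so they all carry one type), while each wrapper is a separate file that could be given its own entrypoint type. The task names `deliver` and `queue`, the directory layout and the stub `main` are hypothetical, and the shell-script wrappers stand in for the small wrapper programs the message proposes.

```shell
#!/bin/sh
# Added example on a constructed temp-directory layout; all names are hypothetical.

# Print the inode number of a path.
inode_of() {
    ls -di -- "$1" | awk '{print $1}'
}

# Succeed if both paths are the same inode. SELinux labels the inode, so such
# paths always carry one type and cannot select different domains.
same_inode() {
    [ "$(inode_of "$1")" = "$(inode_of "$2")" ]
}

# Build both layouts under directory $1 for the task names in the remaining args.
build_layouts() {
    root=$1; shift
    mkdir -p "$root/links" "$root/wrappers"
    # Stand-in for the main executable: reports its path and arguments.
    printf '#!/bin/sh\necho "main ran as: $0 args: $*"\n' > "$root/main"
    chmod 755 "$root/main"
    for task in "$@"; do
        # Non-SE layout: one more directory entry for the same inode.
        ln "$root/main" "$root/links/$task"
        # SE layout: a separate small file that only execs the main program,
        # by absolute path and with its arguments passed through unchanged.
        printf '#!/bin/sh\nexec "%s" "$@"\n' "$root/main" > "$root/wrappers/$task"
        chmod 755 "$root/wrappers/$task"
    done
}

demo() {
    dir=$(mktemp -d)
    build_layouts "$dir" deliver queue
    same_inode "$dir/main" "$dir/links/deliver" &&
        echo "links/deliver: same inode as main, same label"
    same_inode "$dir/main" "$dir/wrappers/deliver" ||
        echo "wrappers/deliver: own inode, can carry its own type"
    "$dir/wrappers/deliver" arg1
    rm -rf "$dir"
}

demo
```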
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |