SELinux Mailing List: Re: ssh policy hassles
From: Diyab <diyab_at_diyab.net>
Date: Thu, 25 Sep 2003 20:16:11 -0400
> On Thu, 25 Sep 2003 22:55, Diyab wrote:
>
>> Dale Amon wrote:
>>
>>> On Thu, Sep 25, 2003 at 08:46:17AM +0200, Tom wrote:
>>>
>>>> You might want to define a special type for the empty dir, so you can
>>>> move it around and don't have to give sshd access to all of /var
>>
>> I did this when I installed it on Slackware. In ssh.fc I added
>>
>>     /var/empty system_u:object_r:sshd_privsep_dir_t
>>
>> and in sshd.te I added
>>
>>     type sshd_privsep_dir_t, file_type, sysadmfile;
>>
>> and
>>
>>     allow sshd_t sshd_privsep_dir_t:dir { getattr search };
>
> Why not just label it as var_run_t?

When I initially set up sshd with the default setting of /var/empty, I decided to just give it its own type in case there was ever a need to change the privsep location or the permissions it needs.

> In my latest policy I have the privsep directory (which is under /var/run in
> Debian) labeled as var_run_t. In the case of sshd as a daemon it can create
> files under that, but in the case of sshd run from inetd (which is what you
> will be doing if you want to lock down sshd) then it gets { getattr search }
> access.

What do you get by running sshd through inetd that you don't get by running sshd alone?

Timothy,

--
I put instant coffee in a microwave and almost went back in time. -- Steven Wright

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

Received on Thu 25 Sep 2003 - 20:16:19 EDT
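To make the trade-off in this exchange concrete, here is an added example (not from the original mail, nor from the SELinux reference policy): a toy checker over constructed .fc entries and TE allow rules that reports which directories sshd_t may `getattr`/`search` under each labelling choice. The /var/run paths and the var_run_t allow rule are constructed for illustration; only the sshd_privsep_dir_t lines come from the mail.

```python
import re

# Constructed .fc samples: a regex path and a security context per line.
# In .fc matching the last matching entry wins, so more specific lines go later.
FC_DEDICATED = """
/var/run(/.*)?   system_u:object_r:var_run_t
/var/empty       system_u:object_r:sshd_privsep_dir_t
"""
FC_VAR_RUN = """
/var/run(/.*)?   system_u:object_r:var_run_t
/var/empty       system_u:object_r:var_run_t
"""

# Choice A (from the mail) versus choice B (the alternative raised in the thread).
POLICY_DEDICATED = "allow sshd_t sshd_privsep_dir_t:dir { getattr search };"
POLICY_VAR_RUN = "allow sshd_t var_run_t:dir { getattr search };"  # constructed

# Constructed directories a real system might carry under these labels.
DIRS = ["/var/empty", "/var/run", "/var/run/dbus", "/var/run/screen"]

ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+\{([^}]*)\};")

def parse_fc(text):
    """Return [(compiled path regex, type)] from .fc-style lines."""
    entries = []
    for line in text.strip().splitlines():
        path_re, ctx = line.split()
        entries.append((re.compile("^" + path_re + "$"), ctx.split(":")[2]))
    return entries

def parse_allow(text):
    """Return {(source, target, class): set(perms)} from TE allow rules."""
    rules = {}
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        rules.setdefault((src, tgt, cls), set()).update(perms.split())
    return rules

def label_of(path, fc):
    """Type of the last .fc entry whose regex matches `path` (None if unlabelled)."""
    return next((typ for rx, typ in reversed(fc) if rx.match(path)), None)

def reachable_dirs(domain, paths, fc, rules, needed=("getattr", "search")):
    """Directories in `paths` on which `domain` holds every permission in `needed`."""
    return [p for p in paths
            if set(needed) <= rules.get((domain, label_of(p, fc), "dir"), set())]

if __name__ == "__main__":
    for name, fc, pol in (("dedicated type", FC_DEDICATED, POLICY_DEDICATED),
                          ("var_run_t", FC_VAR_RUN, POLICY_VAR_RUN)):
        print(name, "->", reachable_dirs("sshd_t", DIRS, parse_fc(fc), parse_allow(pol)))
```

With the dedicated type, sshd_t can only search /var/empty; relabelling the directory var_run_t requires an allow rule that also opens every other var_run_t directory to the domain.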
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009