SELinux Mailing List

Re: ssh policy hassles

From: Diyab <diyab_at_diyab.net>
Date: Thu, 25 Sep 2003 20:16:11 -0400


Russell Coker wrote:

> On Thu, 25 Sep 2003 22:55, Diyab wrote:
> 

>>Dale Amon wrote:
>>
>>>On Thu, Sep 25, 2003 at 08:46:17AM +0200, Tom wrote:
>>>
>>>>You might want to define a special type for the empty dir, so you can
>>>>move it around and don't have to give sshd access to all of /var
>>
>>I did this when I installed it on slackware. In ssh.fc I added
>>
>> /var/empty system_u:object_r:sshd_privsep_dir_t
>>
>>and in sshd.te I added
>>
>> type sshd_privsep_dir_t, file_type, sysadmfile;
>>
>>and
>>
>> allow sshd_t sshd_privsep_dir_t:dir { getattr search };
> 
> 
> Why not just label it as var_run_t?

When I initially set up sshd with the default setting of /var/empty I decided to just give it its own type in case there was ever a need to change the privsep location or the permissions it needs.

> In my latest policy I have the privsep directory (which is under /var/run in 
> Debian) labeled as var_run_t.  In the case of sshd as a daemon it can create 
> files under that, but in the case of sshd run from inetd (which is what you 
> will be doing if you want to lock down sshd) then it gets { getattr search } 
> access.

What do you get by running sshd through inetd that you don't get by running sshd alone?

Timothy,

-- 
I put instant coffee in a microwave and almost went back in time.
		-- Steven Wright


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Thu 25 Sep 2003 - 20:16:19 EDT
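The ssh.fc line quoted above only has the intended effect if the file-contexts lookup picks it over the more general /var entries. Setfiles and matchpathcon treat each file_contexts entry as a regular expression anchored to the whole path and, where several entries match, use the last match in the file (which is why more specific entries are placed later). The resolver below is an added illustration of that rule, not code from the thread or from any SELinux tool: it parses a small constructed file_contexts fragment (the /var and /var/run entries are assumed, modelled on the example policy; the /var/empty line is the one from the message) and shows which type /var/empty and the Debian-style /var/run privsep directory receive, and that putting the specific entry first would silently lose it to the /var(/.*)? entry.

```python
import re
from typing import List, NamedTuple, Optional


class FcEntry(NamedTuple):
    regex: "re.Pattern"      # path regex, anchored to the whole path as setfiles does
    ftype: Optional[str]     # None = any object class; "-d" = directory, "--" = regular file, ...
    context: str             # e.g. "system_u:object_r:sshd_privsep_dir_t"


def parse_file_contexts(text: str) -> List[FcEntry]:
    """Parse file_contexts syntax: <regex> [<type field>] <context>, '#' comments, blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 2:
            pattern, ftype, context = fields[0], None, fields[1]
        elif len(fields) == 3:
            pattern, ftype, context = fields
        else:
            raise ValueError("malformed file_contexts line: %r" % raw)
        entries.append(FcEntry(re.compile("^(?:" + pattern + ")$"), ftype, context))
    return entries


def match_path(entries: List[FcEntry], path: str, is_dir: bool = False) -> Optional[str]:
    """Return the context for path under the setfiles rule: the LAST matching entry wins."""
    want = "-d" if is_dir else "--"
    result = None
    for e in entries:
        if e.ftype not in (None, want):
            continue               # entry restricted to another object class
        if e.regex.match(path):
            result = e.context     # keep going; a later match overrides this one
    return result


# Constructed fragment: the two /var entries are assumed (example-policy style),
# the /var/empty entry is the one added to ssh.fc in the message above.
SAMPLE_FC = """
/var(/.*)?          system_u:object_r:var_t
/var/run(/.*)?      system_u:object_r:var_run_t
/var/empty      -d  system_u:object_r:sshd_privsep_dir_t
"""

# Same entries with the specific one first: the generic /var entry now matches last.
MISORDERED_FC = """
/var/empty      -d  system_u:object_r:sshd_privsep_dir_t
/var(/.*)?          system_u:object_r:var_t
/var/run(/.*)?      system_u:object_r:var_run_t
"""


def resolve(fc_text: str, path: str, is_dir: bool = False) -> Optional[str]:
    return match_path(parse_file_contexts(fc_text), path, is_dir)


if __name__ == "__main__":
    for fc_name, fc in (("ordered", SAMPLE_FC), ("misordered", MISORDERED_FC)):
        for path in ("/var/empty", "/var/run/sshd", "/var/log/messages"):
            print(fc_name, path, "->", resolve(fc, path, is_dir=True))
```

With the ordered fragment, /var/empty resolves to sshd_privsep_dir_t while /var/run/sshd (the Debian location Russell mentions) resolves to var_run_t, which is the split the thread is discussing. With the misordered fragment the dedicated type is never applied, so after a relabel sshd would be denied search on a var_t directory even though the allow rule for sshd_privsep_dir_t is in place; checking the result with matchpathcon before relabeling catches this.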
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009


National Security Agency / Central Security Service