Needs to prevent executing su.
Russell Coker
russell at coker.com.au
Sat Jun 12 08:18:20 UTC 2004
On Sat, 12 Jun 2004 04:59, Thomas Bleher <bleher at informatik.uni-muenchen.de> wrote:
> Setting the uid in a program should be covered by the setuid capability,
> so this is controllable by SELinux policy. What is not covered (IIRC)
> are setuid executables.
Yes, the setuid capability covers the ability to call the setuid() system
call. If a setuid binary has a type that triggers a domain_auto_trans() rule
then the target domain will be checked for setuid capability.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
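The two rules the reply refers to, written out as a policy fragment. This is an added illustration, not part of the original post or of any shipped policy; the names user_t, su_exec_t and su_t follow the old example-policy convention and are assumed, as is the macro argument order (source domain, entrypoint type, target domain).

```selinux
# Assumed names (example-policy style): user_t is the caller's domain,
# su_exec_t labels the su binary, su_t is the domain su runs in.
# Executing a file of type su_exec_t from user_t transitions into su_t.
domain_auto_trans(user_t, su_exec_t, su_t)

# The transition by itself does not let su change uid. The setuid() call is
# checked against the *target* domain, so su_t needs the capability itself.
# Variant A: su is allowed to switch users.
allow su_t self:capability { setuid setgid };

# Variant B (use instead of A, not together with it): su still runs in su_t,
# but setuid() is denied, so it cannot change uid. The call fails with EPERM
# and the kernel records an AVC denial in the audit log, which is the event
# to alert on, e.g.
#   avc: denied { setuid } for ... scontext=...:su_t ... tclass=capability
neverallow su_t self:capability setuid;
```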