Usercreation-policy

Nils Philippsen nphilipp at redhat.com
Thu Sep 25 06:42:54 UTC 2003


On Wed, 2003-09-24 at 22:06, Enrico Scholz wrote:
> * within a SELinux context, you can need several helper-daemons
>   (e.g. identd, or a monitoring-daemon) which would run with the
>   same uid as the main-daemon and could access this daemon itself
>   (kill(2), ptrace(2)) or its files.

I don't think you would allow the daemons to ptrace() things, would you?
Having kill() is another thing, but being the naïve person that I am I
suspect that you can restrict kill() to children of the respective
process. Anyway, you need to make daemons SELinux aware to utilize it so
you'd have to allow only e.g. "accepting network connections", "writing
files" or something similar to the processes which needed to do it.

But I'm a complete newbie w.r.t. SELinux so maybe I'm talking nonsense
here -- in that case feel free to be entertained ;-).

Nils
-- 
     Nils Philippsen    /    Red Hat    /    nphilipp at redhat.com
"They that can give up essential liberty to obtain a little temporary
 safety deserve neither liberty nor safety."     -- B. Franklin, 1759
 PGP fingerprint:  C4A8 9474 5C4C ADE3 2B8F  656D 47D8 9B65 6951 3011
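The kind of policy Nils is describing, as an added illustration that is not part of this thread and not taken from any Fedora or Red Hat policy. It is a refpolicy-style type enforcement fragment with hypothetical domain and type names (mydaemon_t, myhelper_t, mydaemon_var_t); the domain-transition and file-labelling interface calls a real module would also need are omitted. The point it demonstrates is that with type enforcement the two daemons can share a uid and still be kept apart: the main daemon is allowed only to accept connections and write its own files, and the helper is explicitly denied signal and ptrace access to it.

```selinux
# Added example (hypothetical type names); not from the thread or any shipped policy.
policy_module(mydaemon, 1.0)

type mydaemon_t;            # main daemon
type myhelper_t;            # helper (e.g. identd or a monitor), same uid at the DAC level
type mydaemon_var_t;        # files the main daemon writes

# The main daemon may accept network connections ...
allow mydaemon_t self:tcp_socket { create bind listen accept read write getattr setopt };

# ... and write to its own files and directories, nothing else is granted here.
allow mydaemon_t mydaemon_var_t:dir  { search getattr write add_name remove_name };
allow mydaemon_t mydaemon_var_t:file { create open read write append getattr unlink };

# The helper may check that the daemon is alive (kill(pid, 0) -> signull)
# and read its files, but it may not write them.
allow myhelper_t mydaemon_t:process signull;
allow myhelper_t mydaemon_var_t:dir  { search getattr };
allow myhelper_t mydaemon_var_t:file { open read getattr };

# Denied in the policy build itself: the helper can neither signal nor
# ptrace the main daemon even though both run under the same uid.
neverallow myhelper_t mydaemon_t:process { signal sigkill sigstop ptrace };
```

Neither process has to be "SELinux aware" for this to take effect; the kernel checks the process class permissions on kill(2) and ptrace(2) regardless of what the programs know. After loading a module built from a fragment like this, `sesearch -A -s myhelper_t -t mydaemon_t -c process` (from setools) shows exactly which process permissions the helper has been granted on the daemon, and the neverallow statement makes the policy compiler reject any later rule that would add signal or ptrace back in.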
