Re: Yee-HAH! 'smartd' issues 70 avc's when it tries to send mail...

On Tue, 07 Dec 2004 10:24:54 EST, Daniel J Walsh said:

> Can you try this patch

Will let you know after I get a chance to test at a reboot, but at first
eyeball it looks close to workable, if not elegant.  Probably be tomorrow
before I have feedback on this one...

> +can_exec(fsdaemon_t, { sbin_t bin_t shell_exec_t }
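Review bot: the quoted line is missing the closing parenthesis of the can_exec() call; as shown, `can_exec(fsdaemon_t, { sbin_t bin_t shell_exec_t }` has no matching `)`, so either the quote truncated it or the macro invocation will not parse when the policy is built. Separately, granting fsdaemon_t execute access to all of sbin_t, bin_t and shell_exec_t lets the daemon run essentially any system binary or shell, which is far broader than the mail hand-off smartd actually needs; if the aim is only to let it reach the mailer, a single entry for the mailer's own type (sendmail_exec_t is mentioned later in this reply) keeps the domain's reach much smaller and the resulting policy easier to audit.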

Definitely more sledgehammer than elegance here. :)

I'm wondering if it would make more sense to push a patch upstream to the
kernel-utils crew.  Reading the smartd manpage in more detail, it looks like
feeding it a '-M exec /usr/sbin/sendmail' (or building with that as the
default) would let us only have to add sendmail_exec_t rather than all those.

I'll try your patch, and then see where I can get with the 'invoke sendmail
directly' route.

I'm not sure what we want to do here - even if we fix the flood of avc's for
the default case, the smartmontools documentation has examples of invoking
arbitrary shell scripts with -M (which of course means the obvious).  What
direction do we want to take here?  Where should sites that need to add
other 'can_exec' entries be putting them?

