Script to check security?
Valdis.Kletnieks at vt.edu
Fri May 28 17:11:14 UTC 2004
On Fri, 28 May 2004 11:51:38 CDT, Bob Gustafson <bobgus at rcn.com> said:
> >/datastore/mydata(/.*)? system_u:object_r:mysqld_db_t
> >/datastore(/.*)? system_u:object_r:mysqld_db_t
> >
> > (Hint - what happens if there's a /datastore/otherstuff directory?)
> Assuming that /datastore/mydata(/.*) is more restrictive than
> /datastore(/.*), the testing probe could be a small program that 'looks
> like' mysqld (assumes same roles with same selinux tags as mysqld) which
> tries to access files in the 'crack' between /datastore/mydata and
> /datastore. As part of the testing procedure, files could be dropped in the
> 'crack' for this test program to access.
Yes. However, you just forgot to verify that SAS still works when accessing
its datasets in /datastore/otherstuff because it's labeled mysql_db_t instead
of whatever it should have been for SAS...
Or maybe it wasn't SAS, but Mathematica. Or was it that other app???
(Yes, it was a trick question to make a point....)
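The overlap behind the trick question, as an added example that is not part of the original message: a small Python check that resolves which of the two quoted patterns labels a path and lists paths outside `/datastore/mydata` that still end up as `mysqld_db_t`. The sample paths and function names are constructed for illustration, and the "longest literal prefix wins" precedence is a simplifying assumption, not libselinux's exact ordering.

```python
import re

# The two file_contexts patterns quoted in the thread (file-type field omitted).
RULES = [
    ("/datastore/mydata(/.*)?", "system_u:object_r:mysqld_db_t"),
    ("/datastore(/.*)?", "system_u:object_r:mysqld_db_t"),
]

# Constructed sample tree; otherstuff stands in for another application's data.
SAMPLE_PATHS = [
    "/datastore/mydata/ibdata1",
    "/datastore/otherstuff",
    "/datastore/otherstuff/run1.sas7bdat",
    "/home/bob/notes.txt",
]

META = re.compile(r"[.^$?*+|\[({]")


def stem_len(pattern):
    """Length of the literal prefix before the first regex metacharacter."""
    m = META.search(pattern)
    return m.start() if m else len(pattern)


def resolve(path, rules=RULES):
    """Return the (pattern, context) that labels path, or None if nothing matches.

    Assumption: among matching rules the longest literal prefix wins.
    file_contexts patterns are anchored at both ends, hence fullmatch.
    """
    hits = [(p, c) for p, c in rules if re.fullmatch(p, path)]
    return max(hits, key=lambda r: stem_len(r[0]), default=None)


def unintended(paths, intended_prefix, rules=RULES):
    """Paths outside intended_prefix that the rules label anyway."""
    out = []
    for path in paths:
        hit = resolve(path, rules)
        inside = path == intended_prefix or path.startswith(intended_prefix + "/")
        if hit and not inside:
            out.append((path, hit[0], hit[1]))
    return out


if __name__ == "__main__":
    for path, pattern, ctx in unintended(SAMPLE_PATHS, "/datastore/mydata"):
        print(f"{path} -> {ctx} (via {pattern})")
```

A probe that only tests whether the mysqld domain can reach these paths would pass here; the list above is what tells you some other application's files picked up the database type.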
More information about the fedora-selinux-list
mailing list