
Re: Experiences with selinux enabled targetted on Fedora Core 3



On Tuesday 19 April 2005 12:25, Valdis Kletnieks vt edu wrote:
> > In those cases a dontaudit rule will usually do the job.  If the file
> > system is not mounted then there's nothing that the application can
> > usefully do under the mount point and ENOENT and EACCES usually
> > get the same code paths in most applications that try to open files.
>
> In my case, actually labelling the directories correctly was the better
> fix.

For you maybe.  In a general sense it isn't.  We have no automatic system for 
using umount or mount --bind to allow labelling of such mount points and we 
can't expect most users to be able to do it.

> Personally, I'm not thrilled by the idea of sticking in dontaudit rules to
> quiet complaints at boot time that are caused by directories that are
> mislabelled.

Why not?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

