[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: New policy for DCC



On Monday 25 April 2005 21:14, David Hampton <hampton-rh rainbolthampton net> 
wrote:
> On Fri, 2005-04-22 at 00:54 +1000, Russell Coker wrote:
> > Firstly daemons should not be started with su.
>
> Agreed, but thats how the designer of DCC implemented it.

So it's up to the distribution maintainers (people such as us) to correct this 
mistake.

> > Why do you use init_service_domain() and domain_auto_trans(initrc_t,
> > dcc_script_exec_t, dcc_script_t)?
> >
> > Surely the daemon is to be started either from inittab or from an
> > /etc/init.d script but not both.
>
> Its started from /etc/init.d or by hand.  I'll correct the policy to
> remove init_service_domain.

OK, then daemon_base_domain() or daemon_domain() is what you want.

> > Putting a unix domain socket in /etc is wrong.  Among other things it
> > will probably break things for anyone who wants to run with a read-only
> > root file system.
>
> Agreed.  This was moved from /var/dcc to /etc by the packager.  I've
> submitted a patch to restore it to the /var/dcc directory.  In the mean
> time I wrote the policy to work with either location.

OK, but when you publish policy please publish it to work with the fixed 
package.

> > I feel confident in guessing that it's not
> > nearly half as complex as Postfix and doesn't need so many domains.
> > Excessive domains makes the policy difficult to analyse.  For starters
> > dccifd_t and dccm_t can be merged.
>
> I have no problem reducing the number of domains.  I got the impression
> somewhere that each executable should be its own domain.  Would three
> domains be reasonable (the server, clients that connect to the server,
> everything else), or just two (executables that access the network and
> the utility programs)?

Try it with three.  Once I see working policy for three domains I can make a 
better judgement as to whether it would be best expressed as two domains.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]