New policy for DCC
Russell Coker
russell at coker.com.au
Mon Apr 25 20:39:33 UTC 2005
On Monday 25 April 2005 21:14, David Hampton <hampton-rh at rainbolthampton.net>
wrote:
> On Fri, 2005-04-22 at 00:54 +1000, Russell Coker wrote:
> > Firstly daemons should not be started with su.
>
> Agreed, but thats how the designer of DCC implemented it.
So it's up to the distribution maintainers (people such as us) to correct this
mistake.
> > Why do you use init_service_domain() and domain_auto_trans(initrc_t,
> > dcc_script_exec_t, dcc_script_t)?
> >
> > Surely the daemon is to be started either from inittab or from an
> > /etc/init.d script but not both.
>
> Its started from /etc/init.d or by hand. I'll correct the policy to
> remove init_service_domain.
OK, then daemon_base_domain() or daemon_domain() is what you want.
> > Putting a unix domain socket in /etc is wrong. Among other things it
> > will probably break things for anyone who wants to run with a read-only
> > root file system.
>
> Agreed. This was moved from /var/dcc to /etc by the packager. I've
> submitted a patch to restore it to the /var/dcc directory. In the mean
> time I wrote the policy to work with either location.
OK, but when you publish policy please publish it to work with the fixed
package.
> > I feel confident in guessing that it's not
> > nearly half as complex as Postfix and doesn't need so many domains.
> > Excessive domains makes the policy difficult to analyse. For starters
> > dccifd_t and dccm_t can be merged.
>
> I have no problem reducing the number of domains. I got the impression
> somewhere that each executable should be its own domain. Would three
> domains be reasonable (the server, clients that connect to the server,
> everything else), or just two (executables that access the network and
> the utility programs)?
Try it with three. Once I see working policy for three domains I can make a
better judgement as to whether it would be best expressed as two domains.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
More information about the fedora-selinux-list
mailing list