New Policy Doesn't Fix It

Colin Walters walters at
Fri Jun 17 12:18:36 UTC 2005

On Fri, 2005-06-17 at 08:03 -0400, Stephen Smalley wrote:

> Hmm...well, if so, please limit to the targeted/domains/unconfined.te
> file and don't alter the unconfined_domain() macro.  Looks like you are
> already allowing execmod to a variety of types in the targeted
> unconfined.te, but not to all file types.

We also need to do so for initrc_t at least, because that is now the
domain that services run under by default in FC4.  It would be nice
though if we could go back to using unconfined_t there, but it seems
complicated.  Could we do something like:

domain_auto_trans(initrc_t, exec_type - targeted_exec_type, unconfined_t) 

Would need to give e.g. httpd_exec_t the targeted_exec_type attribute,
and I'm not sure attribute subtraction works.

> Given the permissive nature of targeted policy (e.g. boolean defaults
> for apache and execmem/execmod are permissive), I think the release
> notes or SELinux FAQ should in the future give instructions on how to
> tighten up the settings for admins who want to do so.  Otherwise, they
> aren't likely to even think about it.

Absolutely, this would make a good entry in the FAQ.  Although I'd
personally really like to see a Fedora security guide, these booleans
would be mentioned there too.

More information about the fedora-selinux-list mailing list