New policy for yam
Daniel J Walsh
dwalsh at redhat.com
Thu Mar 17 19:30:31 UTC 2005
David Hampton wrote:
>On Tue, 2005-03-15 at 09:20 -0500, Daniel J Walsh wrote:
>
>
>
>>Why did you create a yam_crond_t? Why not just transition to yam_t from
>>crond?
>>
>>
>
>When I first started working on the policy I was trying to be as
>restrictive as possible and differentiate between what peripheral files
>could be opened when running yam from the command line vs. when running
>from cron. For example, the cron version requires less access to the
>terminal and no access to a ssh file descriptor. The two instances also
>try reading their dot files from different directories.
>
>I wrote this policy just after writing an exim policy that distinguished
>between user, sysadm, and system invocations of the program. Perhaps I
>went overboard here.
>
>David
>
>P.S. I'm still tweaking the exim policy. I'll probably post it in a
>week or so.
>
>
>
>
I was just question almost doubling of rules and increase in complexity
for little gain in security.
Dan
--
More information about the fedora-selinux-list
mailing list