/sbin/restorecon and hard links
John Reiser
jreiser at BitWagon.com
Wed Feb 15 15:44:43 UTC 2006
Stephen Smalley wrote:
> BTW, it is important to remember here that targeted policy doesn't try
> to confine users (just specific programs and daemons) and that
> relabeling /etc/passwd or other system files doesn't give the user any
> greater access since he is already unconfined as far as SELinux is
> concerned.
That's true for SELinux policy itself. However, the Linux kernel _does_
confine users, independent of "external [to the kernel]" SELinux policy,
as an unavoidable part of the complete selinux package. Namely, the
restrictions on execmod and execmem can make life difficult for legitimate
software which uses non-mainstream techniques to achieve higher performance
and/or create a richer debugging environment. Even in targeted mode,
SELinux has greater-than-zero operational costs for non-targeted software.