package review?

Peter Harmsen phaceton at gmail.com
Sat Jul 22 13:21:10 UTC 2006


Perhaps a bit off topic.
But since it is security related I might as well ask it.

What do the diverse exec-shield settings 3, 11, 9 mean?
By default I have exec-shield=9. Setting it to 2 works too.

Kind regards,

Peter

On 7/22/06, Paul Howarth <paul at city-fan.org> wrote:
> On Fri, 2006-07-21 at 14:14 -0700, Michael Thomas wrote:
> > > You should check that the transition has happened by running ps with the
> > > "-Z" option to show the process context when you're running the
> > > application.
> >
> > It shows up as crossfire_exec_t because...
>
> crossfire_exec_t? Not crossfire_t?
>
> > > Note that most things running confined under targeted policy are started
> > > from initscripts and there is no transition from unconfined_t needed (or
> > > wanted). That's not the case here though.
> >
> > ...it is started from an init script.  Normal (unconfined) users should
> > not be starting this by hand.  Instead, normal users will run the client
> > application which connects to this server.  In this case, it sounds like
> > I don't need the rule to transition from unconfined_t.
>
> Right; I must have missed the initscript in the files list.
>
> So yes, you are correct that you don't need (or even want) the transition from unconfined_t.
>
> > >>Some things that would be nice to clarify:
> > >>
> > >>Should selinux be added as a subpackage or automatically included in the
> > >>base package?
> > >
> > >
> > > I don't have a strong opinion either way on this. I've tended to stick
> > > to keeping everything together because I find it easier to manage that
> > > way. As long as the SELinux bits don't get in the way of people not
> > > using them, I don't think it's a problem.
> >
> > I think I would prefer to use a separate package (not integrated with
> > the base package), so that the policy can be turned on and off by simply
> > installing/uninstalling the -selinux package.
>
> Bear in mind that there should be a crossfire_disable_trans boolean that
> would turn off the policy (or rather the transition to crossfire_t) when
> set, without having to uninstall the policy.
>
> Paul.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>


-- 
I have made this letter longer than usual, because I lack the time to
make it short.
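
Added example (not part of the original thread): a shell check for the advice quoted above about confirming the domain transition with `ps -Z`, comparing the running process's SELinux type against the expected domain `crossfire_t`. The process name `crossfire`, the function name `domain_status` and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Classify the SELinux type of a process from "LABEL COMMAND" lines on stdin.
# Prints: "confined", "wrong-type <type>", or "not-running".
#   $1 = expected process domain (crossfire_t in the thread)
#   $2 = command name to look for (assumed here to be "crossfire")
# On a live system the input would come from:
#   ps -eo label,comm | domain_status crossfire_t crossfire
domain_status() {
    awk -v want="$1" -v comm="$2" '
        $2 == comm {
            split($1, ctx, ":")      # context is user:role:type[:level]
            found = 1
            if (ctx[3] != want) { bad = 1; seen = ctx[3] }
        }
        END {
            if (!found)   print "not-running"
            else if (bad) print "wrong-type " seen
            else          print "confined"
        }'
}

# Constructed sample output, not captured from a real system.
# Daemon started from its init script and transitioned as intended:
SAMPLE_OK='LABEL                            COMMAND
system_u:system_r:syslogd_t      syslogd
system_u:system_r:crossfire_t    crossfire'

# No transition happened: the daemon is still in the init script domain.
SAMPLE_NO_TRANSITION='LABEL                            COMMAND
system_u:system_r:initrc_t       crossfire'

# A type other than the expected domain is reported verbatim, for example
# the crossfire_exec_t value questioned in the thread (level suffix included
# to show that a fourth field does not affect the parse).
SAMPLE_EXEC_TYPE='LABEL                               COMMAND
system_u:system_r:crossfire_exec_t:s0  crossfire'

for sample in "$SAMPLE_OK" "$SAMPLE_NO_TRANSITION" "$SAMPLE_EXEC_TYPE"; do
    printf '%s\n' "$sample" | domain_status crossfire_t crossfire
done
```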
