SELinux and /proc

Stephen Smalley sds at tycho.nsa.gov
Tue Mar 14 16:20:13 UTC 2006


On Tue, 2006-03-14 at 17:10 +0100, Dawid Gajownik wrote:
> On 03/06/2006 01:02 PM, Ron Yorston wrote:
> > I found that several processes weren't being listed by 'ps ax' when
> > run as an ordinary user but were when run as root.
> 
> I like this feature! Unfortunately, it's disabled in the new
> selinux-policy package :/ Would it be possible to turn it on via
> setsebool or semanage?

What precisely did you like about it?  If you use -strict or -mls
policy, then unprivileged users should be restricted in what they can
see in /proc (and thus ps output).  For -targeted, users aren't supposed
to be confined (just specific daemons), and the MCS component in
-targeted is really a discretionary model, unlike MLS.

-- 
Stephen Smalley
National Security Agency




More information about the fedora-selinux-list mailing list