more fine grained access in /etc

Torbjørn Lindahl torbjorn.lindahl at gmail.com
Tue Sep 18 11:03:13 UTC 2007


Good point.
I probably can live with that.

Still I am not sure if I would like it to have full access to all files
labelled etc_t . It would be nice to be able to single out only a few of
them. Perhaps I should look at something other than the targeted policy.

On 9/17/07, Daniel J Walsh <dwalsh at redhat.com> wrote:
> Torbjørn Lindahl wrote:
> > Hello, I am writing an application that I want to limit using SELinux.
> >
> > audit.log shows that it wants access to /etc/nsswitch.conf and /etc/hosts,
> > which doesn't seem too unreasonable; however both these have type etc_t,
> > and allowing myapp_t to read etc_t would also give it access to, for
> > example, /etc/passwd, which I do not want.
> >
> > Do I have to invent a new type for these two files to be able to keep my
> > application from the other etc_t files in /etc?
>
> Yes you can, but the more different file_context that you have in /etc,
> the harder they will be to maintain.
>
> Reading /etc/passwd is not as dangerous as being able to read
> /etc/shadow.  So consider if this is really necessary.



-- 
mvh
Torbjørn Lindahl
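As an illustration of the "invent a new type" route the reply mentions (added here, not code from either poster), this is a small reference-policy module that gives the two files their own type and lets the application read only that type, never etc_t. The domain myapp_t comes from the thread; the module name, the type name myapp_etc_t, and the listing of the .te and .fc files together are assumptions.

```selinux
# myapp_etc.te  (hypothetical module name)
policy_module(myapp_etc, 1.0)

require {
    type myapp_t;        # the application domain named in the thread
}

# A dedicated type for just the two files the application needs.
type myapp_etc_t;
files_type(myapp_etc_t)

# myapp_t may read files of the new type only; no rule grants etc_t,
# so /etc/passwd and the rest of /etc remain off limits to it.
allow myapp_t myapp_etc_t:file read_file_perms;

# Searching /etc itself is still required to reach the files.
files_search_etc(myapp_t)

# myapp_etc.fc  (file contexts that restorecon applies to the two files)
/etc/nsswitch\.conf    --    gen_context(system_u:object_r:myapp_etc_t,s0)
/etc/hosts             --    gen_context(system_u:object_r:myapp_etc_t,s0)
```

After building the module with the policy devel Makefile, loading it with semodule -i and relabelling the two files with restorecon, every other domain that reached these files through etc_t needs its own rule for myapp_etc_t; that is the maintenance cost the reply warns about.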