more fine grained access in /etc

Torbjørn Lindahl torbjorn.lindahl at gmail.com
Wed Sep 19 09:09:14 UTC 2007


I see. In that case I am not going to push this topic much further. Thanks
for your assistance!

But wouldn't it be nice to have an allow mechanism in SELinux in which I
could grant access based on its existing access. What I want to achieve is
to be able to add a rule like "If process can read etc_t, then it can also
read etc_foo_t"

That would allow me to change the context of individual files, and grant access
to them to processes that already have etc_t, and I wouldn't have to redefine
almost the entire selinux context tree just to target a few individual files
in /etc for my app.

T.

On 9/18/07, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
>
> Torbjørn Lindahl wrote:
> > Good point.
> > I probably can live with that.
> >
> > Still I am not sure if I would like it to have full access to all files
> > labelled etc_t . It would be nice to be able to single out only a few of
> > them. Perhaps I should look at something other than the targeted policy.
> >
> > On 9/17/07, Daniel J Walsh <dwalsh at redhat.com> wrote:
> > Torbjørn Lindahl wrote:
> >>>> Hello, I am writing an application that I want to limit using
> >>>> selinux.
> >>>>
> >>>> audit.log shows that it wants access to /etc/nsswitch.conf and
> >>>> /etc/hosts - which doesn't seem too unreasonable, however both these
> >>>> have types etc_t, and allowing myapp_t to read etc_t would also give
> >>>> it access to for example /etc/passwd, which I do not want.
> >>>>
> >>>> Do I have to invent a new type for these two files to be able to keep
> >>>> my application from the other etc_t files in /etc ?
> >>>>
> >>>> ------------------------------------------------------------------------
> >>>>
> >>>> --
> >>>> fedora-selinux-list mailing list
> >>>> fedora-selinux-list at redhat.com
> >>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> > Yes you can, but the more different file_context that you have in /etc,
> > the harder they will be to maintain.
> >
> > Reading /etc/passwd is not as dangerous as being able to read
> > /etc/shadow.  So consider if this is really necessary.
> >>
>
> All of the current policies including mls allow reading of etc_t for
> most domains, and /etc/passwd is labeled etc_t.
>



-- 
mvh
Torbjørn Lindahl
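The per-file route Daniel says is possible, written out as an added example policy module (not code from this thread, from Fedora, or from the reference policy): a dedicated type for one file in /etc, a file context entry for it, and a read rule for the application's own domain. The module name, myapp_etc_t, myapp_t and /etc/myapp.conf are placeholders; the refpolicy interfaces files_config_file, files_search_etc and read_files_pattern are assumed to be available in the policy development headers on the build host.

```selinux
## myapp_etc.te  (added example; module, type and path names are placeholders)
policy_module(myapp_etc, 1.0)

# The application's own domain is assumed to be defined in another module.
gen_require(`
    type myapp_t;
')

# A dedicated type for the small set of /etc files this application needs.
# files_config_file() (assumed refpolicy interface) makes it a file type and
# marks it as an /etc configuration file.
type myapp_etc_t;
files_config_file(myapp_etc_t)

# The application must be able to search the /etc directory itself (etc_t)
# to reach files inside it; this grants dir search only, not file reads.
files_search_etc(myapp_t)

# Read-only access to files of the new type. No rule mentions etc_t for file
# access, so /etc/passwd and every other etc_t file stay unreadable by myapp_t.
read_files_pattern(myapp_t, myapp_etc_t, myapp_etc_t)

## myapp_etc.fc  (added example; path is a placeholder)
# Label the application's own configuration file. Adding shared files such as
# /etc/nsswitch.conf or /etc/hosts here would relabel them for every domain on
# the system, see the note below.
/etc/myapp\.conf    --    gen_context(system_u:object_r:myapp_etc_t,s0)
```

Build and load on a Fedora host with the policy development package installed: `make -f /usr/share/selinux/devel/Makefile myapp_etc.pp`, then `semodule -i myapp_etc.pp` and `restorecon -v /etc/myapp.conf` to apply the new label. Two checks confirm the intended scope: `ls -Z /etc/myapp.conf` should show myapp_etc_t, and `sesearch --allow -s myapp_t -t etc_t -c file` should return nothing while the same query with `-t myapp_etc_t` shows the read rule. The caveat behind Daniel's warning: relabeling a file that the rest of the system reads through etc_t rules (nsswitch.conf and hosts are such files) silently removes that access from every domain without a matching myapp_etc_t rule, and there is no "anything that may read etc_t may also read this" construct to restore it, so each additional /etc type is a maintenance obligation across the whole policy rather than only in the application's module.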