Selinux Question
Daniel J Walsh
dwalsh at redhat.com
Wed Apr 6 18:32:41 UTC 2005
Alan J. Gagne wrote:
>Based on audit2allow I added the following to the audit policy
>temporarily ( allow ifconfig_t usr_t:lnk_file read; ) so I could
>start the agent both with and without these errors.
>
>Checking the agents log and trace files showed no difference between the
>two. It looks like the process completes successfully either way.
>
>Do you have any recommendations for dontaudit I can try?
>
>Alan
>
>
>
Change

    allow ifconfig_t usr_t:lnk_file read;

to

    dontaudit ifconfig_t usr_t:lnk_file read;

This way a hacker could not trick ifconfig into following a symlink under /usr.
Dan
--
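The following is an added example, not part of the original message or of any SELinux tool: it reads AVC denial lines and emits dontaudit rules instead of allow rules, so the denial is silenced in the log while the access stays denied. The log lines are constructed samples, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample AVC denial lines (not taken from the thread).
SAMPLE_LOG = """\
audit(1112812361.101:0): avc:  denied  { read } for  pid=2841 exe=/sbin/ifconfig name=lib dev=hda2 ino=4711 scontext=user_u:system_r:ifconfig_t tcontext=system_u:object_r:usr_t tclass=lnk_file
audit(1112812361.102:0): avc:  denied  { read } for  pid=2841 exe=/sbin/ifconfig name=lib dev=hda2 ino=4711 scontext=user_u:system_r:ifconfig_t tcontext=system_u:object_r:usr_t tclass=lnk_file
audit(1112812399.007:0): avc:  denied  { getattr read } for  pid=2850 exe=/sbin/ifconfig name=share dev=hda2 ino=4712 scontext=root:system_r:ifconfig_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file
Apr  6 14:32:41 host kernel: some unrelated message
"""

# Captures the permission set, both security contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)


def context_type(context):
    """Return the type field (third) of user:role:type[:level]."""
    return context.split(":")[2]


def dontaudit_rules(log_text):
    """Merge denials per (source, target, class) and emit dontaudit rules."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        merged[key].update(m["perms"].split())
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        plist = sorted(perms)
        # A single permission is written bare, several go inside braces.
        perm_text = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"dontaudit {src} {tgt}:{cls} {perm_text};")
    return rules


if __name__ == "__main__":
    print("\n".join(dontaudit_rules(SAMPLE_LOG)))
```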
More information about the fedora-test-list
mailing list