
Re: Usercreation-policy



On Wed, 2003-09-24 at 22:06, Enrico Scholz wrote:
> * within a SELinux context, you may need several helper-daemons
>   (e.g. identd, or a monitoring-daemon) which would run with the
>   same uid as the main-daemon and could access this daemon itself
>   (kill(2), ptrace(2)) or its files.

I don't think you would allow the daemons to ptrace() things, would you?
Having kill() is another thing, but being the naïve person that I am I
suspect that you can restrict kill() to children of the respective
process. Anyway, you need to make daemons SELinux-aware to utilize it so
you'd have to allow only e.g. "accepting network connections", "writing
files" or something similar to the processes which needed to do it.

But I'm a complete newbie w.r.t. SELinux so maybe I'm talking nonsense
here -- in that case feel free to be entertained ;-).

Nils
-- 
     Nils Philippsen    /    Red Hat    /    nphilipp redhat com
"They that can give up essential liberty to obtain a little temporary
 safety deserve neither liberty nor safety."     -- B. Franklin, 1759
 PGP fingerprint:  C4A8 9474 5C4C ADE3 2B8F  656D 47D8 9B65 6951 3011
