Usercreation-policy
Stephen Smalley
sds at epoch.ncsc.mil
Thu Sep 25 14:24:55 UTC 2003
On Wed, 2003-09-24 at 16:06, Enrico Scholz wrote:
> * within a SELinux context, you can need several helper-daemons
> (e.g. identd, or a monitoring-daemon) which would run with the
> same uid like the main-daemon and could access this daemon itself
> (kill(2), ptrace(2)) or its files.
Each of those helper daemons can be transparently transitioned into its
own security domain by SELinux, separate from the main daemon's security
domain. And even within a single security domain, you can just refrain
from granting permission to ptrace; such permission must be explicitly
granted even within a security domain, or it is denied by default.
--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
More information about the fedora-devel-list
mailing list