Re: Usercreation-policy
- From: Stephen Smalley <sds epoch ncsc mil>
- To: fedora-devel-list redhat com
- Subject: Re: Usercreation-policy
- Date: 25 Sep 2003 10:24:55 -0400
On Wed, 2003-09-24 at 16:06, Enrico Scholz wrote:
> * within a SELinux context, you can need several helper-daemons
> (e.g. identd, or a monitoring-daemon) which would run with the
> same uid like the main-daemon and could access this daemon itself
> (kill(2), ptrace(2)) or its files.
Each of those helper daemons can be transparently transitioned into its
own security domain by SELinux, separate from the main daemon's security
domain. And even within a single security domain, you can just refrain
from granting permission to ptrace; such permission must be explicitly
granted even within a security domain, or it is denied by default.
--
Stephen Smalley <sds epoch ncsc mil>
National Security Agency
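
The separation described in the reply above, written out as a type-enforcement policy fragment. This is an added example, not part of the original message or of any shipped policy. The type names `maind_t`, `maind_data_t`, `helperd_t` and `helperd_exec_t` are hypothetical, and it assumes a base policy that declares the object classes and the `system_r` role, and that the main daemon is what launches the helper.

```selinux
# Hypothetical types for illustration; none of these names come from a real policy.
type maind_t;          # domain of the main daemon
type maind_data_t;     # type carried by the main daemon's files
type helperd_t;        # domain of the helper daemon (identd-like or a monitor)
type helperd_exec_t;   # type carried by the helper's executable

# Assumption: both daemons run in the system_r role of the base policy.
role system_r types maind_t;
role system_r types helperd_t;

# Transparent domain transition: when a maind_t process executes a file
# labelled helperd_exec_t, the new process runs in helperd_t. The uid is
# unchanged; only the security domain differs.
type_transition maind_t helperd_exec_t:process helperd_t;
allow maind_t helperd_exec_t:file { getattr read execute };
allow maind_t helperd_t:process transition;
allow helperd_t helperd_exec_t:file entrypoint;

# The main daemon's access to its own files.
allow maind_t maind_data_t:file { getattr read write append };

# There are deliberately no allow rules from helperd_t to maind_t:process
# or to maind_data_t:file. Everything not allowed is denied, so the helper
# cannot ptrace(2) or kill(2) the main daemon or open its files, even
# though both run under the same uid.

# Compile-time assertions: the policy build fails if a later change adds
# an allow rule that would grant any of these accesses.
neverallow helperd_t maind_t:process { ptrace signal sigkill sigstop };
neverallow helperd_t maind_data_t:file *;

# Within a single domain ptrace is also off unless granted explicitly
# (it would take "allow maind_t self:process ptrace;"), so assert that too.
neverallow maind_t self:process ptrace;
```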