Usercreation-policy

Nils Philippsen nphilipp at redhat.com
Fri Sep 26 10:57:21 UTC 2003


On Thu, 2003-09-25 at 16:31, Stephen Smalley wrote:
> On Thu, 2003-09-25 at 02:42, Nils Philippsen wrote:
> > Anyway, you need to make daemons SELinux aware to utilize it so
> > you'd have to allow only e.g. "accepting network connections", "writing
> > files" or something similar to the processes which needed to do it.
> 
> You don't have to make the daemon aware of SELinux in order to confine
> it with SELinux.  In some cases, you may choose to make the daemon
> SELinux-aware in order to better leverage the security mechanisms and
> provide finer-grained control, but that isn't a fundamental
> requirement.  SELinux can transparently transition the daemon into its
> own security domain based on the calling domain and the entrypoint
> executable without any awareness by the daemon itself.

Even better.

Nils
-- 
     Nils Philippsen    /    Red Hat    /    nphilipp at redhat.com
"They that can give up essential liberty to obtain a little temporary
 safety deserve neither liberty nor safety."     -- B. Franklin, 1759
 PGP fingerprint:  C4A8 9474 5C4C ADE3 2B8F  656D 47D8 9B65 6951 3011
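
Added example, not part of the original messages: the transparent transition described in the quoted reply, written as SELinux type enforcement rules. The names `mydaemon_t` and `mydaemon_exec_t` are hypothetical; `initrc_t` and `system_r` are assumed to be the init-script domain and the system role of the loaded policy.

```selinux
# Constructed fragment: mydaemon_t / mydaemon_exec_t are hypothetical names.
# initrc_t (the calling domain) and system_r are assumed to exist in the
# base policy this fragment is compiled with.

type mydaemon_t;        # domain the daemon process runs in
type mydaemon_exec_t;   # label on the daemon's executable file

# The system role may be associated with the new domain.
role system_r types mydaemon_t;

# 1. The calling domain may execute the labelled binary.
#    (Policies for current kernels also grant open and map here.)
allow initrc_t mydaemon_exec_t:file { getattr read execute };

# 2. The labelled binary is a permitted entrypoint into the daemon domain.
allow mydaemon_t mydaemon_exec_t:file entrypoint;

# 3. The calling domain may transition to the daemon domain.
allow initrc_t mydaemon_t:process transition;

# 4. Make that transition the default on exec, so it happens without any
#    request from (or change to) the daemon itself.
type_transition initrc_t mydaemon_exec_t:process mydaemon_t;
```

The executable has to carry the `mydaemon_exec_t` label for these rules to apply. Anything the daemon does after the transition needs its own `allow` rules, since type enforcement denies by default.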

More information about the fedora-devel-list mailing list