Re: Helper program for a daemon
- From: Jan-Frode Myklebust <janfrode tanso net>
- To: fedora-selinux-list redhat com
- Subject: Re: Helper program for a daemon
- Date: Thu, 26 Apr 2007 00:37:41 +0200

On 2007-04-24, Al Pacifico <adpacifico users sourceforge net> wrote:
>> That depends on your security goals. If you want the slimserver-scanner
>> to have the same privs as slimserver you would label it sbin_t and allow
>> slimserver to corecmd_exec_sbin(). If you want to go with least privs,
>> you would create a new policy for slimserver-scanner
>> (slimserver_scanner_t with file context of slimserver_scanner_exec_t)
>> and then add a rule to slimserver_t to domtrans
>> slimserver_scanner_domtrans(slimserver_t)
>
>
> I'm a little confused about this. I want to limit privileges of slimserver
> and slimserver-scanner to accessing only certain files. If I label
> slimserver-scanner as 'sbin_t', when a user executes slimserver-scanner,
> won't he/she have more privileges than slimserver then?

Yes.

If you want slimserver-scanner to have fewer privileges when executed
interactively by a user, you'll need to create a new domain for it (i.e.
not sbin_t), and transition into this domain when the user execs it.

But why would you want that? All it's doing is reading the mp3 files
and updating a database. If you limit the scanner's privileges, your
users can still step outside of this by "cp /usr/sbin/slimserver-scanner
/tmp/slimserver-scanner".

I would aim at confining the main web-based slimserver, and make sure
the slimserver-scanner executed within this process doesn't get more
privileges than absolutely necessary.

-jf
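
The least-privilege layout from the quoted advice, written out as refpolicy-style module files. This is an added example, not policy posted in the thread: the module name, its version and slimserver_music_t are assumptions, and slimserver_t is assumed to be declared by an existing slimserver module.

```selinux
# ---- slimserver_scanner.te (constructed) ----
policy_module(slimserver_scanner, 1.0.0)

# Domain for the running scanner and the label for its executable
type slimserver_scanner_t;
type slimserver_scanner_exec_t;
domain_type(slimserver_scanner_t)
domain_entry_file(slimserver_scanner_t, slimserver_scanner_exec_t)
# The daemon runs in system_r, so the helper domain must be allowed in that role
role system_r types slimserver_scanner_t;

# Hypothetical type for the music library: the scanner may list and read it only
type slimserver_music_t;
files_type(slimserver_music_t)
list_dirs_pattern(slimserver_scanner_t, slimserver_music_t, slimserver_music_t)
read_files_pattern(slimserver_scanner_t, slimserver_music_t, slimserver_music_t)

# ---- slimserver_scanner.if (constructed) ----
interface(`slimserver_scanner_domtrans',`
	gen_require(`
		type slimserver_scanner_t, slimserver_scanner_exec_t;
	')
	# $1 executing a slimserver_scanner_exec_t file enters slimserver_scanner_t
	domtrans_pattern($1, slimserver_scanner_exec_t, slimserver_scanner_t)
')

# ---- slimserver_scanner.fc (constructed) ----
/usr/sbin/slimserver-scanner	--	gen_context(system_u:object_r:slimserver_scanner_exec_t,s0)

# ---- line added to the existing slimserver.te ----
slimserver_scanner_domtrans(slimserver_t)
```

A plain copy of the binary under /tmp does not carry slimserver_scanner_exec_t, so it triggers no transition and runs in the domain of whoever started it.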