Re: more fine grained access in /etc
- From: Daniel J Walsh <dwalsh redhat com>
- To: Torbjørn Lindahl <torbjorn lindahl gmail com>
- Cc: fedora-selinux-list redhat com
- Subject: Re: more fine grained access in /etc
- Date: Tue, 18 Sep 2007 12:48:27 -0400
Torbjørn Lindahl wrote:
> Good point.
> I probably can live with that.
>
> Still I am not sure if I would like it to have full access to all files
> labelled etc_t . It would be nice to be able to single out only a few of
> them. Perhaps I should look at something other than the targeted policy.
>
> On 9/17/07, Daniel J Walsh <dwalsh redhat com> wrote:
>> Torbjørn Lindahl wrote:
>>> Hello, I am writing an application that I want to limit using selinux.
>>>
>>> audit.log shows that it wants access to /etc/nsswitch.conf and /etc/hosts -
>>> which doesn't seem too unreasonable, however both these have type etc_t,
>>> and allowing myapp_t to read etc_t would also give it access to for example
>>> /etc/passwd, which I do not want.
>>>
>>> Do I have to invent a new type for these two files to be able to keep my
>>> application from the other etc_t files in /etc ?
>>>
>> Yes you can, but the more different file contexts you have in /etc,
>> the harder they will be to maintain.
>>
>> Reading /etc/passwd is not as dangerous as being able to read
>> /etc/shadow. So consider if this is really necessary.
All of the current policies including mls allow reading of etc_t for
most domains, and /etc/passwd is labeled etc_t.
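What the "invent a new type for these two files" option looks like in practice, as an added example that is not code from this thread, from Fedora's policy or from the poster's application. It assumes the application's domain myapp_t (the name used in the thread) is already defined by another module, names the new type myapp_etc_t (a name chosen here), builds a raw policy-language module with checkmodule/semodule_package instead of the refpolicy Makefile, and relies on the domain and file_type attributes that the base policy defines. The write_policy function produces the .te and .fc files; build_and_install compiles, loads and relabels, and only runs when invoked as `sh script.sh install` as root on an SELinux system.

```shell
#!/bin/sh
# Added example: give only /etc/hosts and /etc/nsswitch.conf their own type
# (myapp_etc_t, a name chosen for this example) so that myapp_t can read them
# without being allowed to read every other etc_t file such as /etc/passwd.
set -eu

# write_policy DIR: write myapp_etc.te and myapp_etc.fc into DIR.
write_policy() {
    dir=$1
    cat > "$dir/myapp_etc.te" <<'EOF'
module myapp_etc 1.0;

require {
    type myapp_t;           # the application's domain, defined in its own module
    type etc_t;
    attribute domain;       # every process domain in the base policy
    attribute file_type;    # every on-disk file label in the base policy
    class dir { search getattr };
    class file { read getattr open };
    class lnk_file { read getattr };
}

# The new type. file_type makes restorecon, backup and admin domains treat it
# like any other file label instead of an unknown type.
type myapp_etc_t;
typeattribute myapp_etc_t file_type;

# myapp_t may read the two relabelled files. /etc itself stays etc_t, so the
# directory search cannot be avoided; it grants nothing on etc_t files.
allow myapp_t etc_t:dir { search getattr };
allow myapp_t myapp_etc_t:file { read getattr open };
allow myapp_t myapp_etc_t:lnk_file { read getattr };

# Every other domain resolves names through these two files via etc_t today.
# Without this rule the relabel breaks name resolution for all of them.
allow domain myapp_etc_t:file { read getattr open };
allow domain myapp_etc_t:lnk_file { read getattr };
EOF

    cat > "$dir/myapp_etc.fc" <<'EOF'
/etc/hosts           --  system_u:object_r:myapp_etc_t:s0
/etc/nsswitch\.conf  --  system_u:object_r:myapp_etc_t:s0
EOF
}

# build_and_install DIR: compile, package, load and relabel. Needs root plus the
# checkpolicy/policycoreutils tools; returns 2 without doing anything otherwise.
build_and_install() {
    dir=$1
    for tool in checkmodule semodule_package semodule restorecon; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing $tool" >&2; return 2; }
    done
    checkmodule -M -m -o "$dir/myapp_etc.mod" "$dir/myapp_etc.te"
    semodule_package -o "$dir/myapp_etc.pp" -m "$dir/myapp_etc.mod" -f "$dir/myapp_etc.fc"
    semodule -i "$dir/myapp_etc.pp"
    restorecon -v /etc/hosts /etc/nsswitch.conf
    ls -Z /etc/hosts /etc/nsswitch.conf /etc/passwd
}

# relabelled_paths DIR: how many /etc paths the module takes over. The thread's
# point is that this number should stay small; each entry is one more file
# context to keep in step with the distribution's own.
relabelled_paths() {
    grep -c '^/etc/' "$1/myapp_etc.fc"
}

# grants_etc_t_file_read DIR: succeeds if the module lets myapp_t read etc_t
# files, which is exactly what the split is meant to avoid.
grants_etc_t_file_read() {
    grep -Eq '^allow myapp_t etc_t:(file|lnk_file)' "$1/myapp_etc.te"
}

if [ "${1:-}" = "install" ]; then
    work=$(mktemp -d)
    write_policy "$work"
    build_and_install "$work"
fi
```

After loading, `matchpathcon /etc/hosts` should report myapp_etc_t and `sesearch --allow -s myapp_t -t etc_t -c file` should return nothing. Two caveats a reviewer would raise: the `allow domain myapp_etc_t` rule is what keeps the rest of the system working, and it also means the split only restricts myapp_t, not anyone else; and if the module is ever removed, the next restorecon puts both files back to etc_t, which is the maintenance cost the reply above refers to.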