[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Here is an interesting one



On Saturday 05 March 2005 16:17, Ivan Gyurdiev <ivg2 cornell edu> wrote:
> --- snmpd.te    2005-03-05 00:13:17.000000000 -0500
> +++ snmpd.new   2005-03-05 00:13:46.000000000 -0500
> @@ -45,6 +45,7 @@
>  allow snmpd_t proc_t:dir search;
>  allow snmpd_t proc_t:file r_file_perms;
>  allow snmpd_t self:file { getattr read };
> +allow snmpd_t self:fifo_file { read write };

In a case such as this I suggest using rw_file_perms instead of { read 
write }.  The reason is that restricting access of a domain to itself is of 
little benefit and that once the main access is granted you may as well grant 
the other accesses for the same class.  ioctl access is commonly requested, 
often a child process inherits the file handle and does not know that it's a 
pipe and will perform an ioctl to find out.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]