Adding two new booleans to httpd to tighten it's security.

Nicolas Mailhot nicolas.mailhot at laposte.net
Sat Dec 10 20:59:23 UTC 2005


On Sam 10 décembre 2005 21:37, Ulrich Drepper wrote:
> Nicolas Mailhot wrote:
>> avc:  denied  { execmem } for  pid=2950 comm="thunderbird-bin"
>> scontext=user_u:system_r:unconfined_t:s0-s0:c0.c255
>> tcontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tclass=process
>
> If this really happens then this is a terrible bug in tbird.  It's
> nothing which should be patched with the policy.  By not adding the
> support to catch these problems early the code won't be fixed.
>
> New rules are often added for a specific purpose: discover bugs in
> programs and stop existing threats.  It would be wrong to not attack
> these as soon as possible.

It really happens, at least there (and thunderbird hasn't been updated,
only selinux was - so it was happening before).

So there are lots of work to do with existing rules before even thinking
of moving to new bits like httpd port policy.

-- 
Nicolas Mailhot




More information about the fedora-selinux-list mailing list