Nagios nrpe and sudo
Stephen Smalley
sds at tycho.nsa.gov
Tue Jan 31 12:12:07 UTC 2006
On Mon, 2006-01-30 at 22:19 +0000, Martin Ebourne wrote:
> Further to this, I note that I don't even need the
> inetd_child_disable_trans boolean set now. By default nrpe running under
> xinetd is allowed to sudo. Should this not be controlled?
>
> What protection does running xinetd under selinux give?
IIRC, the default targeted policy in Fedora leaves inetd children who do
not have a specific domain defined for them unconfined, as otherwise all
external (outside of Fedora) inetd-based services that lack policy would
immediately break. The strict policy takes the more conservative
approach for security, at the risk of greater application breakage.
--
Stephen Smalley
National Security Agency
More information about the fedora-selinux-list
mailing list