
Re: package review?



Perhaps a bit off topic.
But since it is security related I might as well ask it.

What do the diverse exec-shield settings 3, 11, 9 mean?
By default I have exec-shield=9; setting it to 2 works too.

kind regards,

Peter

On 7/22/06, Paul Howarth <paul city-fan org> wrote:
On Fri, 2006-07-21 at 14:14 -0700, Michael Thomas wrote:
> > You should check that the transition has happened by running ps with the
> > "-Z" option to show the process context when you're running the
> > application.
>
> It shows up as crossfire_exec_t because...

crossfire_exec_t? Not crossfire_t?

> > Note that most things running confined under targeted policy are started
> > from initscripts and there is no transition from unconfined_t needed (or
> > wanted). That's not the case here though.
>
> ...it is started from an init script.  Normal (unconfined) users should
> not be starting this by hand.  Instead, normal users will run the client
> application which connects to this server.  In this case, it sounds like
> I don't need the rule to transition from unconfined_t.

Right; I must have missed the initscript in the files list.

So yes, you are correct that you don't need (or even want) the transition from unconfined_t.

> >>Some things that would be nice to clarify:
> >>
> >>Should selinux be added as a subpackage or automatically included in the
> >>base package?
> >
> >
> > I don't have a strong opinion either way on this. I've tended to stick
> > to keeping everything together because I find it easier to manage that
> > way. As long as the SELinux bits don't get in the way of people not
> > using them, I don't think it's a problem.
>
> I think I would prefer to use a separate package (not integrated with
> the base package), so that the policy can be turned on and off by simply
> installing/uninstalling the -selinux package.

Bear in mind that there should be a crossfire_disable_trans boolean that
would turn off the policy (or rather the transition to crossfire_t) when
set, without having to uninstall the policy.

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list redhat com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list



--
I have made this letter longer than usual, because I lack the time to
make it short.
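
The check quoted above (running ps with "-Z" to confirm that the daemon ended up in crossfire_t), as an added example that is not part of the original thread. The process name "crossfire", the sample ps lines, and the use of initrc_t as the domain a daemon stays in when no transition happens from its init script are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Input is `ps -eZ`-style text on stdin:
#   LABEL PID TTY TIME CMD
# The SELinux type (domain) is the third colon-separated field of LABEL.

# domain_of CMD: print the type of every process whose command name is CMD.
domain_of() {
    awk -v cmd="$1" '$NF == cmd {
        n = split($1, ctx, ":")
        print (n >= 3 ? ctx[3] : "unlabeled")
    }'
}

# check_transition CMD TYPE
#   returns 0 if every CMD process runs in TYPE,
#           1 if at least one runs in another domain,
#           2 if no CMD process was found.
check_transition() {
    types=$(domain_of "$1")
    [ -n "$types" ] || { echo "$1: no such process"; return 2; }
    status=0
    for t in $types; do
        if [ "$t" = "$2" ]; then
            echo "$1: confined in $t"
        else
            echo "$1: running in $t, expected $2 (no transition)"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample output; "crossfire" as the command name is an assumption.
SAMPLE_OK='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t            1 ?        00:00:01 init
system_u:system_r:crossfire_t    2345 ?        00:00:03 crossfire'

# Same daemon left in the init script domain (assumed initrc_t).
SAMPLE_BAD='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t            1 ?        00:00:01 init
system_u:system_r:initrc_t       2345 ?        00:00:03 crossfire'

printf '%s\n' "$SAMPLE_OK"  | check_transition crossfire crossfire_t
printf '%s\n' "$SAMPLE_BAD" | check_transition crossfire crossfire_t || true
# On a live system: ps -eZ | check_transition crossfire crossfire_t
```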

