
Re: more fine grained access in /etc



Good point.
I probably can live with that.

Still I am not sure if I would like it to have full access to all files labelled etc_t. It would be nice to be able to single out only a few of them. Perhaps I should look at something other than the targeted policy.

On 9/17/07, Daniel J Walsh <dwalsh redhat com> wrote:

Torbjørn Lindahl wrote:
> Hello, I am writing an application that I want to limit using SELinux.
>
> audit.log shows that it wants access to /etc/nsswitch.conf and /etc/hosts -
> which doesn't seem too unreasonable, however both these have types etc_t,
> and allowing myapp_t to read etc_t would also give it access to for example
> /etc/passwd, which I do not want.
>
>
> Do I have to invent a new type for these two files to be able to keep my
> application from the other etc_t files in /etc ?
Yes you can, but the more different file_context that you have in /etc,
the harder they will be to maintain.

Reading /etc/passwd is not as dangerous as being able to read
/etc/shadow.  So consider if this is really necessary.



--
mvh
Torbjørn Lindahl
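
Added example, not part of the original messages: a small audit.log reader that lists exactly which etc_t files myapp_t was denied, which is the evidence needed to weigh a blanket etc_t read rule against a dedicated type for a few files. The log lines are constructed samples; `denied_files`, `other_t` and `var_log_t` are hypothetical names, while `myapp_t` and `etc_t` come from the thread.

```python
import posixpath
import re
from collections import defaultdict

# Constructed sample audit.log records (not taken from the thread).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1190000001.101:201): avc:  denied  { read } for  pid=4321 comm="myapp" name="nsswitch.conf" dev=dm-0 ino=1001 scontext=user_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1190000001.105:202): avc:  denied  { read } for  pid=4321 comm="myapp" name="hosts" dev=dm-0 ino=1002 scontext=user_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1190000001.109:203): avc:  denied  { getattr } for  pid=4321 comm="myapp" path="/etc/hosts" dev=dm-0 ino=1002 scontext=user_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1190000002.300:204): avc:  denied  { append } for  pid=4321 comm="myapp" name="myapp.log" dev=dm-0 ino=2001 scontext=user_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1190000003.400:205): avc:  denied  { read } for  pid=999 comm="other" name="passwd" dev=dm-0 ino=1003 scontext=user_u:system_r:other_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def denied_files(log_text, source_type, target_type):
    """Map file name -> set of denied permissions for AVC denials in which a
    process of source_type touched an object labelled target_type."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if match is None:
            continue  # not an AVC denial record
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group("fields"))}
        if selinux_type(fields.get("scontext", "")) != source_type:
            continue
        if selinux_type(fields.get("tcontext", "")) != target_type:
            continue
        # Records carry either name= (last path component) or path= (full
        # path); reduce both to the last component so they group together.
        name = posixpath.basename(fields.get("path") or fields.get("name") or "") or "<unknown>"
        hits[name].update(match.group("perms").split())
    return dict(hits)


if __name__ == "__main__":
    for name, perms in sorted(denied_files(SAMPLE_AUDIT_LOG, "myapp_t", "etc_t").items()):
        print(f"{name}: {' '.join(sorted(perms))}")
```
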