[redhat-lspp] New pam src rpm with namespace

Stephen Smalley sds at tycho.nsa.gov
Thu Feb 16 15:46:37 UTC 2006


On Thu, 2006-02-16 at 10:28 -0500, JANAK DESAI wrote:
> Do ordinary users have access to all type and level names?

Depends on the policy, naturally, and I don't think the current policies
specifically try to prevent this.  Some of the current policies (e.g.
-strict, -mls) may prevent direct reading of the kernel policy file but
may leak this information from context configuration files (e.g. so that
users can run restorecon), other config files, or selinuxfs.  I also
expect that in practice, the only names that may be sensitive would be
the translated names, not the kernel's primitive names (e.g. s0, s1,
etc) for the levels.  In that case, you want libsetrans talking to a
daemon to get the translated names rather than directly reading the
entire setrans.conf.

-- 
Stephen Smalley
National Security Agency
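Added example (not code from the thread or from libsetrans): a parser for the `raw=translated` line format of setrans.conf(5) with a constructed sample table, contrasting what a user learns from reading the whole file against what a per-level query to a daemon returns; the translated names are invented, and the range handling (exact match, then each end of a `low-high` range on its own, then raw fallback) is an assumed simplification.

```python
"""Added example: parse a setrans.conf-style table and contrast what a full
file read discloses with what a single translation query discloses."""
import re
from typing import Dict, Set

# Constructed sample in the 'raw=translated' line format of setrans.conf(5);
# the translated names are illustrative, not taken from any real policy.
SAMPLE_SETRANS_CONF = """\
# raw kernel level = translated name
s0=SystemLow
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh
s0:c0=Secret
s0:c1=TopSecret
"""

# One MLS/MCS level: sensitivity 'sN' with an optional category set.
_LEVEL_RE = re.compile(r"s\d+(?::c\d+(?:[.,]c\d+)*)?")

def parse_setrans(text: str) -> Dict[str, str]:
    """Return {raw level or range: translated name}; '#' starts a comment."""
    table: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected raw=translated")
        raw, translated = (part.strip() for part in line.split("=", 1))
        low, _, high = raw.partition("-")
        if not _LEVEL_RE.fullmatch(low) or (high and not _LEVEL_RE.fullmatch(high)):
            raise ValueError(f"line {lineno}: malformed raw level {raw!r}")
        table[raw] = translated
    return table

def translate(table: Dict[str, str], raw: str) -> str:
    """Exact match first; otherwise translate each end of a 'low-high' range
    separately (assumed simplification); leave unknown levels in raw form."""
    if raw in table:
        return table[raw]
    low, sep, high = raw.partition("-")
    if sep:
        return f"{table.get(low, low)}-{table.get(high, high)}"
    return raw

def names_disclosed_by_file_read(text: str) -> Set[str]:
    """Everything a user learns if setrans.conf itself is readable."""
    return set(parse_setrans(text).values())

def names_disclosed_by_query(text: str, raw: str) -> Set[str]:
    """What the same user learns from a daemon that only answers for 'raw'."""
    return {translate(parse_setrans(text), raw)}
```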
