[redhat-lspp] PATCH[1/1]: patch to ipsec module

Joy Latten latten at austin.ibm.com
Fri Jan 26 21:12:49 UTC 2007


Dan,
In Red Hat's latest SELinux policy, the setkey command
is allowed to read ipsec config from users' home
directories. My mistake, I don't think setkey should be obtaining
ipsec configuration from regular users' files.
So, I removed that and added the ability to read config from /etc and from /tmp.
Is /tmp ok or just as bad as reading from regular user files?
setkey should only be run by a sysadm.

Regards,
Joy 
 
diff -urpN serefpolicy-2.4.6.orig/policy/modules/system/ipsec.te serefpolicy-2.4.6.patch/policy/modules/system/ipsec.te
--- serefpolicy-2.4.6.orig/policy/modules/system/ipsec.te	2007-01-19 13:52:12.000000000 -0600
+++ serefpolicy-2.4.6.patch/policy/modules/system/ipsec.te	2007-01-26 15:13:40.000000000 -0600
@@ -309,7 +309,8 @@ domain_setcontext(setkey_t)
 
 # allow setkey to read a config files in any directory.
 userdom_read_sysadm_home_content_files(setkey_t)
-userdom_read_all_users_home_content_files(setkey_t)
+files_read_generic_tmp_files(setkey_t)
+files_read_etc_files(setkey_t)
 
 # setkey will be run by sysadm, thus setkey needs access to sysadm ttys.
 userdom_use_sysadm_ttys(setkey_t)
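
Review bot: the added files_read_generic_tmp_files(setkey_t) line works against the stated goal of keeping setkey away from files that regular users control, because /tmp is world-writable and a config file found there is not necessarily one the sysadm wrote. I would drop that line and keep only files_read_etc_files(setkey_t) alongside the existing userdom_read_sysadm_home_content_files(setkey_t), which already covers a sysadm working from their own home directory. The comment "# allow setkey to read a config files in any directory." is also stale after this change, since access is no longer "any directory"; it should name the locations that remain allowed.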



