Re: Selinux error help

On Wed, 2007-02-07 at 16:34 +0000, Dan Track wrote:
> Hi Stephen
> 
> Firstly apologies for sending to the wrong list.

Ok, then take follow-ups to fedora-selinux-list please.

> Thanks for the advice, it was really an eye opener. I trawled through
> the assert.te file in my selinux src directory, however I can tell
> which rule to remove, could you please guide me to which rule it is.
> Currently my file looks like this:
> 
> neverallow { domain -unrestricted -snmpd_t -pegasus_t }
> unconfined_t:process ~sigchld;

The rule above.  Rather than removing it entirely, you could adjust it
to make a specific exception for this case.  What do you truly need your
process to be able to do?

> # Confined domains must never see unconfined domain's /proc/pid entries.
> neverallow { domain -unrestricted -snmpd_t -pegasus_t }
> unconfined_t:dir { getattr search };

This one will also get in your process' way if it truly needs to operate
on unconfined processes.

Naturally, if you go too far in this direction, you are effectively
removing any real restriction on httpd and might as well just disable
its protection altogether (via the corresponding boolean).

-- 
Stephen Smalley
National Security Agency
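
An added illustration of the "specific exception" approach suggested above; it is not part of the original message or of the shipped policy. It assumes the confined domain is httpd_t and that the only extra access it needs to unconfined processes is the signull permission; both are assumptions, since the thread does not say what the process actually requires.

```selinux
# assert.te (added example, not from the original thread)

# 1. Keep the original assertion for every other domain by excluding
#    only httpd_t (assumed domain) from its source set.
neverallow { domain -unrestricted -snmpd_t -pegasus_t -httpd_t }
    unconfined_t:process ~sigchld;

# 2. Re-assert the restriction for httpd_t alone, widened by exactly one
#    permission (signull is an assumed requirement). Everything else in
#    the process class stays forbidden for httpd_t.
neverallow httpd_t unconfined_t:process ~{ sigchld signull };

# 3. The exception only loosens the assertion; the access itself still
#    has to be granted explicitly in the policy for the domain.
allow httpd_t unconfined_t:process signull;
```

Splitting the rule this way keeps the policy build failing if a later change grants httpd_t any other process permission on unconfined_t, which deleting the neverallow outright would not.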
