Re: [CentOS] Server Hacked: Cpanel




On Wed, 2006-08-09 at 13:42 -0300, Rodrigo Barbosa wrote:
> As a side note, I have started playing with SELinux to try and improve
> the security of my servers. My main problem is that you simply
> can't find a working rule set for Exim, and I'm working hard on
> creating one while learning SELinux at the same time.

Slightly OT: I have been playing a bit with the Simplified Policy
Description Language (SPDL), that is part of the SEEdit project[1]. The
language looks like AppArmor policies. I still use the 'targeted' policy
on servers, but on the other hand using SPDL seems better than turning
SELinux off completely[2].

E.g., this is a quick, simple sample policy, quite readable if you know
UNIX DAC semantics.

---
{
# One block per confined domain; 'program' is the entry point that
# transitions into it.
domain vsftpd_t;
program /usr/sbin/vsftpd;
include common-relaxed.sp;
include daemon.sp;
include nameservice.sp;

# File access: r=read, w=write, a=append, s=search (directory traversal);
# paths are real paths, not SELinux types.
allow /etc/shadow  r,s;
allow /etc/pam.d/vsftpd  r,s;
allow /etc/security/pam_env.conf  r,s;
allow /etc/vsftpd.user_list  r,s;
allow /etc/vsftpd/vsftpd.conf  r,s;
allow /var/log/xferlog  a,r,s;
# Users' home directories, recursively.
allow ~/**  rw,s;

# Privileges beyond plain file DAC: netlink sockets, the chroot
# capability, and writing audit records.
allowpriv netlink;
allowpriv cap_sys_chroot;
allowpriv audit_write;
allow /etc/selinux/config  r,s;

# Accept connections on the FTP control/data ports and on the
# unprivileged range used for passive-mode data connections.
allownet -protocol tcp -port 20 server;
allownet -protocol tcp -port 21 server;
allownet -protocol tcp -port 1024- server;
}
---

-- Daniel

[1] http://seedit.sourceforge.net/
[2] I think that the majority of the current system administrators will
never bother to learn to understand the current policy or the new
'reference policy', and will simply turn it off when the default policy
gets in the way.
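Writing a policy like the one above is an iterative loop: run the daemon in its domain, collect the AVC denials from the audit log, and add the corresponding allow lines. The script below is an added example (it is not part of SEEdit and not something the poster wrote) that does the mechanical half of that loop: it reads audit lines, keeps only denials whose source type matches the domain you are working on, and emits SPDL-style `allow` and `allowpriv` lines. The audit lines are constructed for the example; the mapping from kernel permissions (read, getattr, append, ...) to the SPDL letters, the habit of adding `s` to every path, and the `allowpriv cap_<name>` spelling are assumptions read off the sample policy rather than taken from SEEdit's documentation. Denials it cannot express as a file path (sockets, ports, lines without `path=`) are returned separately so you decide by hand rather than have a rule invented for you.

```python
"""Turn AVC denials into candidate SPDL lines (added example, not SEEdit code)."""
import re

# Constructed sample audit.log excerpt: vsftpd denied on config, log and
# capability, plus a port bind and an unrelated httpd denial.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1155142231.123:42): avc:  denied  { read } for  pid=2211 comm="vsftpd" path="/etc/vsftpd/vsftpd.conf" dev=sda2 ino=131090 scontext=system_u:system_r:vsftpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1155142231.124:43): avc:  denied  { search } for  pid=2211 comm="vsftpd" path="/etc/vsftpd" dev=sda2 ino=131088 scontext=system_u:system_r:vsftpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1155142232.001:44): avc:  denied  { append } for  pid=2211 comm="vsftpd" path="/var/log/xferlog" dev=sda2 ino=98765 scontext=system_u:system_r:vsftpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1155142232.002:45): avc:  denied  { getattr } for  pid=2211 comm="vsftpd" path="/etc/vsftpd/vsftpd.conf" dev=sda2 ino=131090 scontext=system_u:system_r:vsftpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1155142232.500:46): avc:  denied  { sys_chroot } for  pid=2211 comm="vsftpd" capability=18 scontext=system_u:system_r:vsftpd_t:s0 tcontext=system_u:system_r:vsftpd_t:s0 tclass=capability
type=AVC msg=audit(1155142233.000:47): avc:  denied  { name_bind } for  pid=2211 comm="vsftpd" src=21 scontext=system_u:system_r:vsftpd_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1155142233.100:48): avc:  denied  { read } for  pid=9999 comm="httpd" path="/var/www/html/index.html" dev=sda2 ino=555 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed mapping from kernel file/dir permissions to SPDL letters
# (r=read, w=write, a=append, x=execute, s=search), modelled on the
# sample policy in the post.
FILE_PERM_MAP = {
    "read": "r", "getattr": "r", "open": "r", "ioctl": "r", "lock": "r",
    "write": "w", "create": "w", "unlink": "w", "rename": "w", "setattr": "w",
    "add_name": "w", "remove_name": "w",
    "append": "a",
    "execute": "x", "execute_no_trans": "x",
    "search": "s",
}
FILE_CLASSES = ("file", "dir", "lnk_file")


def parse_avc(line):
    """Return (set of denied perms, dict of key=value fields) or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m.group("perms").split())
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return perms, fields


def source_type(scontext):
    """user:role:type[:level] -> type; empty string if malformed."""
    parts = scontext.split(":")
    return parts[2] if len(parts) > 2 else ""


def suggest_spdl(audit_text, domain):
    """Collect denials for `domain` and return (spdl_lines, unmapped_lines)."""
    allows = {}     # path -> set of SPDL letters
    privs = set()   # allowpriv names
    unmapped = []   # denials that need a human decision
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, f = parsed
        if source_type(f.get("scontext", "")) != domain:
            continue
        tclass = f.get("tclass")
        if tclass == "capability":
            # Assumed spelling, as in 'allowpriv cap_sys_chroot;' above.
            privs.update("cap_" + p for p in perms)
        elif tclass in FILE_CLASSES and "path" in f and perms <= set(FILE_PERM_MAP):
            # Every path gets 's' so the directories leading to it can be traversed.
            letters = allows.setdefault(f["path"], {"s"})
            letters.update(FILE_PERM_MAP[p] for p in perms)
        else:
            unmapped.append(line)
    lines = ["allow %s  %s;" % (path, ",".join(sorted(letters)))
             for path, letters in sorted(allows.items())]
    lines += ["allowpriv %s;" % p for p in sorted(privs)]
    return lines, unmapped


if __name__ == "__main__":
    spdl, todo = suggest_spdl(SAMPLE_AUDIT, "vsftpd_t")
    print("\n".join(spdl))
    for raw in todo:
        print("# needs manual rule: " + raw)
```

Run it against a real `/var/log/audit/audit.log` by reading the file instead of `SAMPLE_AUDIT`; paste the output into the domain's `{ ... }` block and review each line before loading it, since a denial on `/etc/shadow` may be a bug in the daemon rather than something the policy should permit.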

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
