On Tuesday 28 July 2009 10:22:56 am Serge E. Hallyn wrote:
> > You can create an selinux context that is not allowed to exec, or only
> > allowed to exec certain things. Or not allowed to connect to TCP
> > sockets. Or pretty much anything else a normal user would otherwise be
> > allowed to do.
>
> This has little to do with what Steve is trying to do.

Right. All I am doing at this point is going over the daemons running as root
and patching them to lower their capabilities. With libcap-ng, it's generally
2-3 lines of code.

As for directory perms...I'm still mulling it over. Changing perms on shadow
and gshadow to 0000 should press forward, though.

-Steve
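
The capability drop discussed in this message, as an added example that is not part of the original post or of any patched daemon: it uses the raw capget/capset syscalls so it builds without libcap-ng, with the corresponding libcap-ng calls shown in a comment. The function names and the choice of CAP_NET_BIND_SERVICE as the one capability kept are assumptions; once CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH are gone, even a uid-0 daemon is refused by a mode 0000 shadow file.

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Read this thread's capability sets: d[0] holds caps 0-31, d[1] caps 32-63. */
static int caps_get(struct __user_cap_data_struct d[2]) {
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return (int)syscall(SYS_capget, &h, d);
}

/* Effective set as one 64-bit mask, or UINT64_MAX if capget fails. */
uint64_t effective_caps(void) {
    struct __user_cap_data_struct d[2];
    if (caps_get(d) != 0) return UINT64_MAX;
    return ((uint64_t)d[1].effective << 32) | d[0].effective;
}

/* Keep only the capabilities in `keep` that are currently permitted and clear
 * everything else from the effective, permitted and inheritable sets.
 * Returns 0 on success, -1 on error. The same step with libcap-ng:
 *   capng_clear(CAPNG_SELECT_CAPS);
 *   capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, cap);
 *   capng_apply(CAPNG_SELECT_CAPS);                                      */
int drop_caps_except(uint64_t keep) {
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    if (caps_get(d) != 0) return -1;
    for (int i = 0; i < 2; i++) {
        d[i].permitted &= (uint32_t)(keep >> (32 * i));
        d[i].effective = d[i].permitted;   /* never more than permitted */
        d[i].inheritable = 0;              /* nothing passes across exec */
    }
    return (int)syscall(SYS_capset, &h, d);
}

int main(void) {
    /* Assumed example daemon: it only needs to bind a port below 1024. */
    uint64_t keep = 1ULL << CAP_NET_BIND_SERVICE;
    printf("before: %#llx\n", (unsigned long long)effective_caps());
    if (drop_caps_except(keep) != 0) { perror("capset"); return 1; }
    uint64_t now = effective_caps();
    printf("after:  %#llx, CAP_DAC_OVERRIDE %s\n", (unsigned long long)now,
           (now & (1ULL << CAP_DAC_OVERRIDE)) ? "still held" : "dropped");
    return 0;
}
```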