On Sat, 20 Mar 2004 20:19, Ronny Buchmann <ronny-vlug@xxxxxxxxxxx> wrote:
> > You can't allow applications to issue raw commands without privileges
> > by either interface. Not using ide-scsi makes it much easier to handle
> > IDE burning - because the device has one name, but doesn't really deal
> > with the fact that scsi level command access allows you to do stuff like
> > 'erase firmware', which normally suggests root only is good )
>
> Shouldn't setuid root cdrecord be safe with SELinux?

SETUID means nothing to SE Linux. To allow extra privs in SE Linux you also need a domain transition. This can be done, but then we need appropriate policy for CD burning.

In FC2 the loose policy for user domains should permit this. But for RHEL we need something better.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
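
The domain transition the reply refers to, sketched as a policy module. This is an added example, not part of the original message or of any distribution's policy: the types cdburn_t and cdburn_exec_t are hypothetical, and user_t / user_r are assumed to be the unprivileged caller's domain and role.

```selinux
# Added illustration: the rules that let a confined user domain enter a
# separate domain when it executes the burning program.
module cdburn_example 1.0;

require {
	type user_t;    # assumed: domain of the unprivileged caller
	role user_r;    # assumed: role of the unprivileged caller
	class file { read getattr open execute map entrypoint };
	class process transition;
	class capability sys_rawio;
}

# Hypothetical types: the burner's process domain and its executable label.
type cdburn_t;
type cdburn_exec_t;

# The caller's role must be allowed to run processes in the new domain.
role user_r types cdburn_t;

# 1. The caller may execute the labelled binary.
allow user_t cdburn_exec_t:file { read getattr open execute map };

# 2. Files carrying that label are a valid entry point into cdburn_t.
allow cdburn_t cdburn_exec_t:file { read getattr open execute map entrypoint };

# 3. The caller may change domain to cdburn_t.
allow user_t cdburn_t:process transition;

# 4. Make the change of domain the default on exec of the binary.
type_transition user_t cdburn_exec_t:process cdburn_t;

# The raw-I/O capability is granted only inside the new domain. A setuid
# bit on the binary changes the effective uid but leaves the process in
# user_t, where no such rule exists.
allow cdburn_t self:capability sys_rawio;
```

The binary still has to be labelled cdburn_exec_t for rule 4 to fire, and access to the burner's device node needs further rules that depend on how that device is labelled on the system.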