Paul Howarth wrote: > On Fri, 05 Sep 2008 16:54:43 -0400 (EDT) > "David A. Wheeler" <dwheeler@xxxxxxxxxxxx> wrote: > >> I think it'd better to create an SELinux security context that grants >> additional memory privileges that can be used ONLY when the >> program actually _NEEDS_ those privileges (e.g., it uses >> a gcl runtime requiring additional privileges). >> You could document a "recipe" for how to create such a >> thing would be a good idea - but you'd need to recreate it for >> every program compiled by gcl, ugh. I think it'd be better to >> have a standard context for this case (the current "unconfined" really >> is confined; maybe the new one is "really_unconfined"?). >> Having some processes less confined is better than disabling >> the security mechanisms for the entire system. Indeed. The SELinux approach is not to disable such features for a whole system, but to provide fine-grained access control for those parts that need it. > This is the approach taken for mono and java, which have similar issues. > > If you use a context type of java_exec_t for something using the gcl > runtime, does it work? Is it every program created by gcl that needs this access, or just gcl itself? Andrew. -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
