On Sat, 12 Jun 2004 04:59, Thomas Bleher <bleher@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> Setting the uid in a program should be covered by the setuid capability,
> so this is controllable by SELinux policy. What is not covered (IIRC)
> are setuid executables.

Yes, the setuid capability covers the ability to call the setuid() system
call. If a setuid binary has a type that triggers a domain_auto_trans()
rule then the target domain will be checked for setuid capability.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
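As an added illustration of the point above (constructed here, not taken from the thread or from any shipped policy): a fragment in the style of the 2004 example policy showing the two rules that interact. The names user_t, myapp_t and myapp_exec_t are assumed.

```selinux
# Constructed example, not from the thread. Assumed names: user_t (the
# calling domain), myapp_t (target domain), myapp_exec_t (label of a
# setuid-root binary such as /usr/bin/myapp).
type myapp_t, domain;
type myapp_exec_t, file_type, sysadmfile, exec_type;

# When user_t executes a file labelled myapp_exec_t the process moves into
# myapp_t. The setuid bit on the file still hands the process uid 0 at
# exec time; SELinux does not intervene there (this is the case Thomas
# called "not covered").
domain_auto_trans(user_t, myapp_exec_t, myapp_t)

# What SELinux does control is the setuid() family of calls made from
# myapp_t, e.g. when the program drops from root back to the real uid.
# Without the line below each such call fails with EPERM and logs:
#   avc: denied { setuid } for pid=... comm="myapp"
#        scontext=...:myapp_t tcontext=...:myapp_t tclass=capability
allow myapp_t self:capability setuid;
```

If a program in the target domain also needs to change its gid (setgid(), setgroups()) the same reasoning applies with the setgid capability.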