On Tue, 07 Dec 2004 10:24:54 EST, Daniel J Walsh said:

> Can you try this patch

Will let you know after I get a chance to test at a reboot, but at first eyeball it looks close to workable, if not elegant. Probably be tomorrow before I have feedback on this one...

> +can_exec(fsdaemon_t, { sbin_t bin_t shell_exec_t }

Definitely more sledgehammer than elegance here. :)

I'm wondering if it would make more sense to push a patch upstream to the kernel-utils crew. Reading the smartd manpage in more detail, it looks like feeding it a '-M exec /usr/sbin/sendmail' (or building with that as the default) would let us only have to add sendmail_exec_t rather than all those.

I'll try your patch, and then see where I can get with the 'invoke sendmail directly' route.

I'm not sure what we want to do here - even if we fix the flood of avc's for the default case, the smartmontools documentation has examples of invoking arbitrary shell scripts with -M (which of course means the obvious). What direction do we want to take here? Where should sites that need to add other 'can_exec' entries be putting them?
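As an added example, not part of this thread or of smartmontools: a small POSIX shell check that pulls every '-M exec' target out of a smartd.conf, so a policy writer can see which executables the smartd domain would actually run (and so which *_exec_t types it needs) instead of allowing sbin_t, bin_t and shell_exec_t wholesale. The sample config, the notify.sh path and the function names are constructed for this example.

```shell
#!/bin/sh
# Constructed sample smartd.conf; not a real site's file.
SAMPLE_CONF='# constructed smartd.conf
/dev/sda -a -m root@localhost -M exec /usr/sbin/sendmail
/dev/sdb -a -m admin@example.com -M exec /usr/local/bin/notify.sh
/dev/sdc -a -m root@localhost   # default mail path, no -M exec
DEVICESCAN -a -m root -M exec /usr/sbin/sendmail
'

# Read smartd.conf text on stdin and print each distinct "-M exec PATH"
# target once. Comments are stripped first; other -M forms (once, daily,
# test) carry no executable and are ignored.
smartd_exec_targets() {
    sed 's/#.*//' | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "-M" && $(i+1) == "exec" && (i+2) <= NF) print $(i+2)
    }' | sort -u
}

# Read one target path per line on stdin. Return 0 when every target is
# the single mailer the policy is meant to allow (default: the sendmail
# path discussed in the thread); otherwise print each other target,
# which would need its own can_exec entry, and return 1.
check_targets() {
    allowed="${1:-/usr/sbin/sendmail}"
    status=0
    while IFS= read -r path; do
        [ "$path" = "$allowed" ] && continue
        printf 'would need extra can_exec for: %s\n' "$path"
        status=1
    done
    return $status
}

# Demonstration on the constructed config: notify.sh is reported, sendmail is not.
printf '%s' "$SAMPLE_CONF" | smartd_exec_targets | check_targets \
    || echo "review the targets above before widening the policy"
```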