On Monday 25 April 2005 21:14, David Hampton <hampton-rh@xxxxxxxxxxxxxxxxxxx> wrote: > On Fri, 2005-04-22 at 00:54 +1000, Russell Coker wrote: > > Firstly daemons should not be started with su. > > Agreed, but thats how the designer of DCC implemented it. So it's up to the distribution maintainers (people such as us) to correct this mistake. > > Why do you use init_service_domain() and domain_auto_trans(initrc_t, > > dcc_script_exec_t, dcc_script_t)? > > > > Surely the daemon is to be started either from inittab or from an > > /etc/init.d script but not both. > > Its started from /etc/init.d or by hand. I'll correct the policy to > remove init_service_domain. OK, then daemon_base_domain() or daemon_domain() is what you want. > > Putting a unix domain socket in /etc is wrong. Among other things it > > will probably break things for anyone who wants to run with a read-only > > root file system. > > Agreed. This was moved from /var/dcc to /etc by the packager. I've > submitted a patch to restore it to the /var/dcc directory. In the mean > time I wrote the policy to work with either location. OK, but when you publish policy please publish it to work with the fixed package. > > I feel confident in guessing that it's not > > nearly half as complex as Postfix and doesn't need so many domains. > > Excessive domains makes the policy difficult to analyse. For starters > > dccifd_t and dccm_t can be merged. > > I have no problem reducing the number of domains. I got the impression > somewhere that each executable should be its own domain. Would three > domains be reasonable (the server, clients that connect to the server, > everything else), or just two (executables that access the network and > the utility programs)? Try it with three. Once I see working policy for three domains I can make a better judgement as to whether it would be best expressed as two domains. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx http://www.redhat.com/mailman/listinfo/fedora-selinux-list
