On Wednesday 25 May 2005 03:06, Valdis.Kletnieks@xxxxxx wrote:
> On Tue, 24 May 2005 10:47:12 EDT, Stephen Smalley said:
> > On Sun, 2005-05-22 at 21:53 -0400, Valdis.Kletnieks@xxxxxx wrote:
> > > Am I the only one here who thinks that this is really something that
> > > can't be supported in the context of the 'targeted' policy, and would
> > > be much easier to do in 'strict'?
> >
> > It shouldn't be done at all, other than to dontaudit these attempts. No
> > legitimate reason for a CGI script to be probing init's /proc/pid files.
>
> I've always been leery of using dontaudit to shut things up - it means that
> there's a possibility that we miss the early warning signs of an actual
> attack.

If you want to complain about dontaudit then look for file_type - secure_file_type as the thing you want to complain about.

> I wonder if the cgi script is just doing something like 'ps ax|grep
> mydaemon' to see if a daemon is running...

If the cgi script does "ps ax" as a regular operation then there's no way to determine the difference between that and "ps ax" for a hostile operation. Some people don't have cgi scripts running ps. We could have a boolean about this, but if so then the number of booleans would explode and become unmanageable.

-- 
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
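The two alternatives argued over in the thread, a plain dontaudit versus a boolean-gated allow, written out in reference-policy syntax as an added illustration (not code from the thread or from any shipped policy; the domain types httpd_sys_script_t and init_t follow reference-policy naming, and the boolean name httpd_cgi_read_init_proc is an assumption):

```selinux
# Alternative 1 (Stephen's suggestion): silence the denial outright.
# Nothing reaches the audit log, so a CGI script probing init's
# /proc/<pid> entries looks the same as one that never tried, which is
# Valdis' objection.
dontaudit httpd_sys_script_t init_t:dir search;
dontaudit httpd_sys_script_t init_t:file { getattr read };

# Alternative 2 (the boolean Russell mentions): the access is only granted
# when an administrator turns the boolean on. While it is off (the default
# here) no allow rule exists, so the attempt is still denied AND audited,
# and the early-warning signal is preserved. The cost is one more boolean
# for every such site-specific habit.
gen_tunable(httpd_cgi_read_init_proc, false)
tunable_policy(`httpd_cgi_read_init_proc',`
        allow httpd_sys_script_t init_t:dir search;
        allow httpd_sys_script_t init_t:file { getattr read };
')
```

With alternative 2 an administrator who does run "ps ax" from CGI scripts would enable it with setsebool, while everyone else keeps the denial visible in the audit log.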