On Fri, 2005-06-17 at 07:52 -0400, Colin Walters wrote: > For the targeted policy I think we need do need to allow it for > file_type. The original security goal of the targeted policy was that > only a few specific services were confined. We expect Fedora server > administrators to understand SELinux and read documentation about how to > secure their services using it. We cannot expect the same of all of the > many other kinds of people using Fedora; in this particular case, it > looks to me like Daniel is a free software enthusiast tracking the > latest upstream releases of OpenOffice.org. Until we can have some > reasonable expectation of ISV software installers labelling data > correctly, I don't think we can use execmod/execmem for unconfined_t at > all. Hmm...well, if so, please limit to the targeted/domains/unconfined.te file and don't alter the unconfined_domain() macro. Looks like you are already allowing execmod to a variety of types in the targeted unconfined.te, but not to all file types. Given the permissive nature of targeted policy (e.g. boolean defaults for apache and execmem/execmod are permissive), I think the release notes or SELinux FAQ should in the future give instructions on how to tighten up the settings for admins who want to do so. Otherwise, they aren't likely to even think about it. -- Stephen Smalley National Security Agency -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx http://www.redhat.com/mailman/listinfo/fedora-selinux-list
