On Fri, 2005-06-17 at 08:03 -0400, Stephen Smalley wrote:
> Hmm...well, if so, please limit to the targeted/domains/unconfined.te
> file and don't alter the unconfined_domain() macro. Looks like you are
> already allowing execmod to a variety of types in the targeted
> unconfined.te, but not to all file types.

We also need to do so for initrc_t at least, because that is now the domain that services run under by default in FC4. It would be nice though if we could go back to using unconfined_t there, but it seems complicated. Could we do something like:

domain_auto_trans(initrc_t, exec_type - targeted_exec_type, unconfined_t)

Would need to give e.g. httpd_exec_t the targeted_exec_type attribute, and I'm not sure attribute subtraction works.

> Given the permissive nature of targeted policy (e.g. boolean defaults
> for apache and execmem/execmod are permissive), I think the release
> notes or SELinux FAQ should in the future give instructions on how to
> tighten up the settings for admins who want to do so. Otherwise, they
> aren't likely to even think about it.

Absolutely, this would make a good entry in the FAQ. Although I'd personally really like to see a Fedora security guide, these booleans would be mentioned there too.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
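The thread's second point is that targeted policy ships with permissive boolean defaults (apache, execmem/execmod) and that admins need a recipe for tightening them. The script below is an added example, not code from the thread or from the Fedora project: it parses text in the `name --> on|off` format that `getsebool -a` prints and emits the `setsebool -P` commands that would bring the host to a stricter profile. The sample output is constructed, and the boolean names and desired states in `DESIRED` are assumptions modelled on FC4-era targeted policy; replace them with the names your own `getsebool -a` reports.

```python
"""Audit SELinux booleans and print the commands that would tighten them.

Added example (not from the mailing-list thread). Reads `getsebool -a`
style output and compares it against a hardening profile.
"""
import re

# Hypothetical hardening profile: boolean name -> desired state.
# These names are assumptions drawn from FC4-era targeted policy; check
# `getsebool -a` on the target host and adjust before using.
DESIRED = {
    "allow_execmem": "off",
    "allow_execmod": "off",
    "allow_execstack": "off",
    "httpd_enable_cgi": "off",
    "httpd_enable_homedirs": "off",
    "httpd_unified": "off",
}

# One getsebool line: "<name> --> on|off" (newer releases print active/inactive).
LINE_RE = re.compile(r"^\s*(\S+)\s*-->\s*(on|off|active|inactive)\s*$")


def parse_getsebool(text):
    """Return {name: 'on'|'off'} parsed from getsebool -a style output.

    Lines that do not match the expected shape are ignored rather than
    raising, so a stray header or blank line does not abort the audit.
    """
    states = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        name, state = m.group(1), m.group(2)
        # Normalize active/inactive to on/off so the comparison is uniform.
        states[name] = "on" if state in ("on", "active") else "off"
    return states


def find_deviations(states, desired=DESIRED):
    """Booleans present on the host whose state differs from the profile.

    Booleans the host does not know about are skipped: setting a boolean
    that does not exist in the loaded policy would just fail.
    """
    return {
        name: states[name]
        for name, want in desired.items()
        if name in states and states[name] != want
    }


def tightening_commands(states, desired=DESIRED):
    """`setsebool -P` lines (persistent across reboots) for each deviation."""
    return [
        f"setsebool -P {name}={desired[name]}"
        for name in sorted(find_deviations(states, desired))
    ]


# Constructed sample of `getsebool -a` output; not captured from a real host.
SAMPLE = """\
allow_execmem --> on
allow_execmod --> on
allow_execstack --> off
httpd_enable_cgi --> on
httpd_unified --> off
httpd_disable_trans --> off
"""

if __name__ == "__main__":
    # On a real host: parse_getsebool(subprocess.check_output(["getsebool", "-a"], text=True))
    for cmd in tightening_commands(parse_getsebool(SAMPLE)):
        print(cmd)
```

The script only prints the commands rather than running them, so the admin can review the list before applying it; `-P` writes the change to the persistent boolean store, which is what the FAQ entry the thread asks for would need to say.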