On Tue, 2006-01-31 at 07:12 -0500, Stephen Smalley wrote:
> On Mon, 2006-01-30 at 22:19 +0000, Martin Ebourne wrote:
> > Further to this, I note that I don't even need the
> > inetd_child_disable_trans boolean set now. By default nrpe running under
> > xinetd is allowed to sudo. Should this not be controlled?
> >
> > What protection does running xinetd under selinux give?
>
> IIRC, the default targeted policy in Fedora leaves inetd children who do
> not have a specific domain defined for them unconfined, as otherwise all
> external (outside of Fedora) inetd-based services that lack policy would
> immediately break. The strict policy takes the more conservative
> approach for security, at the risk of greater application breakage.

Ah, sorry, but your point was that nrpe should be confined since it has
policy. However, it appears that the nagios and nrpe policies aren't
being built as part of the Fedora policy at present.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
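The practical question raised in the thread is which domain an xinetd child such as nrpe actually ends up in, and whether that domain is confined. The script below is an added example for checking that; it is not code from the thread, from Fedora, or from the nagios/nrpe policy. It takes the output of `ps -e -o label,pid,ppid,comm` (column order is what the script assumes), finds the xinetd process, and lists each of its children with the domain part of its SELinux context. The set of domain names it marks as UNCONFINED is an assumption for illustration; confirm the unconfined domains of the policy actually installed with `seinfo` or `sesearch` rather than trusting this list. The sample `ps` output embedded in the script is constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Expected input format:
#   ps -e -o label,pid,ppid,comm
# i.e. one header line, then: <context> <pid> <ppid> <command>.

# ASSUMPTION: domains treated as unconfined for the purpose of this check.
# Verify against the installed policy; this list is illustrative only.
UNCONFINED_DOMAINS="unconfined_t inetd_child_t"

# Constructed sample of `ps -e -o label,pid,ppid,comm` output.
SAMPLE='LABEL                                PID  PPID COMMAND
system_u:system_r:xinetd_t:s0       1234     1 xinetd
system_u:system_r:inetd_child_t:s0  2001  1234 nrpe
system_u:system_r:nrpe_t:s0         2002  1234 nrpe
system_u:system_r:kernel_t:s0          2     0 kthreadd'

# domain_of CONTEXT -> prints the type (third colon-separated field)
domain_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# is_unconfined DOMAIN -> exit status 0 if DOMAIN is in UNCONFINED_DOMAINS
is_unconfined() {
    for d in $UNCONFINED_DOMAINS; do
        [ "$d" = "$1" ] && return 0
    done
    return 1
}

# xinetd_children PS_OUTPUT -> one line per direct child of xinetd:
#   "<pid> <command> <domain>" with " UNCONFINED" appended when the
#   domain is in UNCONFINED_DOMAINS. Returns 1 if xinetd is not present.
xinetd_children() {
    ps_out="$1"
    xinetd_pid=$(printf '%s\n' "$ps_out" | awk 'NR > 1 && $4 == "xinetd" { print $2; exit }')
    if [ -z "$xinetd_pid" ]; then
        echo "xinetd not found in ps output" >&2
        return 1
    fi
    printf '%s\n' "$ps_out" |
    awk -v p="$xinetd_pid" 'NR > 1 && $3 == p { print $1, $2, $4 }' |
    while read -r ctx pid cmd; do
        dom=$(domain_of "$ctx")
        if is_unconfined "$dom"; then
            echo "$pid $cmd $dom UNCONFINED"
        else
            echo "$pid $cmd $dom"
        fi
    done
}

# Run against the constructed sample; on a live host replace SAMPLE with
# "$(ps -e -o label,pid,ppid,comm)".
xinetd_children "$SAMPLE"
```

On the constructed sample the first nrpe child is reported as inetd_child_t and flagged, while the second, running in nrpe_t, is not; a real host where the nrpe policy is not built would show only the first kind of line.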