Re: Nagios nrpe and sudo

Stephen Smalley wrote:
> On Tue, 2006-01-31 at 07:12 -0500, Stephen Smalley wrote:
>> On Mon, 2006-01-30 at 22:19 +0000, Martin Ebourne wrote:
>>> Further to this, I note that I don't even need the
>>> inetd_child_disable_trans boolean set now. By default nrpe running under
>>> xinetd is allowed to sudo. Should this not be controlled?
>>>
>>> What protection does running xinetd under selinux give?
>>
>> IIRC, the default targeted policy in Fedora leaves inetd children who do
>> not have a specific domain defined for them unconfined, as otherwise all
>> external (outside of Fedora) inetd-based services that lack policy would
>> immediately break.  The strict policy takes the more conservative
>> approach for security, at the risk of greater application breakage.
>
> Ah, sorry, but your point was that nrpe should be confined since it has
> policy.  However, it appears that the nagios and nrpe policies aren't
> being built as part of the Fedora policy at present.

Those would be good candidates for loadable modules.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
