Re: SELinux and /proc


 



On 03/14/2006 05:18 PM, Stephen Smalley wrote:

> What precisely did you like about it?

Better security - a user does not know what other users are doing on such a machine.

> If you use -strict or -mls policy, then unprivileged users should be
> restricted in what they can see in /proc (and thus ps output).

Sure, but -targeted is almost transparent to the users and it seems
to be more user friendly. Actually, I have never used the -strict
policy, so this last part may not be true ;)

> For -targeted, users aren't supposed to be confined (just specific
> daemons)

Yes, I know that, but you have also been experimenting lately with the
allow_execstack and allow_execmod booleans, which break this rule ;) Why
not have another exception? This feature is so interesting that
admins will think twice about whether to disable SELinux.

Regards,
	Dawid

--

  ^_*




--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
