Torbjørn Lindahl wrote:
> Good point.
> I probably can live with that.
>
> Still I am not sure if I would like it to have full access to all files
> labelled etc_t. It would be nice to be able to single out only a few of
> them. Perhaps I should look at something other than the targeted policy.
>
> On 9/17/07, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>> Torbjørn Lindahl wrote:
>>> Hello, I am writing an application that I want to limit using selinux.
>>>
>>> audit.log shows that it wants access to /etc/nsswitch.conf and /etc/hosts -
>>> which doesn't seem too unreasonable, however both these have types etc_t,
>>> and allowing myapp_t to read etc_t would also give it access to for example
>>> /etc/passwd, which I do not want.
>>>
>>> Do I have to invent a new type for these two files to be able to keep my
>>> application from the other etc_t files in /etc ?
>>
>> Yes you can, but the more different file_context that you have in /etc,
>> the harder they will be to maintain.
>>
>> Reading /etc/passwd is not as dangerous as being able to read
>> /etc/shadow. So consider if this is really necessary.

All of the current policies including mls allow reading of etc_t for most domains, and /etc/passwd is labeled etc_t.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
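
The trade-off discussed in this thread, as an added example that is not part of the original messages: the script lists which etc_t objects myapp_t was actually denied in audit.log and builds the type-level allow rule that would silence those denials, which names the type and therefore covers every etc_t file, /etc/passwd included. The log lines, the function names and the other_t domain are constructed for illustration.

```python
import posixpath
import re

# Constructed audit.log excerpt (not from the thread). myapp_t is the poster's
# domain; other_t, the pids, inode numbers and timestamps are made up.
SAMPLE_LOG = """\
type=AVC msg=audit(1190000000.101:41): avc:  denied  { read } for  pid=2101 comm="myapp" name="nsswitch.conf" dev=dm-0 ino=1101 scontext=user_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1190000000.101:41): arch=40000003 syscall=5 success=no exit=-13 comm="myapp"
type=AVC msg=audit(1190000000.230:42): avc:  denied  { read } for  pid=2101 comm="myapp" name="hosts" dev=dm-0 ino=1102 scontext=user_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1190000000.231:43): avc:  denied  { getattr } for  pid=2101 comm="myapp" path="/etc/hosts" dev=dm-0 ino=1102 scontext=user_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1190000000.400:44): avc:  denied  { read } for  pid=2300 comm="other" name="passwd" dev=dm-0 ino=1103 scontext=user_u:system_r:other_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?\b(?:name|path)="(?P<obj>[^"]*)"'
    r'.*?\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def ctx_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def denied_objects(log_text, domain, target_type, tclass="file"):
    """Map object name -> set of denied permissions for one (domain, type) pair."""
    found = {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and AVCs without name=/path=
        key = (ctx_type(m["scon"]), ctx_type(m["tcon"]), m["tclass"])
        if key != (domain, target_type, tclass):
            continue  # another domain, another target type or another class
        name = posixpath.basename(m["obj"])
        found.setdefault(name, set()).update(m["perms"].split())
    return found

def type_level_rule(domain, target_type, found, tclass="file"):
    """Allow rule that silences these denials; it names the type, not the files."""
    if not found:
        return None
    perms = sorted(set().union(*found.values()))
    return "allow %s %s:%s { %s };" % (domain, target_type, tclass, " ".join(perms))

if __name__ == "__main__":
    needed = denied_objects(SAMPLE_LOG, "myapp_t", "etc_t")
    print("etc_t objects myapp_t asked for:", sorted(needed))
    print("rule granting them:", type_level_rule("myapp_t", "etc_t", needed))
```

Only two file names show up for myapp_t, yet the generated rule grants read on the whole etc_t type; narrowing it means moving those files to their own type, with the maintenance cost noted in the thread.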