Jason L Tibbitts III wrote:
>>>>>> "DJW" == Daniel J Walsh <dwalsh@xxxxxxxxxx> writes:
>
> DJW> We could do something like this with attributes.
>
> I wonder if this would help my situation with denyhosts. The problem
> with denyhosts is that it needs to write to /etc/hosts.deny, which
> means that from the standpoint of selinux it needs to write to etc_t,
> which means it gets to write to /etc/passwd as well. I've not
> bothered to even attempt to write a policy for denyhosts given that it
> would be mostly pointless if it would still get to trash /etc.
>
>  - J<

You would change the context of denyhosts to denyhost_etc_rw_t and then write a rule saying

    allow denyhost_t denyhost_etc_rw_t:file manage_file_perms;
    files_etc_filetrans(denyhost_t, denyhost_etc_rw_t, file)

This would allow denyhost_t to write only to files labeled denyhost_etc_rw_t, and to create files in /etc/ labeled denyhost_etc_rw_t. It will not allow you to write to files labeled etc_t, so you cannot overwrite /etc/passwd.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
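The sketch in the reply above, written out as a complete reference-policy module. This is an added example, not code from the thread and not Fedora's shipped denyhosts policy: the module name, the domain and type names, the path of the denyhosts executable in the .fc file, and the denyhost_read_etc interface are all assumptions. The point it demonstrates is the one made above: the domain gets manage permissions on its private type and a type_transition for new files in etc_t directories, but no write permission on etc_t files, so /etc/passwd stays out of reach while /etc/hosts.deny is fully writable.

```selinux
# denyhost.te  (added example; every name here is assumed)
policy_module(denyhost, 1.0.0)

type denyhost_t;
type denyhost_exec_t;
init_daemon_domain(denyhost_t, denyhost_exec_t)

# Private type for the one file under /etc that denyhosts may rewrite.
type denyhost_etc_rw_t;
files_type(denyhost_etc_rw_t)

# Full control over files of the private type only (the rule from the thread).
allow denyhost_t denyhost_etc_rw_t:file manage_file_perms;

# Let denyhost_t add/remove entries in etc_t directories and label any file it
# creates there denyhost_etc_rw_t, so a write-to-temp-and-rename of hosts.deny
# keeps the private label instead of inheriting etc_t from the directory.
files_etc_filetrans(denyhost_t, denyhost_etc_rw_t, file)

# Reading etc_t is fine (it needs its own config and resolver files);
# note there is deliberately no rule granting write on etc_t files.
files_read_etc_files(denyhost_t)

# denyhosts scans the auth log for failed logins.
logging_read_generic_logs(denyhost_t)

# denyhost.if  (assumed interface name)
## <summary>Read the denyhosts-managed hosts.deny file.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
interface(`denyhost_read_etc',`
	gen_require(`
		type denyhost_etc_rw_t;
	')
	files_search_etc($1)
	read_files_pattern($1, denyhost_etc_rw_t, denyhost_etc_rw_t)
')

# denyhost.fc  (the executable path is an assumption)
/etc/hosts\.deny		--	gen_context(system_u:object_r:denyhost_etc_rw_t,s0)
/usr/bin/denyhosts\.py	--	gen_context(system_u:object_r:denyhost_exec_t,s0)
```

Build and load with the usual refpolicy devel makefile (make -f /usr/share/selinux/devel/Makefile denyhost.pp && semodule -i denyhost.pp), then restorecon -v /etc/hosts.deny so the file actually carries the new label. To check the property the thread cares about, query the loaded policy: sesearch --allow -s denyhost_t -t etc_t -c file -p write should print nothing, while sesearch --allow -s denyhost_t -t denyhost_etc_rw_t -c file shows the manage rule. One caveat the relabel introduces: /etc/hosts.deny is no longer etc_t, so every tcp_wrappers user that used to read it through its generic etc_t read rules (sshd, for instance) needs the denyhost_read_etc interface above called in its policy, or it will be denied and treat hosts.deny as unreadable.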