Re: racoon denials

On Aug 18, 2009, at 19:30, Daniel J Walsh wrote:

> I can add a tunable to allow racoon to read shadow, although I would like to see it use pam if a port is available.

I too would prefer PAM, unfortunately Fedora 11's copy of racoon is built without --with-libpam.
There is already a BZ about it from November 2008:
https://bugzilla.redhat.com/show_bug.cgi?id=470793

> I will also add the ability to transition from racoon to setkey_t, but I would prefer if you put your temporary files in /var/racoon or /var/run/pluto or /var/run/racoon. System Services should NEVER use /tmp for creation of interaction with files. Users live there and users is evil :^)

Turns out that was simple enough.

I just added
TMPDIR="/var/racoon"
to the start of the bash shell script, and now bash doesn't try putting its stuff into /tmp. What's even better is that this already seems to be allowed by the current policy.

So the whole extra myracoon module could be simplified as:

---------
policy_module(myracoon, 0.0.5)
require { type racoon_t, setkey_exec_t; }

# this build of racoon has no PAM support, so it reads /etc/shadow itself
auth_read_shadow(racoon_t)
# racoon's helper shell script runs setkey
can_exec(racoon_t, setkey_exec_t)
# drop the getattr-on-xattr-filesystem noise from the audit log
fs_dontaudit_getattr_xattr_fs(racoon_t)
---------

Are these reasonable to add to the official policy one day?

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
