On Sat, 2010-01-23 at 00:48 +0100, Dominick Grift wrote:
> On 01/22/2010 01:48 PM, Daniel J Walsh wrote:
> > Any comments? What should we add? What should we remove?
> >
> > http://sradvan.fedorapeople.org/SELinux_FAQ/#id2654720
> >
> > Dan
>
> 00:24 < dgrift> reading http://sradvan.fedorapeople.org/SELinux_FAQ/
> 00:25 < dgrift> two comments. first one I think most will agree with
> regard to "Now, su/sudo only change the Linux identity."
> 00:25 < dgrift> sudo does domain transitions afaik (I use it every day)
> 00:27 < dgrift> it's easier by default than the newrole command with su,
> as this requires you to type two passwords: one to identify as the
> user (newrole) and one to identify as root (su)
>
> 00:28 < dgrift> second comment I do not think many will agree and I don't
> know why: "What is the difference between a domain and a type?"
> 00:28 < dgrift> a domain is not a type. a domain type is a type
> 00:29 < dgrift> a domain is like an environment: it is all the rules
> where a particular domain type is the source in an interaction.

The term "domain" was used in the original descriptions of Type Enforcement to refer to the subject/process security label, while "type" was used for the object security label. In SELinux, we dropped the distinction and used "type" for everything, but continue to call types that are used as subject/process labels "domains" or "domain types".

http://www.nsa.gov/research/_files/selinux/papers/policy2/x86.shtml
http://www.nsa.gov/research/_files/selinux/papers/ottawa01/node3.shtml

> 00:38 < dgrift> "How do I enable/disable SELinux protection on specific
> daemons under the targeted policy?" that answer also does not
> apply on all systems.
> 00:39 < dgrift> workaround is to label apache's executable file with type
> bin_t. That will cause apache to run in the init script
> domain/environment, which is unconfined by default
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

--
Stephen Smalley
National Security Agency
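The two points argued above (a "domain" is just a type used as a process label, and relabeling httpd's executable to bin_t leaves it running in the init script domain instead of httpd_t) come down to how SELinux picks a process's domain on exec: the caller's domain plus the executable's file type, looked up in the policy's type_transition rules. The following is an added example written for this page, not code from the thread, the FAQ or the SELinux project. Its rule table, the set of unconfined domains and the `ps -eZ` output are constructed for illustration, not dumped from a real policy.

```python
"""Minimal model of SELinux domain selection on exec.

Constructed for this example: the type_transition rules, the unconfined-domain
set and the sample `ps -eZ` listing below are illustrative, not a real policy.
"""
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Context:
    """A security context: user:role:type[:level]. For a process, 'type' is the domain."""
    user: str
    role: str
    type: str
    level: str = ""


def parse_context(ctx: str) -> Context:
    """Split 'user:role:type[:level]' into its fields.

    The MLS/MCS level may itself contain ':' (e.g. 's0-s0:c0.c1023'),
    so split at most three times and keep the remainder as the level.
    """
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    user, role, typ = parts[:3]
    level = parts[3] if len(parts) == 4 else ""
    return Context(user, role, typ, level)


# Constructed subset of type_transition rules:
# (caller's domain, executable's file type) -> domain of the new process image.
TYPE_TRANSITIONS: Dict[tuple, str] = {
    ("init_t", "initrc_exec_t"): "initrc_t",
    ("initrc_t", "httpd_exec_t"): "httpd_t",
    ("unconfined_t", "httpd_exec_t"): "httpd_t",  # assumption for the example
}

# Domains the targeted policy leaves unconfined (constructed list; the thread
# notes that the init script domain, initrc_t, is unconfined by default).
UNCONFINED_DOMAINS = {"init_t", "initrc_t", "unconfined_t"}


def domain_after_exec(caller_domain: str, exec_type: str) -> str:
    """Domain a process runs in after executing a file labelled exec_type.

    Without a matching type_transition the new image keeps the caller's
    domain. (Whether execute access is allowed at all is not modelled here.)
    """
    return TYPE_TRANSITIONS.get((caller_domain, exec_type), caller_domain)


def is_confined(domain: str) -> bool:
    return domain not in UNCONFINED_DOMAINS


def daemon_domains(ps_ez_output: str, comm: str) -> Dict[int, str]:
    """Map PID -> domain for processes named `comm` in `ps -eZ` output.

    This is the check to run after a relabel: does httpd show httpd_t
    (confined) or initrc_t / unconfined_t (unconfined)?
    """
    result: Dict[int, str] = {}
    for line in ps_ez_output.splitlines()[1:]:  # skip the LABEL PID TTY TIME CMD header
        fields = line.split(None, 4)
        if len(fields) == 5 and fields[4] == comm:
            result[int(fields[1])] = parse_context(fields[0]).type
    return result


# Constructed `ps -eZ` sample (not captured from a real host).
SAMPLE_PS_EZ = """\
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 init
system_u:system_r:httpd_t:s0     1234 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     1235 ?        00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2000 pts/0 00:00:00 bash
"""


if __name__ == "__main__":
    # The init script (initrc_t) starting a normally labelled httpd binary:
    print("httpd_exec_t ->", domain_after_exec("initrc_t", "httpd_exec_t"))
    # The workaround from the thread: executable relabelled to bin_t, no rule matches,
    # so httpd stays in initrc_t, which the targeted policy leaves unconfined.
    print("bin_t        ->", domain_after_exec("initrc_t", "bin_t"))
    print("running httpd domains:", daemon_domains(SAMPLE_PS_EZ, "httpd"))
```

The model deliberately covers only the kernel-side exec transition. sudo's transition, which dgrift mentions, is a separate mechanism: a sudo built with SELinux support sets the exec context itself (from the role/type configured in sudoers) before running the command, so it is not predicted by a static type_transition lookup like the one above.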