Christopher J. PeBenito wrote:
> On Wed, 2008-05-21 at 11:59 -0400, Daniel J Walsh wrote:
>> Remove all init programs calls to
>> sysadm_dontaudit_list_home_dirs and put that call in the
>>
>> init_system_domain and init_daemon_domain
>
Well the whole cause of this avc is apps doing a getcwd() call when they start up. Which seems to be built into glibc? Or just executables in Linux. So any app that gets started by an administrator sitting in the /root directory requires this dontaudit rule. If you look through the policy this rule is everywhere for both types of init domains.
> I might be able to buy that for the latter, but I don't see it for the
> former.
>
>> That way we can think about making role/sysadm a module.
>>
>> Of course I believe the /root should have a special context of
>> admin_home_t and not be affected by whether or not you have sysadm
>> policy defined.
>
> In the RBAC separation branch I was planning to have all the roles have
> the same home directory type anyway (owned by the userdomain module).
> If it ends up that we still need to have a type-based separation between
> unpriv user and admin user home directories, then it will end up being
> as you suggest above.
>
As long as they are different. Allowing any confined app to write to /root should be heavily constrained while writing to random users' home directories is a lot more common.
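Added example, not part of the thread or of the reference policy: a Python sketch that sorts AVC denials against the /root directory type into list-style accesses (the getcwd() noise a dontaudit rule would hide) and everything else, such as writes, which should stay audited. The log lines are constructed, and the type name `sysadm_home_dir_t` and the permission set used for "list" are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the thread). The target type
# sysadm_home_dir_t for /root is an assumption made for illustration.
SAMPLE_LOG = """\
type=AVC msg=audit(1211385601.101:41): avc:  denied  { search } for  pid=2101 comm="httpd" name="root" dev=dm-0 ino=131073 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:sysadm_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1211385602.202:42): avc:  denied  { getattr } for  pid=2102 comm="ntpd" path="/root" dev=dm-0 ino=131073 scontext=root:system_r:ntpd_t:s0 tcontext=root:object_r:sysadm_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1211385603.303:43): avc:  denied  { search } for  pid=2103 comm="httpd" name="root" dev=dm-0 ino=131073 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:sysadm_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1211385604.404:44): avc:  denied  { write add_name } for  pid=2104 comm="named" name="root" dev=dm-0 ino=131073 scontext=root:system_r:named_t:s0 tcontext=root:object_r:sysadm_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1211385605.505:45): avc:  denied  { read } for  pid=2105 comm="httpd" name="shadow" dev=dm-0 ino=99 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Assumption: approximates the directory "list" permissions a
# dontaudit-list rule would cover.
LIST_PERMS = {"getattr", "search", "read", "open", "lock", "ioctl"}


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def classify(log_text, home_type="sysadm_home_dir_t"):
    """Split denials on the admin home directory into noise and real findings."""
    noise = defaultdict(set)  # domain -> list-style perms (dontaudit candidates)
    keep = defaultdict(set)   # domain -> other perms (should stay audited)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m["tclass"] != "dir" or type_of(m["tcon"]) != home_type:
            continue
        perms = set(m["perms"].split())
        domain = type_of(m["scon"])
        if perms & LIST_PERMS:
            noise[domain] |= perms & LIST_PERMS
        if perms - LIST_PERMS:
            keep[domain] |= perms - LIST_PERMS
    return dict(noise), dict(keep)


if __name__ == "__main__":
    noise, keep = classify(SAMPLE_LOG)
    print("dontaudit candidates:", noise)
    print("keep audited:", keep)
```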