On Thu, 19 Feb 2009, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> The problem with treating /root as the same as every other homedir, is
> confined daemons all consider /root their home dir, so they want to be
> able to read/write contents in the homedir.

We should not be allowing confined daemons to write to /root. There is little point in confining a daemon if it can write to a file such as /root/.bashrc, which is likely to be executed as unconfined_t.

The only reason a confined daemon should access /root is if the sysadmin starts it immediately after logging in without changing directory. A daemon starting with a cwd that is not accessible should not be a problem; if it is, then there are other usage cases that will get you.

-- 
russell@xxxxxxxxxxxx
http://etbe.coker.com.au/ My Main Blog
http://doc.coker.com.au/ My Documents Blog

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.