Russell Coker wrote:
> On Thu, 19 Feb 2009, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>> The problem with treating /root as the same as every other homedir, is
>> confined daemons all consider /root their home dir, so they want to be
>> able to read/write contents in the homedir.
>
> We should not be allowing confined daemons to write to /root.
>
> There is little point in confining a daemon if it can write to a file such
> as /root/.bashrc which is likely to be executed as unconfined_t.
>
> The only reason a confined daemon should access /root is if the sysadmin
> starts it immediately after logging in without changing directory. A daemon
> starting with a cwd that is not accessible should not be a problem, if it is
> then there are other usage cases that will get you.

There is potential to allow confined domains to write to subdirs of /root, or at least read it.
sshd_t needs to be able to read /root/.ssh/*

Others like xauth_t need to be able to write, but this is more a confined helper app than a real confined app.

In current targeted policy I see the following:

# sesearch --allow -t admin_home_t -c dir | grep write | awk '{ print $2 " " $3 }'
sysadm_t admin_home_t
rpm_t admin_home_t
rpm_script_t admin_home_t
xauth_t admin_home_t
nfsd_t admin_home_t
nmbd_t admin_home_t
smbd_t admin_home_t
ftpd_t admin_home_t
kernel_t admin_home_t

Where these are either an unconfined_domain or have a boolean that allows them to write anywhere.

--
This message was distributed to subscribers of the selinux mailing list.
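The audit in the post (sesearch piped through grep and awk) answers "which domains may write to admin_home_t directories?" but does not separate domains that are legitimately broad (unconfined, or gated by a boolean) from confined daemons that should not have the permission at all. The script below is an added example, not code from the thread or from the SELinux project: it parses sesearch-style allow rules into structured tuples, picks out the sources holding directory-write permissions on admin_home_t, and reports those not on a list of accepted broad domains. The sesearch output is a constructed sample in the `allow <src> <tgt> : <class> { perms } ;` layout the awk pipeline assumes (the regex also accepts the `<tgt>:<class>` spelling used by newer setools); the UNCONFINED_DOMAINS set and the choice of which permissions count as "write" are assumptions for the example and would be taken from the loaded policy in practice.

```python
import re

# Constructed sample of `sesearch --allow -t admin_home_t -c dir` output (not real policy output).
SAMPLE_SESEARCH_OUTPUT = """\
allow sysadm_t admin_home_t : dir { ioctl read getattr lock search open write add_name remove_name } ;
allow sshd_t admin_home_t : dir { ioctl read getattr lock search open } ;
allow xauth_t admin_home_t : dir { ioctl read getattr lock search open write add_name remove_name } ;
allow smbd_t admin_home_t : dir { write add_name remove_name } ;
allow httpd_t admin_home_t : dir { getattr search } ;
"""

# Assumed set of domains whose broad access is accepted (unconfined or boolean-gated).
# In a real audit this comes from the policy, e.g. members of the unconfined_domain attribute.
UNCONFINED_DOMAINS = {"sysadm_t"}

# Directory permissions that let a domain change what is under the directory.
# Chosen for this example; extend to taste.
WRITE_PERMS = {"write", "add_name", "remove_name", "rename", "setattr", "create", "rmdir"}

# Matches both "allow a b : dir { ... } ;" (setools 3) and "allow a b:dir { ... };" (setools 4).
RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+?)\s*:\s*(\S+)\s*\{([^}]*)\}.*$")


def parse_allow_rules(text):
    """Return a list of (source, target, class, permission-set) from sesearch-style lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("allow"):
            continue  # skip headers, blank lines, non-allow rule types
        m = RULE_RE.match(line)
        if not m:
            continue  # unparseable line; a stricter tool would report it
        src, tgt, cls, perms = m.groups()
        rules.append((src, tgt, cls, set(perms.split())))
    return rules


def domains_writing_to(rules, target, cls="dir"):
    """Map each source domain to the write-class permissions it holds on target:cls."""
    writers = {}
    for src, tgt, c, perms in rules:
        if tgt != target or c != cls:
            continue
        hit = perms & WRITE_PERMS
        if hit:
            writers.setdefault(src, set()).update(hit)
    return writers


def audit_admin_home(text, unconfined=UNCONFINED_DOMAINS):
    """Sorted list of domains that can modify admin_home_t directories and are not accepted as broad."""
    rules = parse_allow_rules(text)
    writers = domains_writing_to(rules, "admin_home_t")
    return sorted(d for d in writers if d not in unconfined)


if __name__ == "__main__":
    for domain in audit_admin_home(SAMPLE_SESEARCH_OUTPUT):
        print("confined domain with write access to /root:", domain)
```

Run against a live system, replace SAMPLE_SESEARCH_OUTPUT with the captured output of the sesearch command from the post; the parser works on the text alone, so it needs no SELinux libraries on the machine doing the review.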