On Thu, 2009-08-27 at 11:02 -0400, Stephen Smalley wrote:
> On Thu, 2009-08-27 at 10:16 -0400, Christopher J. PeBenito wrote:
> > On Thu, 2009-08-27 at 09:04 -0400, Daniel J Walsh wrote:
> > > https://bugzilla.redhat.com/show_bug.cgi?id=518569
> > >
> > > The discussion surrounds potentially adding a setcon function to vsftpd
> > > to drop its level to a level appropriate to the user when he logs in.
> > > The discussion is around using MCS for this, but I guess I could see
> > > some utilization around MLS.
> > >
> > > Not sure MLS would go for it though since there is a potential for
> > > information leak.
> >
> > I'm not sure I like this idea, but I wanted to throw it out anyway:
> > why not just change to the user's complete login context (or a context
> > that is a subset of it), rather than just the level?
>
> What happens if we just add pam_selinux entries to /etc/pam.d/vsftpd,
> and add a system_r:ftpd_t entry to the default_contexts configuration?

Oh, obviously that only affects subsequent execve() calls. Which should
help with e.g. executing /bin/ls, but not with direct accesses by the
main daemon.

-- 
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
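The setcon() route discussed in the bug report, as an added example; this is not code from vsftpd, the bug report, or any participant in the thread. Unlike the pam_selinux/default_contexts route, which (as noted above) only changes the context of children the daemon execve()s, setcon() replaces the context of the calling process itself, so the daemon's own file accesses are then checked against the user's MCS categories. The example keeps the daemon's user, role and type and swaps only the level, and refuses a level whose categories are not a subset of the daemon's current range, so the call can only narrow access. All names here (build_dropped_context, mcs_dominates, drops_to, drop_to_user_level, the SELINUX_EXAMPLE_LIVE define) and the sample contexts are assumptions of this example; only getcon(), setcon() and freecon() are real libselinux calls, and they are compiled in only when SELINUX_EXAMPLE_LIVE is defined so the rest builds anywhere.

```c
/* Added example (not vsftpd or libselinux code): drop a daemon's MCS level to
 * the logged-in user's level while keeping user:role:type.  Pure C except for
 * the libselinux calls guarded by SELINUX_EXAMPLE_LIVE. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef SELINUX_EXAMPLE_LIVE
#include <selinux/selinux.h>   /* getcon(), setcon(), freecon() */
#endif

#define MCS_CATS 1024
#define CTX_MAX  512

/* Parse one MCS level "sN" or "sN:c1,c3.c5" into a sensitivity number and a
 * category bitmap.  Returns the sensitivity (>= 0) or -1 if malformed.
 * "low-high" ranges are not accepted here; see level_high(). */
static int parse_mcs_level(const char *level, unsigned char cats[MCS_CATS / 8])
{
    memset(cats, 0, MCS_CATS / 8);
    if (level[0] != 's') return -1;
    char *end;
    long sens = strtol(level + 1, &end, 10);
    if (end == level + 1 || sens < 0) return -1;
    if (*end == '\0') return (int)sens;
    if (*end != ':') return -1;
    const char *p = end + 1;
    while (*p) {
        if (*p != 'c') return -1;
        long lo = strtol(p + 1, &end, 10), hi;
        if (end == p + 1 || lo < 0 || lo >= MCS_CATS) return -1;
        hi = lo;
        p = end;
        if (*p == '.') {                    /* "cA.cB" is an inclusive range */
            if (p[1] != 'c') return -1;
            hi = strtol(p + 2, &end, 10);
            if (end == p + 2 || hi < lo || hi >= MCS_CATS) return -1;
            p = end;
        }
        for (long c = lo; c <= hi; c++)
            cats[c / 8] |= (unsigned char)(1u << (c % 8));
        if (*p == ',') p++;
        else if (*p != '\0') return -1;
    }
    return (int)sens;
}

/* For a "low-high" range return the high level, otherwise the level itself. */
static const char *level_high(const char *level)
{
    const char *dash = strchr(level, '-');
    return dash ? dash + 1 : level;
}

/* 1 if `high` dominates `low` under MCS (sensitivity >= and categories of
 * `low` a subset of those of `high`), 0 otherwise or on a parse error. */
int mcs_dominates(const char *high, const char *low)
{
    unsigned char hc[MCS_CATS / 8], lc[MCS_CATS / 8];
    int hs = parse_mcs_level(level_high(high), hc);
    int ls = parse_mcs_level(low, lc);
    if (hs < 0 || ls < 0 || ls > hs) return 0;
    for (size_t i = 0; i < sizeof hc; i++)
        if (lc[i] & ~hc[i]) return 0;      /* a category not held by `high` */
    return 1;
}

/* Build the context to hand to setcon(): `cur_ctx` with its level replaced by
 * `user_level`, only if the daemon's current range dominates that level.
 * Returns 0 on success, -1 on a malformed context or an attempt to widen. */
int build_dropped_context(const char *cur_ctx, const char *user_level,
                          char *out, size_t outlen)
{
    /* user:role:type:level -- the level is everything after the third ':'
     * and may itself contain ':' and '-', so stop after three separators. */
    const char *p = cur_ctx;
    for (int i = 0; i < 3; i++) {
        p = strchr(p, ':');
        if (!p || p == cur_ctx || p[-1] == ':') return -1;
        p++;
    }
    if (*p == '\0') return -1;             /* no level field: not MLS/MCS */
    if (!mcs_dominates(p, user_level)) return -1;
    int n = snprintf(out, outlen, "%.*s%s", (int)(p - cur_ctx), cur_ctx, user_level);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* 1 if dropping `cur` to `lvl` yields exactly `expected`, else 0. */
int drops_to(const char *cur, const char *lvl, const char *expected)
{
    char out[CTX_MAX];
    return build_dropped_context(cur, lvl, out, sizeof out) == 0 &&
           strcmp(out, expected) == 0;
}

/* Apply the drop to the running process.  The libselinux calls are assumed
 * and only compiled with -DSELINUX_EXAMPLE_LIVE; policy must still permit the
 * transition or setcon() fails with EACCES. Returns -1 when not live. */
int drop_to_user_level(const char *user_level)
{
#ifdef SELINUX_EXAMPLE_LIVE
    char *cur = NULL, target[CTX_MAX];
    if (getcon(&cur) < 0) return -1;
    int rc = build_dropped_context(cur, user_level, target, sizeof target);
    freecon(cur);
    return rc < 0 ? -1 : setcon(target);
#else
    (void)user_level;
    return -1;
#endif
}

int main(void)
{
    /* Constructed sample contexts, not taken from a real system. */
    char out[CTX_MAX];
    const char *daemon = "system_u:system_r:ftpd_t:s0-s0:c0.c1023";
    if (build_dropped_context(daemon, "s0:c5,c7", out, sizeof out) == 0)
        printf("drop   -> %s\n", out);
    if (build_dropped_context("system_u:system_r:ftpd_t:s0:c1.c4", "s0:c5",
                              out, sizeof out) < 0)
        printf("refuse -> c5 is outside the daemon's c1.c4\n");
    return 0;
}
```

The subset check is a local sanity check, not a substitute for policy: the kernel still requires an allowed dyntransition (and, under MLS, satisfies its own range constraints) before setcon() succeeds. It also does nothing about the objection raised in the thread, that a process which has already read data at its old level is then running at a lower one; that is a policy question, not something the call site can fix.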