On 10/07/11 14:24, Daniel J Walsh wrote:
> Right now, every domain that transitions to another domain gets the
> following rule written.
>
> dontaudit SOURCE TARGET : process { noatsecure siginh rlimitinh } ;
>
> In Fedora 17 policy right now we have 2152 rules, out of Dontaudit:
> 9415
>
>
> sesearch --dontaudit -p noatsecure | wc -l
> 2152
>
> We could rewrite this with one rule.
>
> dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
>
> Of course this is more lenient then what we have now, although since
> it is dontaudit rules, not sure it matters.
>
> Comments?
I'm on the fence. On one hand, I hate to overspecify the policy, but on the other hand, these perms can only be hit on a domain transition. How much does this save?
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
