
Re: The possibility of SELinux targeted policy in the default install



Hi,
On Fri, 15 Sep 2006 02:21:18 -0700, Steve Langasek <vorlon@debian.org> said: 

> Ok.  What about cron, su, *dm, sudo, samba, ftp servers...?  All of
> these processes change uids as well after authentication, do they
> also need selinux support?

        Cron runs properly in crond_t already, there are domain
 transitions set up since the cron daemon file is labelled on the disk,
 and the transition from crond_exec_t to crond_t etc is already
 done. Same goes for ftp servers and all.

        *.dm I am not sure about, but I think they called pam.d/login
 to manage things (I'll need to look that up; been a while since I
 submitted the xdm patch).

        ssh and login are different in that knowing that it is ssh
 accepting connections does not tell you what domain the resulting
 shell should be created under (sysadmin_t, user_t, staff_t?), and an
 extra lookup is required based on the user logging in, the domains
 permitted, and the user's choice.

        Hope this helps.

       manoj 
-- 
The end of the human race will be that it will eventually die of
civilization. Ralph Waldo Emerson
Manoj Srivastava     <srivasta@acm.org>    <http://www.golden-gryphon.com/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
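
The contrast drawn in the message above, as an added example that is not part of the original post: a simplified Python model of a label-driven daemon transition next to a per-user login context lookup. The rules, users, context lists and function names are constructed for illustration and are not taken from any shipped policy or from libselinux.

```python
import re

# Constructed sample rules in SELinux type_transition syntax (not a shipped policy).
POLICY = """
type_transition initrc_t crond_exec_t:process crond_t;
type_transition initrc_t ftpd_exec_t:process ftpd_t;
type_transition initrc_t sshd_exec_t:process sshd_t;
"""
# Constructed per-user data: contexts each user is permitted to enter.
USER_CONTEXTS = {
    "alice": ["staff_r:staff_t", "user_r:user_t"],
    "bob": ["user_r:user_t"],
}
# Constructed preference order for sessions started from sshd_t.
DEFAULT_ORDER = {"sshd_t": ["user_r:user_t", "staff_r:staff_t"]}

RULE = re.compile(r"type_transition\s+(\w+)\s+(\w+):process\s+(\w+);")


def load_transitions(text):
    """Map (source domain, executable file type) -> new process domain."""
    return {(src, exe): new for src, exe, new in RULE.findall(text)}


def exec_domain(transitions, source, exe_type):
    """Daemon case: the file label decides; without a rule the domain is inherited."""
    return transitions.get((source, exe_type), source)


def login_context(daemon, user, choice=None):
    """Login case: the user, the permitted contexts and an optional choice decide."""
    allowed = USER_CONTEXTS.get(user, [])
    candidates = [c for c in DEFAULT_ORDER.get(daemon, []) if c in allowed]
    if not candidates:
        raise PermissionError(f"no permitted context for {user!r} via {daemon}")
    if choice is None:
        return candidates[0]
    if choice not in candidates:
        raise PermissionError(f"{user!r} may not enter {choice}")
    return choice


if __name__ == "__main__":
    t = load_transitions(POLICY)
    print(exec_domain(t, "initrc_t", "crond_exec_t"))   # daemon: label is enough
    print(exec_domain(t, "initrc_t", "sshd_exec_t"))    # sshd itself: same mechanism
    print(login_context("sshd_t", "alice"))             # shell: needs the user lookup
    print(login_context("sshd_t", "alice", "staff_r:staff_t"))
```

The daemon lookup never consults the user table, which is why an unmodified cron or ftp server lands in the right domain, while the shell started by sshd cannot be resolved from sshd_t alone.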


