Re: The possibility of SELinux targeted policy in the default install
Hi,
On Fri, 15 Sep 2006 02:21:18 -0700, Steve Langasek <vorlon@debian.org> said:
> Ok. What about cron, su, *dm, sudo, samba, ftp servers...? All of
> these processes change uids as well after authentication, do they
> also need selinux support?

Cron runs properly in crond_t already; there are domain
transitions set up since the cron daemon file is labelled on the disk,
and the transition from crond_exec_t to crond_t etc. is already
done. Same goes for ftp servers and all.

*.dm I am not sure about, but I think they called pam.d/login
to manage things (I'll need to look that up; been a while since I
submitted the xdm patch).

ssh and login are different in that knowing that it is ssh
accepting connections does not tell you what domain the resulting
shell should be created under (sysadmin_t, user_t, staff_t?), and an
extra lookup is required based on the user logging in, the domains
permitted, and the user's choice.

Hope this helps.
manoj
--
The end of the human race will be that it will eventually die of
civilization. Ralph Waldo Emerson
Manoj Srivastava <srivasta@acm.org> <http://www.golden-gryphon.com/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
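
The distinction drawn in the message above, as a simplified model added here for illustration; it is not part of the original message and is not SELinux code. The source domain `initrc_t`, the ftpd types, the user names and the per-user table are constructed assumptions, and the login domain names are spelled as in the message.

```python
import re

# Constructed sample policy: type_transition rules in SELinux policy syntax.
POLICY = """
type_transition initrc_t crond_exec_t:process crond_t;
type_transition initrc_t ftpd_exec_t:process ftpd_t;
"""

# Constructed per-user table: domains each login user may enter, default first.
PERMITTED = {
    "root": ["sysadmin_t", "staff_t"],
    "alice": ["staff_t", "user_t"],
    "bob": ["user_t"],
}

RULE = re.compile(r"type_transition\s+(\w+)\s+(\w+):process\s+(\w+);")


def parse_transitions(text):
    """Map (source domain, executable file type) -> new process domain."""
    return {(m[1], m[2]): m[3] for m in RULE.finditer(text)}


def daemon_domain(transitions, source, exec_type):
    """Daemon case: the on-disk label of the executable decides the domain."""
    # No matching rule means no transition: the process stays in the source domain.
    return transitions.get((source, exec_type), source)


def login_domain(permitted, user, requested=None):
    """ssh/login case: the program's label is not enough; look up the user."""
    allowed = permitted.get(user)
    if not allowed:
        raise PermissionError(f"no domain permitted for {user!r}")
    if requested is None:
        return allowed[0]  # no choice made: take the user's default
    if requested not in allowed:
        raise PermissionError(f"{user!r} may not enter {requested}")
    return requested


if __name__ == "__main__":
    table = parse_transitions(POLICY)
    print(daemon_domain(table, "initrc_t", "crond_exec_t"))
    print(login_domain(PERMITTED, "alice"))
    print(login_domain(PERMITTED, "alice", "user_t"))
```
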