Re: Fixing up SELinux reference policy for Debian
On Saturday 19 May 2007 02:00, Manoj Srivastava <firstname.lastname@example.org> wrote:
> > We'd also need people to work on e.g. an exim and a tomcat policy.
> I don't use exim, or tomcat, so this is likely to take me
> longer.

For Exim we need code changes to get it working in the best possible manner.
Upstream is interested in accepting patches.

Exim periodically re-exec's itself for different tasks. What we want is for
it to execute exim-FOO instead where FOO is the task in question. On a
non-SE system exim-FOO could be a sym-link to exim, on a SE system it would
be a wrapper program that executes the main exim program in a different

> The version I uploaded last night now fixes all the problems I
> saw last time, and includes the changes that Russell posted (updated
> localStrict.te included below). I can compile my packages, and run
Does localStrict.te really provide a benefit?
> However, I noticed that installing packages can still cause AVC
> denials (like, flashplayer non-free packages download files from the
> internet, installing auditd caused a whole flurry of denials). I think
Yes, there is still work to be done there.
> I think a number of these things that happen in post install
> scripts might require Debian specific policy, since I suspect Debian
> does far more in the postinst phase than does Fedora.
Yes, it does more things and requires more access.
Now further changes:
It's probably best to permit getattr access when read access is permitted; I
omitted this in the fs_allow_tmpfs_file_read patch I sent you.
I'll send other patches soon.
http://etbe.coker.com.au/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
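An added illustration of the getattr point made above, written as a refpolicy-style interface using the name from the mail; this is not the patch that was sent nor code from the Debian or refpolicy trees, and the exact permission sets (tmpfs_t, the dir and file permission lists) are assumptions.

```m4
## <summary>
##	Allow the domain to read files on tmpfs filesystems.
##	(Constructed example; not the patch referred to in the mail.)
## </summary>
## <param name="domain">
##	<summary>Domain allowed access.</summary>
## </param>
interface(`fs_allow_tmpfs_file_read',`
	gen_require(`
		type tmpfs_t;
	')

	# The directory tree has to be traversed to reach the files at all,
	# and getattr on the directory is needed for stat()/readdir() callers.
	allow $1 tmpfs_t:dir { getattr search read };

	# Grant getattr together with read: almost every reader calls
	# stat()/fstat() on the file it opens, so read-without-getattr only
	# produces a second round of AVC denials on the same files.
	allow $1 tmpfs_t:file { getattr read lock ioctl };
')
```

A domain then calls the interface from its .te file, e.g. `fs_allow_tmpfs_file_read(dpkg_t)` (dpkg_t is used here only as an assumed example domain).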