
Re: Should selinux be standard?

This one time, at band camp, Manoj Srivastava said:
> On Tue, Sep 16 2008, Stephen Gran wrote:
> > This is a sid install of the default policy in non-enforcing mode.  I
> > can't guarantee that every one of those complaints would have
> > generated errors that matter, but it doesn't look like we're tuned for
> > a normal install just yet.
>         Well, seems like I reach a different conclusion:
> __> audit2allow <~/selinux-denials-3.txt | egrep -v '(^$)|(^#)' | wc -l
> 13
>         13 lines of policy to get it into enforcing mode, assuming all
>  of these actions are safe to allow.
> --8<---------------cut here---------------start------------->8---


> --8<---------------cut here---------------end--------------->8---
>         So, pretty close. Why is logrotate looking into user home
>  directories? There is the mount and /etc/mtab thingy, and ifconfig
>  writing to ifstate, these should really be changed.
>         I think dhcpd policy does need some loving.
>         I would much rather we chased down these last outlier bits of
>  policy, and let the local admin decide if they really want logrotate to
>  look into every single user directory, or not (me, I would prefer to
>  create a separate label for log files in my home dir, but that is
>  perhaps just me).

I actually agree with you - I just don't think it's there yet.  mtab and
ifstate in particular seem like they will definitely disrupt normal
operation, and quite likely the ntp and dhclient issues will prove to be
a problem.  The logrotate issue I haven't investigated - it may just be
a mislabelled file for all I know (some system users have homes under
/var, and I'm guessing something like that could have gone wrong).

|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
