[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: LSM-based systems and debian packages

On Tue, 02 Dec 2003, Russell Coker wrote:

> On Tue, 2 Dec 2003 18:32, Peter Palfrader <weasel@debian.org> wrote:
> > > There is currently no uucp policy (it seems that no SE Linux users are
> > > using it).
> >
> > I have one, but it does only allow what I need for uucp, which is
> > certainly just a small subset of possible uucp uses.
> I've attached a modified version, please check it out.  I've changed some of 
> the things to do it in the recommended manner (eg the system_crond_entry() 
> macro), and removed some things.
> The part for running ssh looked suspect, I think it's probably best to just 
> have can_exec(uucp_t, ssh_exec_t).

The ssh port, which is often used to establish a secure line to the
remote peer, needs to run ssh to connect to a remote host.

Just using can_exec(uucp_t, ssh_exec_t) is not sufficient, we would also
need to read random devices, open network connections, etc.  For a more
general policy, using the network might be necessary for the tcp port
anyway, but I don't use that.

I have added the ssh parts back to my policy, the rest seems to work.

What is mta_user_agent for and why would it need to write to our spool?
| allow mta_user_agent uucp_spool_t:file rw_file_perms;

 PGP signed and encrypted  |  .''`.  ** Debian GNU/Linux **
    messages preferred.    | : :' :      The  universal
                           | `. `'      Operating System
 http://www.palfrader.org/ |   `-    http://www.debian.org/

Attachment: signature.asc
Description: Digital signature

Reply to: