[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: LSM-based systems and debian packages

On Wed, 03 Dec 2003, Russell Coker wrote:

> On Wed, 3 Dec 2003 00:56, Peter Palfrader <weasel@debian.org> wrote:
> > > I've attached a modified version, please check it out.  I've changed some
> > > of the things to do it in the recommended manner (eg the
> > > system_crond_entry() macro), and removed some things.
> > >
> > > The part for running ssh looked suspect, I think it's probably best to
> > > just have can_exec(uucp_t, ssh_exec_t).
> >
> > The ssh port, which is often used to establish a secure line to the
> > remote peer, needs to run ssh to connect to a remote host.
> >
> > Just using can_exec(uucp_t, ssh_exec_t) is not sufficient, we would also
> > need to read random devices, open network connections, etc.  For a more
> > general policy, using the network might be necessary for the tcp port
> > anyway, but I don't use that.
> Why not just permit the uucp domain to do that?  Or if you really want to 
> create a new domain then do it in a way that does not overload "home" in type 
> names (confusion over what constitutes a USER home directory is not something 
> we want).

I started doing this, but it turned out to need a lot of things for
which I did not have time at that time.

> > I have added the ssh parts back to my policy, the rest seems to work.
> >
> > What is mta_user_agent for and why would it need to write to our spool?
> postfix_postdrop_t has the attribute mta_user_agent.  If you want to ever get 
> it working on other mail servers then using attributes such as mta_user_agent 
> is necessary.  If you use the attributes correctly then it should be possible 
> to have it work with any mail server.
> Please send me a new copy of your policy.

Let me try to get going without an uucp ssh domain, I'll send the result

 PGP signed and encrypted  |  .''`.  ** Debian GNU/Linux **
    messages preferred.    | : :' :      The  universal
                           | `. `'      Operating System
 http://www.palfrader.org/ |   `-    http://www.debian.org/

Attachment: signature.asc
Description: Digital signature

Reply to: