On Tue, 02 Dec 2003, Russell Coker wrote:
> On Tue, 2 Dec 2003 18:32, Peter Palfrader <weasel@debian.org> wrote:
> > > There is currently no uucp policy (it seems that no SE Linux users are
> > > using it).
> >
> > I have one, but it only allows what I need for uucp, which is
> > certainly just a small subset of possible uucp uses.
>
> I've attached a modified version, please check it out. I've changed some of
> the things to do it in the recommended manner (e.g. the system_crond_entry()
> macro), and removed some things.
>
> The part for running ssh looked suspect, I think it's probably best to just
> have can_exec(uucp_t, ssh_exec_t).
The ssh port, which is often used to establish a secure line to the
remote peer, needs to run ssh to connect to a remote host.
Just using can_exec(uucp_t, ssh_exec_t) is not sufficient, we would also
need to read random devices, open network connections, etc. For a more
general policy, using the network might be necessary for the tcp port
anyway, but I don't use that.
I have added the ssh parts back to my policy, the rest seems to work.
What is mta_user_agent for and why would it need to write to our spool?
| allow mta_user_agent uucp_spool_t:file rw_file_perms;
Peter
--
PGP signed and encrypted  |  .''`.  ** Debian GNU/Linux **
    messages preferred.   | : :' :      The  universal
                          | `. `'      Operating System
http://www.palfrader.org/ |   `-    http://www.debian.org/
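As an added illustration, not part of the thread and not taken from either Peter's or Russell's policy, the fragment below sketches in the 2003-era m4 macro style the rules the message says uucp_t needs when its ssh port runs the ssh client: execute permission on the client plus the random devices and network access that can_exec() alone does not grant. It assumes that uucp_t, ssh_exec_t, random_device_t and urandom_device_t are defined elsewhere in the policy and that the can_exec(), can_network() and r_file_perms macros are available.

```selinux
# Added example policy fragment (not from the thread or either author's policy).
# Assumed to exist elsewhere: the domain uucp_t, the types ssh_exec_t,
# random_device_t and urandom_device_t, and the macros can_exec(),
# can_network() and r_file_perms.

# Run the ssh client inside the uucp_t domain (the can_exec() Russell suggested).
can_exec(uucp_t, ssh_exec_t)

# ssh's key exchange draws entropy from the random devices, so can_exec()
# by itself leaves the client unable to start a session.
allow uucp_t { random_device_t urandom_device_t }:chr_file r_file_perms;

# ssh must open an outbound TCP connection to the remote peer; this also
# covers a plain tcp port if the policy is later generalised to use one.
can_network(uucp_t)
```

Anything the ssh client reads beyond this (its configuration and the known_hosts and key files of the uucp account) is left to the rest of the uucp policy; the point of the fragment is only that the three pieces above belong together once the ssh client runs in uucp_t, rather than a bare can_exec() line.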