On Tue, 02 Dec 2003, Russell Coker wrote:

> On Tue, 2 Dec 2003 18:32, Peter Palfrader <weasel@debian.org> wrote:
> > > There is currently no uucp policy (it seems that no SE Linux users are
> > > using it).
> >
> > I have one, but it does only allow what I need for uucp, which is
> > certainly just a small subset of possible uucp uses.
>
> I've attached a modified version, please check it out. I've changed some of
> the things to do it in the recommended manner (eg the system_crond_entry()
> macro), and removed some things.
>
> The part for running ssh looked suspect, I think it's probably best to just
> have can_exec(uucp_t, ssh_exec_t).

The ssh port, which is often used to establish a secure line to the
remote peer, needs to run ssh to connect to a remote host. Just using
can_exec(uucp_t, ssh_exec_t) is not sufficient, we would also need to
read random devices, open network connections, etc.

For a more general policy, using the network might be necessary for the
tcp port anyway, but I don't use that.

I have added the ssh parts back to my policy, the rest seems to work.

What is mta_user_agent for and why would it need to write to our spool?
| allow mta_user_agent uucp_spool_t:file rw_file_perms;

Peter
--
 PGP signed and encrypted  |  .''`.  ** Debian GNU/Linux **
    messages preferred.    | : :' :      The universal
                           | `. `'      Operating System
 http://www.palfrader.org/ |   `-    http://www.debian.org/