On Wed, 2003-04-30 at 11:42, Daniel J Walsh wrote:
I have a hard time with the previous two. Just seems to me SELinux
needs some sort
of dontallow functionality to handle these situation. Otherwise every
time I add a policy
that has a somewhat global effect on files/dir, I need to change the
all the file/directory attributes
in the policy. Has this been discussed previously?
True. The problem is more severe for exec_type than for the directory
access; IMHO, it isn't too much to ask you to enumerate the major
directory types in which binaries to be executed by sudo might live, and
most (all?) of those types should be part of the basic policy
definition, not package-specific, e.g. bin_t, sbin_t, etc. You don't
even need to define an attribute for that purpose; you can just list
them in your allow rule, or pull them from a macro definition added to
the global macros.
I am still not sure I can do this. Are you are stating that I would
have to have an allow rule for
This is a problem since with Sudo you are sharing the same terminal
between the process that rand sudo
and the sudo process. So if you change the privs of the terminal one
process or the other could have
more privs. I would prefer to leave the terminal with the current
privs (Usually lower) and make the
application run by sudo change the terminal privs if it has to.
(probably seldom). Any other ideas?
I'm not clear as to why you can't implement something akin to what
newrole does. Otherwise, what prevents another process of lower
privilege from arbitrarily accessing the privileged process' terminal?
You can't rely on the DAC protections.
Ok I just went back and read the code again and it looks like I can
implement the terminal stuff.