From: Daniel J Walsh <dwalsh@redhat.com>
To: Stephen Smalley <sds@epoch.ncsc.mil>
Cc: SELinux <SELinux@tycho.nsa.gov>, Colin Walters <walters@redhat.com>
Subject: Re: Updated policy
Date: Thu, 27 Jan 2005 11:45:51 -0500
Message-ID: <41F91ABF.5040101@redhat.com>
In-Reply-To: <1106841450.28623.132.camel@moss-spartans.epoch.ncsc.mil>

Stephen Smalley wrote:
>On Tue, 2005-01-25 at 14:56, Daniel J Walsh wrote:
>
>
>>Fixes for targeted crond to run as unconfined and still have transitions
>>work.
>>
>>
>
>I'm a little unclear on the current direction of the targeted policy. I
>see that you are putting more programs like login and crond into
>domains, but then adding unconfined_domain() to them and allowing them
>to transition to unconfined_t. What is the purpose of such domains?
>
>As a side note, do you truly want crond to run directly in
>system_crond_t (normally only used for system cron jobs in the strict
>policy, vs. crond_t for the daemon itself).
>
>
>

The direction of targeted policy is to attempt to lock down all of the
network daemons. The remote login ones are proving difficult since they
have to eventually transition to unconfined_t. So the problem we were
having was that, without telnetd, rshd, rlogind policy, these daemons
were running as inetd_child_t and not working properly, so we started
to add policy.

Dan