Torbjørn Lindahl wrote:
Good point. I probably can live with that.
Still, I am not sure if I would like it to have full access to all files labelled etc_t. It would be nice to be able to single out only a few of them. Perhaps I should look at something other than the targeted policy.
On 9/17/07, Daniel J Walsh <dwalsh@redhat.com> wrote:
Torbjørn Lindahl wrote:
Hello, I am writing an application that I want to limit using SELinux.
audit.log shows that it wants access to /etc/nsswitch.conf and /etc/hosts, which doesn't seem too unreasonable; however, both of these have type etc_t, and allowing myapp_t to read etc_t would also give it access to, for example, /etc/passwd, which I do not want.
Do I have to invent a new type for these two files to be able to keep my application from the other etc_t files in /etc?
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Yes you can, but the more different file_contexts you have in /etc, the harder they will be to maintain.
Reading /etc/passwd is not as dangerous as being able to read /etc/shadow. So consider if this is really necessary.
All of the current policies including mls allow reading of etc_t for most domains, and /etc/passwd is labeled etc_t.
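The dedicated-type approach discussed in the thread, written out as an added example in Reference Policy module syntax (this is not code from the thread or from Fedora's policy). It assumes a module named myapp, a domain myapp_t confined via application_domain(), and a new type myapp_etc_t placed on only the two files the application needs; the interface names used here come from refpolicy's files.if and application.if and should be checked against the policy version in use.

```selinux
# ---- myapp.te ----
policy_module(myapp, 1.0)

########################################
#
# Declarations
#

# The application's domain and its executable entry point.
# application_domain() is assumed here; a daemon would use
# init_daemon_domain() instead.
type myapp_t;
type myapp_exec_t;
application_domain(myapp_t, myapp_exec_t)

# A separate type for the two resolver files, so that granting
# read access to it does not also expose /etc/passwd (etc_t).
# files_config_file() marks it as a config file (configfile
# attribute), so domains that use the generic config-file read
# interfaces still reach /etc/hosts and /etc/nsswitch.conf after
# the relabel; verify this against files.if for your policy.
type myapp_etc_t;
files_config_file(myapp_etc_t)

########################################
#
# myapp local policy
#

# Read only the files carrying the new type, nothing else in /etc.
allow myapp_t myapp_etc_t:file read_file_perms;

# The files live in the etc_t directory, so the domain must be able
# to search it; search does not grant reading of its other files.
files_search_etc(myapp_t)

# ---- myapp.fc ----
# Assign the new type to exactly these two files; run
# restorecon on them after the module is installed.
/etc/nsswitch\.conf  --  gen_context(system_u:object_r:myapp_etc_t,s0)
/etc/hosts           --  gen_context(system_u:object_r:myapp_etc_t,s0)
```

Build with checkmodule -M -m and semodule_package -f myapp.fc, install with semodule -i, then relabel the two files with restorecon; afterwards, any other domain that needs those files must be able to read myapp_etc_t, which is the maintenance cost Dan points out.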