On Tue, 2004-12-07 at 11:50 -0500, Valdis.Kletnieks@vt.edu wrote:

> On Tue, 07 Dec 2004 10:24:54 EST, Daniel J Walsh said:
>
> > Can you try this patch
>
> Will let you know after I get a chance to test at a reboot, but at first eyeball it looks close to workable, if not elegant. Probably be tomorrow before I have feedback on this one...
>
+can_exec(fsdaemon_t, { sbin_t bin_t shell_exec_t }
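Review bot: the `can_exec(fsdaemon_t, { sbin_t bin_t shell_exec_t }` line is missing the closing parenthesis of the macro call, so the policy will not build as pasted; it should read `can_exec(fsdaemon_t, { sbin_t bin_t shell_exec_t })`. It would also help to note in the patch description which executables smartd actually runs, since granting all of sbin_t, bin_t and shell_exec_t is wider than the sendmail-only case discussed in this thread.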
> Definitely more sledgehammer than elegance here. :)

Note that in general allowing a domain to exec a shell or random binary isn't really a big deal; the new binary retains the original domain and all of its restrictions.

> I'm wondering if it would make more sense to push a patch upstream to the kernel-utils crew. Reading the smartd manpage in more detail, it looks like feeding it a '-M exec /usr/sbin/sendmail' (or building with that as the default) would let us only have to add sendmail_exec_t rather than all those.

It's always useful to reduce the permissions needed for a particular program, but I don't see this particular instance as a large win. Better to spend the time e.g. helping with refactoring HAL to not need direct block device access in the main process.

> Where should sites that need to add other 'can_exec' entries be putting them?

On my personal server which still runs FC2, I put most of my rules in domains/misc/local.te, and then try to redo it as a diff later against the latest FC3 policy where applicable. When I'm directly doing development of course I edit the original file and send a direct diff, assuming it will be upstreamed.
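To make the point about exec without a domain change concrete, here is an added policy fragment (not from this thread or from the Fedora policy) contrasting the two shapes of "allow fsdaemon_t to run a shell". The types fsdaemon_t and shell_exec_t are the ones named in the thread; fsdaemon_child_t is a hypothetical placeholder, and the raw allow rules in the first block are my own approximation of what a can_exec-style macro grants.

```selinux
# Added example, not part of the original mail or policy.
# fsdaemon_t / shell_exec_t: types from the thread.
# fsdaemon_child_t: hypothetical placeholder domain, declared here only for the example.
type fsdaemon_child_t, domain;

# 1. Exec WITHOUT a transition (what a can_exec-style rule amounts to).
#    The shell starts, but the process stays in fsdaemon_t and keeps every
#    restriction already placed on fsdaemon_t. No new reach is gained.
allow fsdaemon_t shell_exec_t:file { getattr read execute execute_no_trans };

# 2. Exec WITH a transition into a different domain.
#    Only this shape changes what the child may do, and it needs all four pieces:
#    execute on the file, transition on the new domain, entrypoint for the new
#    domain, and the type_transition that selects it automatically.
allow fsdaemon_t shell_exec_t:file { getattr read execute };
allow fsdaemon_t fsdaemon_child_t:process transition;
allow fsdaemon_child_t shell_exec_t:file entrypoint;
type_transition fsdaemon_t shell_exec_t:process fsdaemon_child_t;
```

The practical check when reviewing a can_exec addition is therefore not "can it run a shell" but "does any type_transition rule move it into another domain": with setools installed, `sesearch -T -s fsdaemon_t -t shell_exec_t` on the compiled policy lists such rules, and an empty result means case 1 applies and the daemon's confinement is unchanged.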