Stewart Stremler wrote:
>>allow httpd_sys_script_t self:capability { chown dac_override fowner
>>fsetid };
>>allow httpd_sys_script_t devpts_t:chr_file { read write };
>>allow httpd_sys_script_t devpts_t:chr_file { getattr ioctl };
>>allow httpd_sys_script_t devpts_t:dir search;
> 
> The finer-grained the control, the harder the rules are to read. :-/

They are only hard to read insofar as C code is difficult for someone
who does not know C. The above rules are fairly straightforward to
someone who has glanced at the SE Linux docs and is familiar with the
various Linux capabilities.

> Surely you'd want to disable access to gcc as well. Or is that just for
> the previous worm?

Access to gcc is already disallowed. SE Linux is really much like a
firewall. Everything is denied and then selected things are allowed.

-- 
Tracy R Reed
http://copilotconsulting.com


-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
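As an added illustration of the two points Tracy makes above (the rules are readable once you know the syntax and the capability names, and SELinux is default-deny like a firewall), here is a small reader for type-enforcement allow rules. It is example code written for this page, not something from the thread or from the SELinux project. It parses the rules Stewart quoted (with the wrapped first line rejoined), merges rules that share a source/target/class triple the way the policy compiler does, expands `self`, and answers "may domain X do Y to Z?" with the answer being no unless some rule says yes. The capability descriptions are summarised from capabilities(7); the sample policy text is constructed from the quoted rules.

```python
"""Minimal reader for SELinux type-enforcement (TE) allow rules.

Added example, not code from the original thread.  It parses the rule
syntax under discussion and answers "is X allowed?" with SELinux's
default-deny semantics: a permission is granted only if some allow
rule names it; everything else is denied.
"""
import re

# Constructed input: the rules quoted in the thread, with the wrapped
# first line rejoined.  Real policy has many more rules per domain.
SAMPLE_POLICY = """
allow httpd_sys_script_t self:capability { chown dac_override fowner fsetid };
allow httpd_sys_script_t devpts_t:chr_file { read write };
allow httpd_sys_script_t devpts_t:chr_file { getattr ioctl };
allow httpd_sys_script_t devpts_t:dir search;
"""

# What the four capabilities in the first rule let a process do,
# summarised from capabilities(7).
CAPABILITY_MEANING = {
    "chown": "change arbitrary file UIDs and GIDs",
    "dac_override": "bypass file read/write/execute permission checks",
    "fowner": "bypass owner checks on operations such as chmod/utime",
    "fsetid": "keep setuid/setgid bits when modifying a file",
}

# allow SOURCE TARGET:CLASS PERM;   or   allow SOURCE TARGET:CLASS { P1 P2 };
RULE_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+?))\s*;\s*$"
)


def parse_rules(text):
    """Return {(source, target, class): set(perms)} from TE allow rules.

    Rules for the same triple are merged, as the policy compiler does,
    and the keyword 'self' is expanded to the source type.
    """
    allowed = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unrecognised rule: %r" % line)
        src, tgt, cls, braced, single = m.groups()
        if tgt == "self":
            tgt = src
        perms = set(braced.split()) if braced is not None else {single}
        allowed.setdefault((src, tgt, cls), set()).update(perms)
    return allowed


def is_allowed(allowed, src, tgt, cls, perm):
    """Default deny: True only if an allow rule grants perm on (tgt, cls)."""
    return perm in allowed.get((src, tgt, cls), set())


def describe(allowed):
    """One plain-English line per (source, target, class) triple."""
    lines = []
    for (src, tgt, cls), perms in sorted(allowed.items()):
        plist = ", ".join(sorted(perms))
        if cls == "capability":
            notes = "; ".join(
                "%s: %s" % (p, CAPABILITY_MEANING.get(p, "see capabilities(7)"))
                for p in sorted(perms)
            )
            lines.append("%s may use capabilities %s (%s)" % (src, plist, notes))
        else:
            lines.append("%s may %s %s objects of type %s"
                         % (src, plist, cls, tgt))
    return lines


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_POLICY)
    for line in describe(rules):
        print(line)
    # Nothing grants 'execute' on anything, so running a compiler out of
    # a bin_t directory from this domain is denied without a rule saying so.
    print(is_allowed(rules, "httpd_sys_script_t", "bin_t", "file", "execute"))
```

Against a loaded policy the equivalent query is `sesearch -A -s httpd_sys_script_t` from the setools package; the point of the toy version is that absence of a rule is the deny, which is why "disable access to gcc" needs no rule of its own.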
