Re: Selinux question


 



Mathew Pullar wrote:

No, I am not using the strict policy because the X server will not start
after applying the policy and rebooting for relabelling. I am
currently enforcing the targeted policy.


On 7/13/05, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
Mathew Pullar wrote:

Hi,
I have just started to experiment with SELinux and noticed the "User
Privs" section in system-config-securitylevel-gui and unticked allow
users to ping and allow users to read default system files. I then
created a new normal user account to test the changes I had made.
The new user was able to ping and to read default system files such
as /etc/inittab.
I then thought perhaps relabelling was required, so rebooted and
relabeled. This, however, still allowed normal users to ping.
My current SELinux config is set to enabled and enforcing.
Any help would be greatly appreciated.

Users are not transitioning to the ping domain, so they are staying in the unconfined domain. So this boolean would have no effect and should not be present in targeted policy. I will remove it to prevent confusion. Similarly, the default boolean should not be in targeted policy. In targeted policy we are protecting the user space from "targeted" system processes, usually daemons. We allow users to run in the same way they would run without SELinux.

Thanks for pointing out this problem.

Dan

Are you running strict policy?

Default system files are files that are marked with file context
default_t. You should not have many of them on the system.
Dan



--


