On Wed, 2007-02-07 at 16:34 +0000, Dan Track wrote:
> Hi Stephen
>
> Firstly apologies for sending to the wrong list.

Ok, then take follow-ups to fedora-selinux-list please.

> Thanks for the advice, it was really an eye opener. I trawled through
> the assert.te file in my selinux src directory, however I can tell
> which rule to remove, could you please guide to which rule it is.
> Currently my file looks like this:
>
> neverallow { domain -unrestricted -snmpd_t -pegasus_t }
> unconfined_t:process ~sigchld;

The rule above. Rather than removing it entirely, you could adjust it to make a specific exception for this case. What do you truly need your process to be able to do?

> # Confined domains must never see unconfined domain's /proc/pid entries.
> neverallow { domain -unrestricted -snmpd_t -pegasus_t }
> unconfined_t:dir { getattr search };

This one will also get in your process' way if it truly needs to operate on unconfined processes. Naturally, if you go too far in this direction, you are effectively removing any real restriction on httpd and might as well just disable its protection altogether (via the corresponding boolean).

--
Stephen Smalley
National Security Agency
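The "specific exception" Stephen suggests, written out as a policy fragment. This is an added illustration, not from the thread or from the Fedora policy sources; it assumes the confined domain in question is httpd_t (the thread only says "httpd") and picks `signal` as the one permission actually needed, which is a hypothetical choice to be replaced by whatever the audit log shows being denied.

```selinux
# Added example, not from the original thread. Assumes the confined domain
# is httpd_t and that the only thing it really needs is to send a signal to
# unconfined processes (hypothetical; use the permission you actually see
# denied). neverallow rules are assertions checked when the policy is
# compiled, so the exception must be carved out of the assertion first or
# the build fails.

# assert.te, before: httpd_t is in "domain" and not excluded, so (assuming
# it does not carry the unrestricted attribute) any allow rule giving it a
# process permission other than sigchld on unconfined_t fails the build.
neverallow { domain -unrestricted -snmpd_t -pegasus_t }
    unconfined_t:process ~sigchld;

# assert.te, after: exclude httpd_t from the assertion, nothing else.
neverallow { domain -unrestricted -snmpd_t -pegasus_t -httpd_t }
    unconfined_t:process ~sigchld;

# In the httpd policy file (e.g. apache.te; file name assumed): grant only
# the single permission that is needed, not the whole ~sigchld set.
allow httpd_t unconfined_t:process signal;

# The /proc/pid rule from the thread stays as it is. Widen it the same way
# only if the process really must getattr/search unconfined_t directories.
```

Each exclusion you add to the neverallow widens what httpd_t may be granted, so keep the accompanying allow rule to the narrowest permission set you have evidence for.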