| 1 |
Hi Chris and all, |
| 2 |
|
| 3 |
Thanks, Chris for the information on process permissions. This helps a lot |
| 4 |
more than Google, which had only a handful of obscure references. |
| 5 |
|
| 6 |
--On Sunday, February 01, 2004 11:23 PM -0600 Chris PeBenito |
| 7 |
<pebenito@g.o> wrote: |
| 8 |
|
| 9 |
> All of the policy regarding noatsecure, siginh, and rlimitinh are all |
| 10 |
> from the NSA example policy, and I haven't modified it. What programs |
| 11 |
> are you having problems with noatsecure? |
| 12 |
|
| 13 |
Oh! I didn't mean to imply problems with existing NSA or Gentoo policies. |
| 14 |
Sorry! |
| 15 |
|
| 16 |
In particular, I'm building policies for Tripwire and Samhain, and |
| 17 |
continuing to tweak a policy for Snort. Each of these programs seems, under |
| 18 |
some circumstances, to generate AVC denies related to noatsecure |
| 19 |
transitions, but the denies are masked by dontaudits. I believe that, in |
| 20 |
enforcing mode, the absence of noatsecure permission sometimes causes these |
| 21 |
programs to malfunction. But, now that I better understand what noatsecure |
| 22 |
is doing, I'll revisit my conclusion. Perhaps I don't need to specifically |
| 23 |
authorize such transitions. |
| 24 |
|
| 25 |
Cheers, |
| 26 |
|
| 27 |
--------------------------------------------------- |
| 28 |
Bill McCarty |
| 29 |
|
| 30 |
|
| 31 |
-- |
| 32 |
gentoo-hardened@g.o mailing list |
Archives