| 1 |
On Sun, 2004-02-01 at 18:36, Bill McCarty wrote: |
| 2 |
> More generally, is there a document that describes the various access |
| 3 |
> vector components? Most components are based on system calls and are |
| 4 |
> easily understood. |
| 5 |
|
| 6 |
I've been wanting to do this, but I have so many things going on, I |
| 7 |
haven't had a chance to really work on it. There's some docs from the |
| 8 |
NSA, but they're old, and don't have the new API stuff like the |
| 9 |
following vectors. |
| 10 |
|
| 11 |
> setexec: unknown |
| 12 |
|
| 13 |
override default context for next exec: see setexeccon() |
| 14 |
|
| 15 |
> setfscreate: permission to create filesystem? |
| 16 |
|
| 17 |
override default context for next file(s) created: see setfscreatecon() |
| 18 |
|
| 19 |
> noatsecure: unknown |
| 20 |
|
| 21 |
allowing this means glibc secure mode (sanitized environment) can be |
| 22 |
disabled on the transition/exec |
| 23 |
|
| 24 |
> siginh: inheritance of signal handler? |
| 25 |
|
| 26 |
allow signal-related state to be inherited on the transition/exec |
| 27 |
|
| 28 |
> rlimitinh: inheritance of resource limit? |
| 29 |
|
| 30 |
allow resource limits to be inherited on the transition/exec |
| 31 |
|
| 32 |
> |
| 33 |
> I find a few programs that seem to need the noatsecure permission. Because |
| 34 |
> the sample policy includes several dontaudits related to this permission, |
| 35 |
> I'm having some small difficulties developing appropriate policies for such |
| 36 |
> programs. |
| 37 |
|
| 38 |
All of the policy regarding noatsecure, siginh, and rlimitinh are all |
| 39 |
from the NSA example policy, and I haven't modified it. What programs |
| 40 |
are you having problems with noatsecure? |
| 41 |
|
| 42 |
-- |
| 43 |
Chris PeBenito |
| 44 |
<pebenito@g.o> |
| 45 |
Developer, |
| 46 |
Hardened Gentoo Linux |
| 47 |
Embedded Gentoo Linux |
| 48 |
|
| 49 |
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243 |
| 50 |
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243 |
Archives