Yes, you are right about the etc_t rules redundancy. I have added this for
several reasons such as
> adding all the required rules if we consider the module as an
independent one, which means that it must be standalone. Thus, the
redundancy is present but may prevent a possible conflict in the future
(in the case of new domains being added)

The slapd_etc_t, if I'm not wrong, is not dedicated to pamldap but more
to the LDAP server and LDAP in general (openldap, ... which do not need to
access this file)? So, adding a new type dedicated to pamldap
engenders a more precise confinement. But I cannot check this for the
moment.

Otherwise, thanks for your greetings :D

If you want a policy rebuilding for reference policy style compliance,
please tell me (at least if you agree with my previous comments).

Julien Thomas


Chris PeBenito wrote:
> On Mon, 2007-11-19 at 01:13 +0100, julien.thomas@×××××××××××××.fr wrote:
>> The main aspect of this SELinux module consists in defining a new
>> domain for the confinement of the PAMLDAP module. I have created this
>> module as when I used the PamLDAP extension for remote authentications,
>> I discovered that it used sensitive information for LDAP connections.
>>
>> The module aims to protect this data (security enhancement in order
>> to prevent root services from accessing these previously
>> etc_t labelled files).
>
> Thanks for your submission. I especially appreciate the design document
> you wrote. However, I don't think this particular action is required,
> but another.
>
> First, the specified domains already have access to etc_t, so these
> rules are redundant. You suggest adding a type for the ldap.conf
> because it has authentication data, which I agree with. However, the
> ldap policy already has a type which might be appropriate for this file,
> slapd_etc_t.
>
> As for the style, the reference policy style is preferred. Please see
> the website [1] for more details.
>
> [1] http://oss.tresys.com/projects/refpolicy/wiki/GettingStarted
>


--
My RSA public key for email authentication is available at
http://www.rennes.enst-bretagne.fr/~jthomas2/
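As an added illustration of the two points raised in this exchange (the reference policy style Chris asks for, and the dedicated type for ldap.conf that both sides agree is needed), here is a minimal refpolicy-style module that labels /etc/ldap.conf with its own type instead of leaving it as etc_t. This is example code written for this page, not the module Julien submitted. The module name `pamldap`, the domain `pamldap_t`, the file type `pamldap_conf_t` and the interface `pamldap_read_config` are assumptions; the refpolicy macros used (`policy_module`, `files_config_file`, `files_read_etc_files`, `files_search_etc`, `read_file_perms`, `gen_context`) are the standard ones. The three files that make up a module are shown as sections of one block.

```selinux
# ---- pamldap.te ----
policy_module(pamldap, 1.0.0)

########################################
#
# Declarations
#

# Hypothetical domain for the PAM LDAP module (name is an assumption).
type pamldap_t;
domain_type(pamldap_t)

# Dedicated type for /etc/ldap.conf, which carries bind credentials.
# Keeping it off etc_t means that the generic "read etc files" access
# most daemons have does not reach the credentials.
type pamldap_conf_t;
files_config_file(pamldap_conf_t)

########################################
#
# Local policy
#

# Only the pamldap domain reads its own configuration.
allow pamldap_t pamldap_conf_t:file read_file_perms;

# General /etc access comes from the files module's interface; no
# per-domain etc_t allow rules are repeated here (that repetition is
# the redundancy discussed above).
files_read_etc_files(pamldap_t)

# ---- pamldap.fc ----
# Label the sensitive configuration with the dedicated type.
/etc/ldap\.conf        --    gen_context(system_u:object_r:pamldap_conf_t,s0)

# ---- pamldap.if ----
## <summary>
##      Read the PAM LDAP configuration (hypothetical interface).
## </summary>
## <param name="domain">
##      <summary>Domain allowed access.</summary>
## </param>
#
interface(`pamldap_read_config',`
        gen_require(`
                type pamldap_conf_t;
        ')

        files_search_etc($1)
        allow $1 pamldap_conf_t:file read_file_perms;
')
```

With this layout, any domain that legitimately needs the file asks for it through `pamldap_read_config()` in its own .te file, and everything else is denied by default. After loading the module, `restorecon -v /etc/ldap.conf` applies the new label and `ls -Z /etc/ldap.conf` confirms it no longer shows etc_t. If the existing `slapd_etc_t` were used instead, as Chris suggests, the `type`/`files_config_file` declaration and the .fc line would be replaced by reuse of that type and its interface from the ldap module.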