| 1 |
Yes, you are right for the etc_t rules redundancy. I have added this for |
| 2 |
several reasons such as |
| 3 |
> adding all the required rules if we consider the module as an |
| 4 |
independent one, which means that is must be standalone. Thus, the |
| 5 |
redundancy is present but may prevent possibly conflict in the future |
| 6 |
(in the case of new domains adding) |
| 7 |
|
| 8 |
The slapd_etc_t, if I'm not wrong, is not dedicated to pamldap but more |
| 9 |
to LDAP server and LDAP in general (openldap, ... which do not need to |
| 10 |
access this file) ?. So, adding a new type dedicated to pamldap |
| 11 |
engenders a more precise confinement. But I can not check this for the |
| 12 |
moment. |
| 13 |
|
| 14 |
Otherwise, thanks for your greetings :D |
| 15 |
|
| 16 |
If you want a policy rebuilding for reference policy style compliance, |
| 17 |
please tell me (at least if you agree with my previous comments). |
| 18 |
|
| 19 |
Julien Thomas |
| 20 |
|
| 21 |
|
| 22 |
Chris PeBenito a écrit : |
| 23 |
> On Mon, 2007-11-19 at 01:13 +0100, julien.thomas@×××××××××××××.fr wrote: |
| 24 |
>> The main aspect of this SELinux module consists in defining a new |
| 25 |
>> domain for the |
| 26 |
>> confinement of the PAMLDAP module. I have created this module as when |
| 27 |
>> I used the |
| 28 |
>> PamLDAP extension for remote authentications, I discovered that it used |
| 29 |
>> sensitive information for LDAP connexions. |
| 30 |
>> |
| 31 |
>> The module aims to protect these datas (security enhancement in order |
| 32 |
>> to prevent to prevent root services from accessing these previously |
| 33 |
>> etc_t labelled files). |
| 34 |
> |
| 35 |
> Thanks for your submission. I especially appreciate the design document |
| 36 |
> you wrote. However, I don't think this particular action is required, |
| 37 |
> but another. |
| 38 |
> |
| 39 |
> First, the specified domains already have access to etc_t, so these |
| 40 |
> rules are redundant. You suggest adding a type for the ldap.conf |
| 41 |
> because it has authentication data, which I agree with. However, the |
| 42 |
> ldap policy already has a type which might be appropriate for this file, |
| 43 |
> slapd_etc_t. |
| 44 |
> |
| 45 |
> As for the style, the reference policy style is preferred. Please see |
| 46 |
> the website [1] for more details. |
| 47 |
> |
| 48 |
> [1] http://oss.tresys.com/projects/refpolicy/wiki/GettingStarted |
| 49 |
> |
| 50 |
|
| 51 |
|
| 52 |
-- |
| 53 |
My RSA public key for email authentication is avaiblable at |
| 54 |
http://www.rennes.enst-bretagne.fr/~jthomas2/ |
Archives