On Tue, 2001-12-04 at 09:24, Stephen Smalley wrote:
> While this script should be helpful in customizing the policy
> configuration, you should carefully examine its output to ensure that the
> resulting rules do not violate your security objectives. Frequently,
> rather than granting the permission between the existing domain and type,
> you will want to define a new domain for the process and/or a new type for
> the file and only grant the permission for the new domain and/or type.
>
> --
> Stephen D. Smalley, NAI Labs
> ssmalley@nai.com
>
>

I envisioned this script as a quick and dirty way to get a system working in enforcing mode AFTER one has defined a bunch of new domains (that trigger lots of denied messages).

Naturally users should examine the output of this script to confirm that it will do what they want.

One great thing about SELinux is that it gives a detailed account of what is taking place in a system. For instance, I discovered that web users were trying to access files over symbolic links via my web server. I hadn't been aware that my web server had symbolic link access enabled.

--


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.