Re: Where is fixfiles.cron?: msg#00063
Subject: Re: Where is fixfiles.cron?
Daniel J Walsh wrote:
> fixfiles.cron causes more problems than it solves. It made little sense
> in targeted policy.
<snip>
I understand.
But fixfiles.cron will be useful for users who understand SELinux well.
I hope the script is included somewhere.
> fixfiles will report these as errors. So until someone comes up
> with a better way to handle these situations I thought it better to not
> install it any longer.
Integrity of labeling is critical for SELinux, so it should be solved.
I think there are two choices: one is to modify policy and
the other is to modify fixfiles.
- Changing policy:
For example, if we do not want the label of a key file to ever be changed by
setfiles,
declare the type "key_t" with an attribute, like
type key_t, dontchange;
And make setfiles (or fixfiles) run as setfiles_t.
setfiles_t is configured to be unable to modify the label for the neverchange
attribute.
- Changing fixfiles:
There is an exclude list in fixfiles.cron.
For example, the content of the list is "httpd_user_script_rw_t" and "gpgkey_t".
fixfiles skips files that have a label in the exclude list.
Changing policy is more "MAC" but will take more time to modify and the side
effects will be bigger.
---
Yuichi Nakamura
Japan SELinux Users Group(JSELUG)
http://www.selinux.gr.jp/
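
The exclude-list option described in the message above, as an added example that is not part of the original post and is not code from fixfiles or fixfiles.cron. The function names, the input format (path, current context, expected context) and the sample paths are assumptions constructed for illustration; only the two excluded type names come from the message.

```shell
#!/bin/sh
# Types whose labels must survive a relabel run (the two named in the message).
EXCLUDE_TYPES="httpd_user_script_rw_t gpgkey_t"

# Constructed sample input: path, current context, context expected by policy.
# Contexts are user:role:type with an optional trailing MLS level.
sample_mismatches() {
cat <<'EOF'
/var/www/html/index.html system_u:object_r:var_t system_u:object_r:httpd_sys_content_t
/home/alice/public_html/cgi/data.db user_u:object_r:httpd_user_script_rw_t user_u:object_r:user_home_t
/home/alice/.gnupg/secring.gpg user_u:object_r:gpgkey_t user_u:object_r:user_home_t
/etc/passwd system_u:object_r:etc_t:s0 system_u:object_r:etc_t:s0
EOF
}

# Read "path current expected" lines on stdin and print one decision per
# mislabeled file: SKIP when the current type is excluded, RELABEL otherwise.
# Only the type field (third colon-separated field) is compared.
plan_relabel() {
    awk -v excl="$EXCLUDE_TYPES" '
    BEGIN {
        n = split(excl, e, " ")
        for (i = 1; i <= n; i++) skip[e[i]] = 1
    }
    {
        split($2, cur, ":")
        split($3, want, ":")
        if (cur[3] == want[3]) next          # type already matches policy
        if (cur[3] in skip) {                # deliberately set label: keep it
            print "SKIP " $1 " (" cur[3] ")"
            next
        }
        print "RELABEL " $1 " " cur[3] " -> " want[3]
    }'
}

# Show the decisions for the constructed sample.
sample_mismatches | plan_relabel
```

The check keys on the file's current type, so a file that has lost an excluded label is relabeled like any other; that gap is what the policy-side option in the message would close.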