[CentOS] Re: Learning SELINUX management, help?

Jan-Frode Myklebust janfrode at tanso.net
Sat Apr 21 11:04:35 UTC 2007


On 2007-04-20, Ben Russo <ben at muppethouse.com> wrote:
>
> I checked in /usr/share/docs/selinux-policy-2.4.6/html
> and find no references (using grep) for "cupsd_disable_trans"
> I google on "cupsd_disable_trans" and find no references either.

All the *_disable_trans booleans mean that the service will
not transition from the SELinux unconfined domain to a restricted
SELinux domain (in cups's case cupsd_t). So your system will not
be protected from this service if you set the *_disable_trans.

>
> How do I find out what this boolean object is or does?
> Is there a description of it somewhere?
> Is it dangerous to just run the command that sealert tells me to run?

I find that the advice sealert gives is quite often bad advice.
It will fix your problem, but you should really evaluate whether
you're opening up too much by following the advice. Here sealert is
suggesting turning off SELinux protection of cups..


> avc: denied { read, write } for comm="cupsd" dev=dm-0 egid=0 euid=0
> exe="/usr/sbin/cupsd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="__db.000"
> path="socket:[15083]" pid=5515 
> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
> sgid=0 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=0 tclass=file
> tcontext=system_u:object_r:rpm_var_lib_t:s0 tty=tty1 uid=0

This seems very strange.. All the labels above seem correct to me, but why
would cupsd need to access (/var/lib/rpm/) "__db.000"??



   -jf
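The triage the reply above recommends, as an added example (my own shell script, not code from the post or from the SELinux tools): it parses the AVC denial quoted in the thread into source type, target type, class and permissions, flags the proposed boolean if its name ends in _disable_trans (the family the reply explains removes confinement), and prints the narrower checks to run on the host before changing anything. The AVC line is the one from the thread joined onto one line; the command list it prints is only printed, not executed, and the sesearch flags shown are the setools spelling I know and should be confirmed against the installed version.

```shell
#!/bin/sh
# Added example, not from the original post: triage an AVC denial and the
# boolean sealert proposes for it, the way the reply above recommends.
# Only POSIX sh, awk, sed and cut are used, so it runs on any CentOS box.

# Constructed input: the denial quoted in the thread, joined onto one line.
AVC='avc: denied { read, write } for comm="cupsd" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/cupsd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="__db.000" path="socket:[15083]" pid=5515 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=0 tclass=file tcontext=system_u:object_r:rpm_var_lib_t:s0 tty=tty1 uid=0'

# avc_field LINE KEY: print the value of KEY=... with surrounding quotes stripped.
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0 && substr($i, 1, n - 1) == key) {
                v = substr($i, n + 1)
                gsub(/["]/, "", v)
                print v
                exit
            }
        }
    }'
}

# avc_perms LINE: the permissions inside "denied { ... }", e.g. "read, write".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\(.*[^ ]\) *}.*/\1/p'
}

# ctx_type CONTEXT: the type field of user:role:type:range, e.g. cupsd_t.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: "source_t -> target_t (class): perms"
avc_summary() {
    printf '%s -> %s (%s): %s\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perms "$1")"
}

# boolean_unconfines NAME: true when NAME is one of the *_disable_trans
# booleans the reply describes, i.e. flipping it stops the domain transition
# and leaves the daemon running unconfined.
boolean_unconfines() {
    case "$1" in
        *_disable_trans) return 0 ;;
        *) return 1 ;;
    esac
}

# review_advice BOOLEAN LINE: warn if the proposed boolean removes confinement,
# then print the narrower checks to run on the real host before changing
# anything. The commands are only printed here, never executed; sesearch
# flag spellings differ between setools releases, so confirm with sesearch --help.
review_advice() {
    src=$(ctx_type "$(avc_field "$2" scontext)")
    tgt=$(ctx_type "$(avc_field "$2" tcontext)")
    cls=$(avc_field "$2" tclass)
    if boolean_unconfines "$1"; then
        printf 'WARNING: %s disables the transition into %s; the service would run unconfined.\n' "$1" "$src"
    fi
    printf 'Before touching the boolean, check on the host:\n'
    printf '  getsebool %s\n' "$1"
    printf '  sesearch -A -s %s -t %s -c %s\n' "$src" "$tgt" "$cls"
    printf '  audit2why < /var/log/audit/audit.log\n'
}

avc_summary "$AVC"
review_advice cupsd_disable_trans "$AVC"
```

Run as-is it prints "cupsd_t -> rpm_var_lib_t (file): read, write" followed by the warning about cupsd_disable_trans and the three commands to run on the host; the point is that a _disable_trans boolean is never a targeted fix for a single denial, so the denial itself (here, why cupsd_t touches rpm_var_lib_t at all) is what to investigate.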
