Whit Blauvelt wrote, On 05/25/2010 11:09 PM:
> On Tue, May 25, 2010 at 10:03:38PM -0400, Jason Pyeron wrote:
>
>> If you look at it as the two different commands, then they may have different
>> permissions, owners, contexts, etc...
>>
>> /bin/sh vs /etc/init.d/smb
>>
>> I am just logically guessing here but ...
>
> Let me follow your logic here. So the extra selinux labels differentiate
> what /bin/sh, as a shell, calling the /etc/init.d/smb script, can do from
> what /etc/init.d/smb, which in its first line invokes /bin/sh to run it, can
> do. Okay, that sort of makes sense.
>
> So with selinux, in general any script that selinux would stop from running
> due to the script's own extra selinux file tags can be run if Evil Intruder
> simply invokes the same script with its shell first - sh or perl or python
> or whatever? That counts as security? Through what? The obscurity of this
> devious workaround?
>

At least for some of us, delving into what and how selinux is working is a recipe for brain explosions. :) But there are some, like Daniel J Walsh & Stephen Smalley, who seem to be able to manage the deep diving into that system.

I am not sure if it is proper to ask RHEL/CentOS questions on the fedora list, but there is a selinux list hosted for fedora where some of the folks with the non-exploding brains hang out:
https://admin.fedoraproject.org/mailman/listinfo/selinux

You could at least ask there about a RHEL-specific list; I don't see a list specific to CentOS:
http://www.centos.org/modules/tinycontent/index.php?id=16

I see Daniel's emails on the fedora users and fedora test lists quite often, and he is reasonably personable in his suggestions, solutions and explanations (at least in my opinion).

If you get an answer that helps, please drop a URL pointer line back on this thread.

-- 
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter
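The mechanism behind the question quoted above is the SELinux domain transition at execve(): the kernel looks up a type_transition rule keyed on the caller's domain and the type of the file handed to execve(). When /etc/init.d/smb is the execve() target, its initrc_exec_t label drives the transition; when /bin/sh is the target (`sh /etc/init.d/smb`), the script is merely a file the shell reads afterwards, its label is never consulted, and the process stays in the caller's domain, still bound by that domain's own rules. The following Python is an added example written for this page, not code from anyone on the thread: the file labels and the two policy rules are constructed assumptions chosen to mirror the shape of a targeted policy (written in real type_transition syntax), not a dump of any actual policy.

```python
"""Toy resolver for SELinux execve() domain transitions.

Constructed example: a few policy rules in real type_transition syntax plus
assumed file labels, so that starting the smb init script directly can be
compared with starting it through an explicit `sh`.
"""
import re

# Assumed file labels for the example (on a real host: `ls -Z <path>`).
FILE_TYPES = {
    "/bin/sh": "shell_exec_t",
    "/etc/init.d/smb": "initrc_exec_t",
    "/usr/sbin/smbd": "smbd_exec_t",
}

# Assumed policy rules, in SELinux type_transition syntax:
#   type_transition <source_domain> <exec_file_type> : process <new_domain>;
POLICY = """
type_transition unconfined_t initrc_exec_t : process initrc_t;
type_transition initrc_t smbd_exec_t : process smbd_t;
"""

RULE_RE = re.compile(
    r"type_transition\s+(\w+)\s+(\w+)\s*:\s*process\s+(\w+)\s*;"
)


def parse_transitions(policy_text):
    """Return {(source_domain, exec_file_type): new_domain} from the rules."""
    return {(src, tgt): new for src, tgt, new in RULE_RE.findall(policy_text)}


def exec_domain(caller_domain, exec_path, transitions, file_types=FILE_TYPES):
    """Domain a process lands in after execve(exec_path) from caller_domain.

    Only the label of the file passed to execve() takes part in the lookup.
    With no matching rule the process simply stays in the caller's domain.
    """
    exec_type = file_types[exec_path]
    return transitions.get((caller_domain, exec_type), caller_domain)


def start_smb(caller_domain, argv, transitions):
    """Follow the chain: exec argv[0], then the script execs /usr/sbin/smbd.

    argv[0] is what execve() receives.  For `sh /etc/init.d/smb` that is
    /bin/sh (shell_exec_t); the script's initrc_exec_t label never enters
    the transition lookup, so no confined domain is ever entered.
    """
    script_domain = exec_domain(caller_domain, argv[0], transitions)
    smbd_domain = exec_domain(script_domain, "/usr/sbin/smbd", transitions)
    return script_domain, smbd_domain


if __name__ == "__main__":
    rules = parse_transitions(POLICY)
    for argv in (["/etc/init.d/smb"], ["/bin/sh", "/etc/init.d/smb"]):
        script_dom, smbd_dom = start_smb("unconfined_t", argv, rules)
        print(f"{' '.join(argv):24s} script: {script_dom:13s} smbd: {smbd_dom}")
```

On a real SELinux host the same two observations are made with `ls -Z /bin/sh /etc/init.d/smb /usr/sbin/smbd` for the file labels and `ps -eZ | grep smbd` for the domain the daemon actually ended up in after each way of starting it.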