Red Hat Bugzilla – Bug 158180
Describe problem, fix, or request for release notes
Last modified: 2007-04-18 13:26:00 EDT
Description of problem, bug, incorrect information, or enhancement request:
Under Overview of This Release, for SELinux, you list daemons protected by the
targeted policy in FC4. However, the list is somewhat misleading on two counts:
1) Several of these domains are given unconfined_domain() access in the targeted
policy and only exist as separate domains to help with proper domain transitions
into other domains or can otherwise transition to unconfined_t without real
restriction; hence, they are not truly 'protected' in any real sense by the
targeted policy (unlike strict). grep 'typeattribute.*unrestricted'
/etc/selinux/targeted/src/policy/policy.conf to see at least a partial list of
domains that aren't really restricted. Examples include crond, inetd, login,
rshd, udev, ?hotplug?.
2) Several of these domains are not for daemons at all. Examples of non-daemons
include checkpolicy, chkpwd, ?compat?, consoletype, dmidecode, fsadm, hostname,
hotplug, hwclock, ifconfig, init, initrc, kudzu, ldconfig, load_policy, ?login?,
modutil, netutils, restorecon, rpm, setfiles.
Hence, I'd recommend a thorough review of the list and pruning out
domains/programs that are not truly protected by targeted policy as well as
those that are not daemons.
Version of release notes this bug refers to:
Fedora Core 4 final release
This situation here has been overcome by events. Closing as WONTFIX since we
are no longer maintaining anything about FC4. Blocking master tracker so that
it is part of our statistics and doesn't entirely disappear from memory.