> We don't require turning off SELinux do we? All the central infrastructure has it enabled. Processes with no policy just run with the unconfined label.
Actually we do (we run in Permissive mode)... :-/
> Having a targeted policy would be nice if someone wants to sit down and work out a minimal ACL.
And it exists... it's just not been rolled into the packages at all. CentOS 7, for example, requires this to start up now:
allow radiusd_t self:capability sys_ptrace;
allow radiusd_t self:process ptrace;
allow radiusd_t var_lib_t:file { getattr open read write };
When it executes tidc, it requires some additional privileges too.
Stefan Paetow
Moonshot Industry & Research Liaison Coordinator
t: +44 (0)1235 822 125
gpg: 0x3FCE5142
skype: stefan.paetow.janet
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
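As an added example, not part of the thread or of any Moonshot/FreeRADIUS package, here is how the three allow rules quoted above can be packaged as a loadable SELinux module so radiusd_t can run Enforcing instead of leaving the whole host in Permissive mode. The module name (radiusd_local), the /tmp output path and the helper function names are assumptions. The extra privileges needed when radiusd executes tidc are not listed in the thread, so they are deliberately not included; the comments show how to collect them from the local audit log instead.

```shell
#!/bin/sh
# Added example (not from the thread): package the three allow rules quoted
# above as a loadable SELinux policy module for radiusd_t, so the daemon can
# run Enforcing instead of leaving the whole host in Permissive mode.
# Module name "radiusd_local" and the /tmp output path are assumptions.
# The tidc-related privileges mentioned in the thread are NOT included: they
# are not listed there, so collect them from your own audit log (see below).

MODULE_NAME="radiusd_local"

# Emit the type-enforcement (.te) source. The require block declares every
# type, class and permission the rules reference; without it checkmodule fails.
write_policy() {
    out="$1"
    cat > "$out" <<EOF
module ${MODULE_NAME} 1.0;

require {
    type radiusd_t;
    type var_lib_t;
    class capability sys_ptrace;
    class process ptrace;
    class file { getattr open read write };
}

# Rules from the thread: radiusd on CentOS 7 needs these to start.
allow radiusd_t self:capability sys_ptrace;
allow radiusd_t self:process ptrace;
allow radiusd_t var_lib_t:file { getattr open read write };
EOF
}

# Count the allow rules in a generated .te file; a cheap sanity check that the
# generated source carries exactly the rules we intended and nothing more.
count_allow_rules() {
    grep -c '^allow radiusd_t' "$1"
}

# Compile and load the module. Needs checkmodule, semodule_package and semodule
# (checkpolicy / policycoreutils on CentOS 7) and root; returns 2 if a tool is
# missing so the caller can tell "not installed" from a policy compile error.
build_and_install() {
    src="$1"
    for tool in checkmodule semodule_package semodule; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing $tool" >&2; return 2; }
    done
    base="${src%.te}"
    checkmodule -M -m -o "${base}.mod" "$src" &&
    semodule_package -o "${base}.pp" -m "${base}.mod" &&
    semodule -i "${base}.pp"
}

# Instead of host-wide Permissive mode, make only the radiusd_t domain
# permissive while gathering denials (including the tidc ones), generate the
# extra rules from the audit log, fold them into this module, then revert:
#   semanage permissive -a radiusd_t
#   ausearch -m AVC -c radiusd --raw | audit2allow -M radiusd_tidc
#   semanage permissive -d radiusd_t

if [ "${1:-}" = "install" ]; then
    write_policy "/tmp/${MODULE_NAME}.te"
    build_and_install "/tmp/${MODULE_NAME}.te"
fi
```

Run with `install` as the first argument on the SELinux host to generate, compile and load the module; without arguments it only defines the functions, which is what lets the policy source be reviewed before anything is loaded.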