On Mon, 2005-10-03 at 10:57 -0400, Steve Grubb wrote:
> On Monday 03 October 2005 10:38, Stephen Smalley wrote:
> > It seems wrong to have to make a previously non-suid program suid just for
> > the sake of adding audit functionality to it, thereby potentially exposing
> > the system to greater risk because of the greater privilege with which the
> > entire program code runs.
> What I was thinking of doing was to drop capabilities on startup and leave
> CAP_AUDIT_WRITE since that is all we are after. I see newrole uses pam and
> that swings in a lot of code. Still, it should be safe if we drop
> capabilities very early.
Even better if we put newrole into its own domain in the targeted policy
and only allow it to use that capability in the policy.
--
Stephen Smalley
National Security Agency
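Steve Grubb's proposal above (drop capabilities at startup and keep only CAP_AUDIT_WRITE, before PAM's code is reached), shown as an added illustration that is not code from this thread or from newrole. It uses the raw capget/capset syscalls so libcap is not needed; the cap_sets type and the function names are invented for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>   /* CAP_AUDIT_WRITE (bit 29), _LINUX_CAPABILITY_VERSION_3 */

/* Two 32-bit words of effective/permitted/inheritable bits: the v3 capget/capset layout.
 * (cap_sets is a name chosen for this example, not a kernel or libcap type.) */
typedef struct { struct __user_cap_data_struct w[2]; } cap_sets;

/* Read the calling process's current sets with the raw capget syscall (no libcap needed). */
int cap_get_current(cap_sets *out)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return syscall(SYS_capget, &hdr, out->w) == 0 ? 0 : -errno;
}

/* Pure computation: keep only `keep` in permitted and effective, and clear inheritable
 * so nothing crosses a later execve(). Intersecting with the current permitted set means
 * this can only drop capabilities, never grant one the process does not already hold. */
cap_sets cap_keep_only(const cap_sets *cur, int keep)
{
    cap_sets n = { { { 0, 0, 0 }, { 0, 0, 0 } } };
    int word = keep >> 5;                 /* capabilities 0-31 in w[0], 32-63 in w[1] */
    n.w[word].permitted = cur->w[word].permitted & (1u << (keep & 31));
    n.w[word].effective = n.w[word].permitted;
    return n;
}

/* Install the sets with capset. Do this before PAM or any other library code runs.
 * If the program also changes uid, set PR_SET_KEEPCAPS first, or the kernel clears
 * the permitted set on the uid change and CAP_AUDIT_WRITE is lost as well. */
int cap_apply(const cap_sets *s)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return syscall(SYS_capset, &hdr, s->w) == 0 ? 0 : -errno;
}

/* The early-startup call the thread proposes for newrole: everything but CAP_AUDIT_WRITE goes.
 * Returns 0 on success or a negative errno value. */
int drop_all_but_audit_write(void)
{
    cap_sets cur, n;
    int rc = cap_get_current(&cur);
    if (rc != 0)
        return rc;
    n = cap_keep_only(&cur, CAP_AUDIT_WRITE);
    return cap_apply(&n);
}
```

Run as an unprivileged user the result is an empty set, which is the same safety property: a process that does not already hold CAP_AUDIT_WRITE cannot acquire it this way.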