Christopher J. PeBenito
cpebenito at tresys.com
Wed Dec 3 07:15:07 CST 2008
On Tue, 2008-12-02 at 23:53 +0100, Konrad Azzopardi wrote:
> I am now confining SAMHAIN integrity checker with all features
> switched on. The daemon is spawning a "ps", and checking for
> hidden/fake/missing processes. The module works by searching the
> complete range of possible PIDs for processes, and comparing the list
> of processes thus found against the output of ps.
> Of course if I do not make a domain transition to bin_t everything is
> failing, but is bin_t too wide? What would be the best way to go
> around this, since ps is bin_t just like all the other binaries?
> Sorry I am still relatively new so this may be trivial but I guess
> bin_t is allowed to do a lot of things.
bin_t isn't a domain (process) type, it is a file type. You can't
transition a process to a file type. It sounds like these two rules
would be sufficient:
you might also need:
Tresys Technology, LLC
(410) 290-1411 x150