Subject: Re: veriexec: Incorrect access type.
To: None <current-users@netbsd.org>
From: Elad Efrat <elad@NetBSD.org>
List: current-users
Date: 07/27/2005 19:10:04
Hi,

The logic is fine, IMHO, preventing access to a file in a way it
was not specified for. This means that if you have an entry for
/bin/sh marked DIRECT (or not marked at all, implying DIRECT),
any indirect access to it, via shell script magic, will log a
warning.

In strict level 2, or ``IPS mode'', you will also be denied from
accessing it.

Since I do see a problem here (we have a binary that has the
potential of being accessed many times both directly and indirectly)
I suggest changing the logging to only when verbose (or highly
verbose?) mode is set.

-e.

--
Elad Efrat
PGP Key ID: 0x666EB914