Subject: Re: named_chrootdir and daily insecurity output
To: Greg Troxel <gdt@ir.bbn.com>
From: Geert Hendrickx <ghen@telenet.be>
List: netbsd-users
Date: 05/01/2006 17:30:10
On Mon, May 01, 2006 at 08:08:26AM -0400, Greg Troxel wrote:
> The only other approach I can think of is to change mtree to allow
> certain deviations, like mode 444 when it should be 644, and symlinks to
> a file/dir of the right type and mode.

I thought of this, but I suppose this will not survive an upgrade?  (i.e., I
have to redo this change after every update of the OS)

I'd prefer some sort of config option in /etc/security.conf, like
"skip_mtree=/etc/named.conf /etc/namedb".  I'll have a look at implementing
that.

It could be useful for other security false positives, too.  E.g., I set
looser permissions on some device nodes, like /dev/sd0* (for USB devices),
which also results in daily security messages.

	Geert
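An added example, not part of this thread and not NetBSD's own /etc/security script: a POSIX sh filter showing how a hypothetical skip_mtree setting like the one proposed above could suppress mtree report blocks for listed paths. The variable name skip_mtree, the functions path_is_skipped and filter_mtree_report, and the sample report are all assumptions constructed for illustration; the real mtree output format may differ.

```shell
#!/bin/sh
# Added example (not from the thread): drop mtree report blocks for paths
# listed in a hypothetical skip_mtree setting, as proposed in the message.

# Hypothetical setting, as it might appear in /etc/security.conf.
skip_mtree="/etc/named.conf /etc/namedb"

# path_is_skipped PATH
# Returns 0 if PATH equals, or lies under, an entry of $skip_mtree.
# Matching is by whole path component, so /etc/named.conf.bak is NOT
# covered by an entry /etc/named.conf.
path_is_skipped() {
    p="$1"
    for s in $skip_mtree; do
        case "$p" in
            "$s"|"$s"/*) return 0 ;;
        esac
    done
    return 1
}

# filter_mtree_report
# Reads an mtree-style report on stdin.  The assumed (constructed) layout:
# a line ending in ':' names a path relative to the mtree prefix (here /),
# and the indented lines that follow describe the deviations.  A block whose
# path is skipped is dropped entirely; everything else passes through.
filter_mtree_report() {
    skip=1
    while IFS= read -r line; do
        case "$line" in
            *:)
                rel=${line%:}          # strip trailing ':'
                rel=${rel#./}          # tolerate a leading './'
                if path_is_skipped "/$rel"; then
                    skip=1
                else
                    skip=0
                    printf '%s\n' "$line"
                fi
                ;;
            *)
                if [ "$skip" -eq 0 ]; then
                    printf '%s\n' "$line"
                fi
                ;;
        esac
    done
}

# sample_report
# Emits a constructed report with two skipped blocks and one that must
# still be reported (a world-writable /etc/passwd).
sample_report() {
    printf 'etc/named.conf:\n\tpermissions (0644, 0444)\n'
    printf 'etc/namedb/named.root:\n\ttype (file, link)\n'
    printf 'etc/passwd:\n\tpermissions (0644, 0666)\n'
}

# Stand-alone run: only the etc/passwd block should be printed.
sample_report | filter_mtree_report
```

Because matching is by path prefix, a directory entry such as /etc/namedb silences every deviation beneath it, so the narrower the skip list, the less of the daily integrity check is blinded.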