Subject: Re: veriexec: Incorrect access type.
To: None <current-users@netbsd.org>
From: Elad Efrat <elad@NetBSD.org>
List: current-users
Date: 07/27/2005 19:10:04
Hi,

The logic is fine, IMHO, preventing access to a file in a way it
was not specified for. This means that if you have an entry for
/bin/sh marked DIRECT (or not marked at all, implying DIRECT),
any indirect access to it, via shell script magic, will log a
warning.

In strict level 2, or ``IPS mode'', you will also be denied access
to it.

Since I do see a problem here (we have a binary that has the
potential of being accessed many times both directly and indirectly)
I suggest changing the logging to only when verbose (or highly
verbose?) mode is set.

-e.

-- 
Elad Efrat
PGP Key ID: 0x666EB914
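
[Added example, not part of the original message and not NetBSD's kernel code: a small C model of the access-type check as the message describes it, showing that gating the warning on verbose mode leaves the strict level 2 denial in place. All identifiers, the sample table, and the treatment of levels above 2 are assumptions made for illustration.]

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this sketch; they are not NetBSD's identifiers. */
enum access { ACC_DIRECT = 1, ACC_INDIRECT = 2 };
enum outcome { ALLOW, ALLOW_LOGGED, DENY, DENY_LOGGED };

struct entry { const char *path; int marked; /* 0 = not marked at all */ };

/* Constructed sample table: /bin/sh is left unmarked, which implies DIRECT. */
static const struct entry table[] = {
    { "/bin/sh", 0 },
    { "/usr/pkg/bin/interp", ACC_INDIRECT },
};

static enum outcome
check_access(const char *path, enum access how, int strict, int verbose)
{
    for (size_t i = 0; i < sizeof(table) / sizeof(table[0]); i++) {
        if (strcmp(table[i].path, path) != 0)
            continue;
        int allowed = table[i].marked ? table[i].marked : ACC_DIRECT;
        if (allowed & (int)how)
            return ALLOW;               /* access type matches the entry */
        /* Mismatch. Assumption: levels above 2 deny as level 2 does. */
        int deny = strict >= 2;
        /* Suggested change: the warning is emitted only in verbose mode. */
        if (verbose)
            return deny ? DENY_LOGGED : ALLOW_LOGGED;
        return deny ? DENY : ALLOW;     /* enforcement does not depend on logging */
    }
    return ALLOW;   /* paths with no entry are outside this sketch */
}

int main(void)
{
    static const char *names[] = { "allow", "allow+warn", "deny", "deny+warn" };
    for (int strict = 1; strict <= 2; strict++)
        for (int verbose = 0; verbose <= 1; verbose++)
            printf("strict=%d verbose=%d /bin/sh indirect -> %s\n", strict, verbose,
                names[check_access("/bin/sh", ACC_INDIRECT, strict, verbose)]);
    return 0;
}
```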