[redhat-lspp] multilevel cron

Casey Schaufler casey at schaufler-ca.com
Wed Aug 17 22:36:14 UTC 2005



--- Janak Desai <janak at us.ibm.com> wrote:

> So .. is there a need to make cron multi-role or
> multi-domain aware (in addition to multi level)? That
> is, is it desirable to allow a user joe to submit
> cron jobs from different roles/domains? Or should I
> just stick to the ability to submit jobs from
> different MLS/MCS labels?

Based on my experience with MLS systems
I would expect that you will have to deal
with roles/domains to the same degree that
the system does in general. Cron jobs that
perform system functions (e.g. log rotation)
really ought to live within the confines of
the role/domain responsible for said action.
That said, it's issues like this combined
with "business" factors that led us to
deemphasize roles in the Unix world. A
separate crontab for each relevant MAC
label is a pain, a crontab* for each role
at each label is serious reason to question
the wisdom of the scheme. If you really do
want the role/domain granularity that SELinux
is striving for I don't see how you would
want to skip this important part of the
system.

-------
* You may be using a mechanism other than
  a separate crontab per label, such as
  adding a field denoting what label with
  which to run the job. The work is about
  the same either way.



Casey Schaufler
casey at schaufler-ca.com
