[redhat-lspp] Re: [PATCH] cron changes needed for MLS range checking (requires at least the libselinux patches)

James Antill jantill at redhat.com
Wed Nov 8 23:47:25 UTC 2006


On Wed, 2006-11-08 at 17:13 -0500, Stephen Smalley wrote:

> Looks better.  A few nits:
> +	/*
> +	 * Since crontab files are not directly executed,
> +	 * crond must ensure that the crontab range has
> +	 * a context that is appropriate for the context of
> +	 * the user cron job.  It performs an entrypoint
> +	 * permission check for this purpose.
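
Review bot: In the second sentence of this comment, "the crontab range has a context that is appropriate" reads as if a range carried a context rather than a context carrying a range. The closing sentence also still names an entrypoint permission check, although the change is described as MLS range checking. Suggest rewording so the comment states whose range must be appropriate for whose context, and names the check the code under it actually performs.
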
> 
> cut-and-paste

 I did alter it a little, but I've altered it more now :).

> I wouldn't put tests of security_getenforce() on anything other than
> permission denials

 Done.

> +
> +	        *ucontextp = strdup(context_str(ccon));
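
Review bot: On the line "*ucontextp = strdup(context_str(ccon));", a heap copy is handed back through an out parameter, but nothing visible here says who frees it or what *ucontextp holds if the function fails. Suggest documenting that the caller owns the string, and setting *ucontextp to NULL on every error path so callers can free it unconditionally. The line is also indented with a tab followed by spaces, unlike the tab-indented comment lines above.
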
> 
> Needs checking of both the intermediate result (context_str return
> value) and strdup to avoid seg faulting on NULL.

 Ahh, I had copied the assumption that context_x() doesn't fail from
PAM ... I assumed it preallocated in context_new(). I'll fix PAM too.
 Attached is the latest cron patch.

-- 
James Antill <jantill at redhat.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: vixie-cron-4.1-_60-SELinux-contains-range.patch
Type: text/x-patch
Size: 7464 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/redhat-lspp/attachments/20061108/74faf087/attachment.bin>