[redhat-lspp] Re: [PATCH] cron changes needed for MLS range checking (requires at least the libselinux patches)

James Antill jantill at redhat.com
Thu Nov 9 16:28:00 UTC 2006


On Thu, 2006-11-09 at 10:57 -0500, Stephen Smalley wrote:
> On Thu, 2006-11-09 at 10:40 -0500, James Antill wrote:
> >  Because without enforcing mode we just ignore the problem and continue,
> > with it we error out. I think this is more of a theoretical assert type
> > problem anyway, but still.
> 
> That's my point - it seems like it is a bug regardless of whether we are
> permissive or enforcing, and should thus always return -1.  I'd only
> expect security_getenforce() to make a difference for error handling on
> permission checks.

 Well get_security_context() does the same thing if fgetfilecon(),
getseuserbyname()/get_default_context_with_level() or
cron_authorize_context() fail (which would lead to u->scontext being
NULL, AIUI), so I really wouldn't want to change it unless all those
changed in some way.

> Anyway, the patch looks sane at this point, although I'm not completely
> clear how it integrates into the existing pile of selinux-related
> patches in vixie-cron (it would help to consolidate them).

 I can't really do that, easily.

> What is your plan on the client (crontab program) side?  The old patch
> instrumented it to automatically insert a SELINUX_ROLE_TYPE= definition
> with the caller's context if a certain option was used to crontab; will
> you replace that with your new MLS_LEVEL= definition and the caller's
> current range or just drop it altogether and require the user to
> manually specify it in the crontab file?

 Atm. I've got a patch which changes the crontab command to only add the
level when -s is specified.

>   Am I correct in understanding
> that there can only be one MLS_LEVEL= definition per crontab file (for
> all cron jobs in that crontab)?

 Yes.

>   Can it go anywhere in the crontab file?

 Yes.

-- 
James Antill - <james.antill at redhat.com>
setsockopt(fd, IPPROTO_TCP, TCP_CONGESTION, ...);
setsockopt(fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, ...);
setsockopt(fd, SOL_SOCKET,  SO_ATTACH_FILTER, ...);
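A small audit check for the crontab-side rule discussed above (a single MLS_LEVEL= definition per crontab file, allowed anywhere in it), added here as an illustration; it is not code from vixie-cron or from the patch under discussion. It assumes the usual crontab environment-line syntax, NAME = VALUE with optional surrounding quotes, and operates on constructed input rather than a real spool file.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Result codes for the MLS_LEVEL= check (hypothetical, for this example). */
enum { MLS_OK = 0, MLS_NONE = 1, MLS_DUPLICATE = -1, MLS_EMPTY = -2 };

/* If `line` is an MLS_LEVEL= environment setting, copy its value into
 * `out` and return 1; for any other line (commands, comments, other
 * variables such as MLS_LEVELS=) return 0. */
static int parse_mls_line(const char *line, char *out, size_t outsz) {
    const char *p = line;
    while (*p == ' ' || *p == '\t') p++;
    if (strncmp(p, "MLS_LEVEL", 9) != 0) return 0;
    p += 9;
    while (*p == ' ' || *p == '\t') p++;
    if (*p != '=') return 0;                 /* e.g. MLS_LEVELS=... */
    p++;
    while (*p == ' ' || *p == '\t') p++;
    size_t n = strcspn(p, "\r\n");
    while (n > 0 && isspace((unsigned char)p[n - 1])) n--;   /* trailing ws */
    /* Assumption: a matching pair of quotes around the value is stripped,
     * as crontab does for environment lines. */
    if (n >= 2 && (p[0] == '"' || p[0] == '\'') && p[n - 1] == p[0]) { p++; n -= 2; }
    if (n >= outsz) n = outsz - 1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Walk a whole crontab text: exactly one MLS_LEVEL= line, anywhere in the
 * file, is accepted and its value returned in `level`. A second definition
 * is reported as MLS_DUPLICATE regardless of anything else in the file. */
int check_crontab_mls(const char *text, char *level, size_t levelsz) {
    int found = 0;
    const char *line = text;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512], val[256];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (parse_mls_line(buf, val, sizeof val)) {
            if (found) return MLS_DUPLICATE;
            if (val[0] == '\0') return MLS_EMPTY;
            found = 1;
            snprintf(level, levelsz, "%s", val);
        }
        line = nl ? nl + 1 : line + len;
    }
    return found ? MLS_OK : MLS_NONE;
}
```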
