Kyle Moffett wrote:
On Aug 12, 2007, at 15:41:46, Casey Schaufler wrote:
Your boolean solution requires more forthought than the Smack rule
solution, but I'll give it to you once you've fleshed out your "##"
lines.
How does it require more forethought? When I want to turn it on, I
write and load the 5 line policy then add the cronjobs. Yours
involves giving cron unconditional permission to write to your
security database (always a bad idea) and then adding similar cronjobs.
nit: without the selinux policy server (which is not production ready by
any means) we have to grant the same to cron in this case (or at least
to the domain that cron runs the cronjobs in). SELinux and Smack alike
need special permissions to modify the running policy, no surprises there.
-
To unsubscribe from this list: send the line "unsubscribe
linux-security-module" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
