On Thu, 2006-11-09 at 10:40 -0500, James Antill wrote:
> Because without enforcing mode we just ignore the problem and continue,
> with it we error out. I think this is more of a theoretical assert type
> problem anyway, but still.
That's my point - it seems like it is a bug regardless of whether we are permissive or enforcing, and should thus always return -1. I'd only expect security_getenforce() to make a difference for error handling on permission checks.

Anyway, the patch looks sane at this point, although I'm not completely clear how it integrates into the existing pile of selinux-related patches in vixie-cron (it would help to consolidate them).

What is your plan on the client (crontab program) side? The old patch instrumented it to automatically insert a SELINUX_ROLE_TYPE= definition with the caller's context if a certain option was used to crontab; will you replace that with your new MLS_LEVEL= definition and the caller's current range, or just drop it altogether and require the user to manually specify it in the crontab file?

Am I correct in understanding that there can only be one MLS_LEVEL= definition per crontab file (for all cron jobs in that crontab)? Can it go anywhere in the crontab file?

-- 
Stephen Smalley
National Security Agency

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
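The two points raised in this exchange, sketched as an added stand-alone example (this is not vixie-cron's code, nor the patch under review). It assumes that a crontab environment definition follows vixie-cron's NAME=value line syntax (spaces around the '=' and a quoted value allowed), that a crontab carries at most one MLS_LEVEL= definition that may appear on any line (the behaviour Smalley asks about, taken here as an assumption), and that the enforcing flag is passed in as a plain parameter where the daemon would call libselinux's security_getenforce(). A duplicated or malformed definition is treated as a bug and rejected in either mode; only a permission denial is made conditional on enforcing mode.

```c
/* Added example, not vixie-cron code. Assumes vixie-cron style NAME=value lines,
 * at most one MLS_LEVEL= per crontab, and `enforcing` supplied by the caller in
 * place of security_getenforce(). */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MLS_LEVEL_MAX 128

/* Parse one line. Returns 1 and copies the value if it defines MLS_LEVEL, 0 for a
 * comment, blank or other line, -1 if MLS_LEVEL is named but the value is empty
 * or too long (a malformed definition). */
static int parse_mls_line(const char *line, char *out, size_t outsz)
{
    const char *p = line;
    size_t len;

    while (isspace((unsigned char)*p))
        p++;
    if (*p == '\0' || *p == '#' || strncmp(p, "MLS_LEVEL", 9) != 0)
        return 0;
    p += 9;
    while (isspace((unsigned char)*p))
        p++;
    if (*p != '=')          /* e.g. MLS_LEVEL2=... is a different variable */
        return 0;
    p++;
    while (isspace((unsigned char)*p))
        p++;
    len = strlen(p);
    while (len > 0 && isspace((unsigned char)p[len - 1]))
        len--;              /* drop trailing whitespace */
    if (len >= 2 && ((p[0] == '"' && p[len - 1] == '"') ||
                     (p[0] == '\'' && p[len - 1] == '\''))) {
        p++;                /* drop matching quotes */
        len -= 2;
    }
    if (len == 0 || len >= outsz)
        return -1;
    memcpy(out, p, len);
    out[len] = '\0';
    return 1;
}

/* Scan a whole crontab. Returns 1 with the level in out and its 1-based line in
 * *def_line when exactly one definition exists, 0 when there is none, -1 when a
 * definition is malformed or repeated. The -1 case is a bug in the crontab and
 * is reported the same way whether SELinux is permissive or enforcing. */
int find_mls_level(const char *const *lines, size_t n, char *out, size_t outsz,
                   size_t *def_line)
{
    int found = 0;
    size_t i;

    for (i = 0; i < n; i++) {
        char tmp[MLS_LEVEL_MAX];
        int rc = parse_mls_line(lines[i], tmp, sizeof tmp);

        if (rc < 0)
            return -1;
        if (rc == 1) {
            if (found)
                return -1;  /* second MLS_LEVEL= definition */
            found = 1;
            if (def_line)
                *def_line = i + 1;
            snprintf(out, outsz, "%s", tmp);
        }
    }
    return found;
}

/* Decide whether a job may run. level_rc is find_mls_level()'s result and
 * perm_denied the outcome of the SELinux permission check for the job's context.
 * A bug (level_rc < 0) always fails; a permission denial fails only in enforcing
 * mode, which is the only place the enforcing flag should matter. */
int job_disposition(int level_rc, int perm_denied, int enforcing)
{
    if (level_rc < 0)
        return -1;
    if (perm_denied)
        return enforcing ? -1 : 0;
    return 0;
}

/* Constructed sample crontabs, not real user data. */
static const char *const good_tab[] = {
    "# constructed sample crontab",
    "SHELL=/bin/sh",
    "0 2 * * * /usr/local/bin/backup",
    "MLS_LEVEL = \"s0-s15:c0.c1023\"",
    "30 3 * * * /usr/local/bin/rotate",
};
static const char *const dup_tab[] = { "MLS_LEVEL=s0", "0 2 * * * /bin/true", "MLS_LEVEL=s1" };
static char level_buf[MLS_LEVEL_MAX];
static size_t level_line;

int main(void)
{
    int rc = find_mls_level(good_tab, sizeof good_tab / sizeof good_tab[0],
                            level_buf, sizeof level_buf, &level_line);
    printf("good_tab: rc=%d level=%s line=%zu\n", rc, level_buf, level_line);
    rc = find_mls_level(dup_tab, sizeof dup_tab / sizeof dup_tab[0],
                        level_buf, sizeof level_buf, &level_line);
    printf("dup_tab: rc=%d (duplicate is a bug in any mode)\n", rc);
    printf("denied job: permissive -> %d, enforcing -> %d\n",
           job_disposition(1, 1, 0), job_disposition(1, 1, 1));
    return 0;
}
```

The split between the two return paths is the point: find_mls_level() never consults the enforcing flag, so a broken crontab is caught during development on a permissive box rather than surfacing only once enforcing is switched on, while job_disposition() keeps the permissive/enforcing distinction confined to the actual permission check.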
