On Thu, 2006-11-09 at 10:57 -0500, Stephen Smalley wrote:
> On Thu, 2006-11-09 at 10:40 -0500, James Antill wrote:
> > Because without enforcing mode we just ignore the problem and continue,
> > with it we error out. I think this is more of a theoretical assert type
> > problem anyway, but still.
>
> That's my point - it seems like it is a bug regardless of whether we are
> permissive or enforcing, and should thus always return -1. I'd only
> expect security_getenforce() to make a difference for error handling on
> permission checks.

Well get_security_context() does the same thing if fgetfilecon(),
getseuserbyname()/get_default_context_with_level() or
cron_authorize_context() fail (which would lead to u->scontext being
NULL, AIUI), so I really wouldn't want to change it unless all those
changed in some way.

> Anyway, the patch looks sane at this point, although I'm not completely
> clear how it integrates into the existing pile of selinux-related
> patches in vixie-cron (it would help to consolidate them).

I can't really do that, easily.

> What is your plan on the client (crontab program) side? The old patch
> instrumented it to automatically insert a SELINUX_ROLE_TYPE= definition
> with the caller's context if a certain option was used to crontab; will
> you replace that with your new MLS_LEVEL= definition and the caller's
> current range or just drop it altogether and require the user to
> manually specify it in the crontab file?

Atm. I've got a patch which changes the crontab command to only add the
level when -s is specified.

> Am I correct in understanding
> that there can only be one MLS_LEVEL= definition per crontab file (for
> all cron jobs in that crontab)?

Yes.

> Can it go anywhere in the crontab file?

Yes.

-- 
James Antill - <[EMAIL PROTECTED]>
setsockopt(fd, IPPROTO_TCP, TCP_CONGESTION, ...);
setsockopt(fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, ...);
setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER, ...);
-- redhat-lspp mailing list [email protected] https://www.redhat.com/mailman/listinfo/redhat-lspp
