Domains, interpreted languages, and Cron scripts

Stephen Smalley sds at epoch.ncsc.mil
Mon Aug 16 18:54:44 UTC 2004


On Mon, 2004-08-16 at 14:33, Bill McCarty wrote:
> It does seem reasonable to avoid domain transitions whereby someone could 
> gain permissions. But, Cron isn't all powerful and so I must allow one or 
> more domain transitions that selectively add permissions. Otherwise, I'd 
> have to extend Cron itself an unacceptably extensive range of permissions.

True.  A better statement would be "domain transitions on scripts should
only be done when the caller is trusted not to abuse them."

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency




More information about the fedora-selinux-list mailing list