Domains, interpreted languages, and Cron scripts
Stephen Smalley
sds at epoch.ncsc.mil
Mon Aug 16 18:54:44 UTC 2004
On Mon, 2004-08-16 at 14:33, Bill McCarty wrote:
> It does seem reasonable to avoid domain transitions whereby someone could
> gain permissions. But, Cron isn't all powerful and so I must allow one or
> more domain transitions that selectively add permissions. Otherwise, I'd
> have to extend Cron itself an unacceptably extensive range of permissions.
True. A better statement would be "domain transitions on scripts should
only be done when the caller is trusted not to abuse them."
--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency