[redhat-lspp] Re: [PATCH] cron changes needed for MLS range checking (requires at least the libselinux patches)
Stephen Smalley
sds at tycho.nsa.gov
Wed Nov 8 14:04:28 UTC 2006
On Tue, 2006-11-07 at 17:02 -0500, James Antill wrote:
> I think this is what we want for the cron patch. It's basically doing
> the same checks as the PAM patches. It also limits what the user can
> change to just the MLS range.
> At the moment I've just copied the original functions that need to be
> replaced, so you can see the old vs. the new. As the final commit the
> old ones should probably just die.
> I've also kept the name SELINUX_ROLE_TYPE, I'm not sure if it should be
> changed to SELINUX_ROLE_RANGE or something else?
As I understood it, you were only going to allow level specification,
not user/role/domain, so it would just be SELINUX_LEVEL or MLS_LEVEL or
similar.
As in the pam case, you should be checking between a context for the
user with the seusers-specified range and a context for the user with
the user-specified level. Your patch doesn't seem to match that
description - it refers to a file context as the target.
Also, the function that performs the setexeccon (which you call
cron_change_selinux_range) is more general - it is supposed to set the
entire user context appropriately for the user on whose behalf cron is
running a job.
--
Stephen Smalley
National Security Agency
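The containment check Stephen describes, as an added example that is not from this thread or from the cron/PAM patches: the real patch hands the kernel a context carrying the seusers-specified range and a context carrying the user-specified level and lets the kernel decide whether the first contains the second, while this self-contained C model re-implements the MLS rule behind that decision (a range contains another when the requested low level dominates the seusers low and the seusers high dominates the requested high, where dominance means sensitivity at least as high and a superset of categories). The range syntax `sN[:cA.cB,cC]`, the 1024-category bound and the `range_allowed` name are this example's own assumptions.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#define MAXCAT 1024
/* One MLS level: a sensitivity number plus a category bitmap (model only). */
struct level { int sens; unsigned char cats[MAXCAT / 8]; };
/* Parse "s1:c0.c3,c7" (sensitivity, optional categories) into a level. */
static bool parse_level(const char *s, struct level *lv)
{
    char *end; memset(lv, 0, sizeof *lv);
    if (*s != 's') return false;
    lv->sens = (int)strtol(s + 1, &end, 10);
    if (end == s + 1) return false;
    if (*end != ':') return *end == '\0';       /* no category part */
    for (const char *p = end + 1; *p; p = end) {
        if (*p != 'c') return false;
        long lo = strtol(p + 1, &end, 10), hi = lo;
        if (end == p + 1) return false;
        if (*end == '.' && end[1] == 'c') hi = strtol(end + 2, &end, 10); /* cN.cM */
        if (lo < 0 || hi < lo || hi >= MAXCAT) return false;
        for (long c = lo; c <= hi; c++) lv->cats[c / 8] |= 1 << (c % 8);
        if (*end == ',') end++; else if (*end) return false;
    }
    return true;
}
/* a dominates b: sensitivity at least as high and a superset of categories. */
static bool dominates(const struct level *a, const struct level *b)
{
    if (a->sens < b->sens) return false;
    for (size_t i = 0; i < sizeof a->cats; i++)
        if (b->cats[i] & ~a->cats[i]) return false;
    return true;
}
/* Parse "low-high"; a single level means low == high. */
static bool parse_range(const char *s, struct level *lo, struct level *hi)
{
    char buf[256], *dash;
    if (strlen(s) >= sizeof buf) return false;
    strcpy(buf, s);
    if ((dash = strchr(buf, '-'))) *dash = '\0';
    return parse_level(buf, lo) && parse_level(dash ? dash + 1 : buf, hi);
}
/* 1 if the seusers range contains the user-requested range, else 0. */
int range_allowed(const char *seusers_range, const char *requested)
{
    struct level slo, shi, rlo, rhi;
    if (!parse_range(seusers_range, &slo, &shi) || !parse_range(requested, &rlo, &rhi))
        return 0;
    return dominates(&rhi, &rlo) && dominates(&rlo, &slo) && dominates(&shi, &rhi);
}
```

A user asking for a level outside the seusers range, a malformed range, or a range whose high does not dominate its low is refused, which is the behaviour cron needs before calling setexeccon with the user's chosen level.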