[redhat-lspp] Re: [PATCH] cron changes needed for MLS range checking (requires at least the libselinux patches)

Stephen Smalley sds at tycho.nsa.gov
Thu Nov 9 15:57:48 UTC 2006


On Thu, 2006-11-09 at 10:40 -0500, James Antill wrote:
>  Because without enforcing mode we just ignore the problem and continue,
> with it we error out. I think this is more of a theoretical assert type
> problem anyway, but still.

That's my point - it seems like it is a bug regardless of whether we are
permissive or enforcing, and should thus always return -1.  I'd only
expect security_getenforce() to make a difference for error handling on
permission checks.

Anyway, the patch looks sane at this point, although I'm not completely
clear how it integrates into the existing pile of selinux-related
patches in vixie-cron (it would help to consolidate them).

What is your plan on the client (crontab program) side?  The old patch
instrumented it to automatically insert a SELINUX_ROLE_TYPE= definition
with the caller's context if a certain option was used to crontab; will
you replace that with your new MLS_LEVEL= definition and the caller's
current range or just drop it altogether and require the user to
manually specify it in the crontab file?  Am I correct in understanding
that there can only be one MLS_LEVEL= definition per crontab file (for
all cron jobs in that crontab)?  Can it go anywhere in the crontab file?

-- 
Stephen Smalley
National Security Agency
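The error-handling rule argued for above (an internal bug always fails; security_getenforce() only decides whether a permission denial is fatal), as an added C example that is not code from vixie-cron or from this thread. security_getenforce() and the access check are replaced by constructed stand-ins so it runs offline, and the assumed format is a single `MLS_LEVEL=<range>` line.

```c
/* Added example, not vixie-cron code: keep "real errors" and
 * "permission denials" on separate paths, as the thread suggests. */
#include <stdio.h>
#include <string.h>

/* Stand-in for security_getenforce(): 1 = enforcing, 0 = permissive. */
static int g_enforcing = 1;
static int fake_getenforce(void) { return g_enforcing; }
void set_enforcing(int on) { g_enforcing = on; }

/* Stand-in for the policy access check: 0 = granted, -1 = denied.
 * Constructed rule: only ranges starting at s0 are permitted. */
static int fake_permission_check(const char *range) {
    return strncmp(range, "s0", 2) == 0 ? 0 : -1;
}

/* Extract the value of an assumed "MLS_LEVEL=<range>" crontab line.
 * Returns 1 and copies the range into out, or 0 if absent/malformed. */
int parse_mls_level(const char *line, char *out, size_t outlen) {
    const char *prefix = "MLS_LEVEL=";
    size_t plen = strlen(prefix);
    if (strncmp(line, prefix, plen) != 0) return 0;
    const char *val = line + plen;
    size_t n = strcspn(val, "\n");
    if (n == 0 || n >= outlen) return 0;   /* empty or oversized value */
    memcpy(out, val, n);
    out[n] = '\0';
    return 1;
}

/* Decide whether a job may run with the requested range.
 * Returns 0 to run the job, -1 to refuse it. */
int check_job_range(const char *mls_line) {
    char range[64];
    if (!parse_mls_level(mls_line, range, sizeof range)) {
        /* Malformed definition is a bug/input error: fail in every mode. */
        fprintf(stderr, "bad MLS_LEVEL definition: %s\n", mls_line);
        return -1;
    }
    if (fake_permission_check(range) < 0) {
        /* Policy denial: fatal only when enforcing, logged otherwise. */
        fprintf(stderr, "range %s denied by policy\n", range);
        return fake_getenforce() ? -1 : 0;
    }
    return 0;
}
```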