From: James Antill <jantill@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: redhat-lspp <redhat-lspp@redhat.com>, SE Linux <selinux@tycho.nsa.gov>
Subject: Re: [PATCH] cron changes needed for MLS range checking (requires at least the libselinux patches)
Date: Thu, 09 Nov 2006 11:28:00 -0500 [thread overview]
Message-ID: <1163089680.29854.35.camel@code.and.org> (raw)
In-Reply-To: <1163087868.12241.327.camel@moss-spartans.epoch.ncsc.mil>
On Thu, 2006-11-09 at 10:57 -0500, Stephen Smalley wrote:
> On Thu, 2006-11-09 at 10:40 -0500, James Antill wrote:
> > Because without enforcing mode we just ignore the problem and continue,
> > with it we error out. I think this is more of a theoretical assert type
> > problem anyway, but still.
>
> That's my point - it seems like it is a bug regardless of whether we are
> permissive or enforcing, and should thus always return -1. I'd only
> expect security_getenforce() to make a difference for error handling on
> permission checks.
Well, get_security_context() does the same thing if fgetfilecon(),
getseuserbyname()/get_default_context_with_level() or
cron_authorize_context() fail (which would lead to u->scontext being
NULL, AIUI), so I really wouldn't want to change it unless all those
changed in some way.
> Anyway, the patch looks sane at this point, although I'm not completely
> clear how it integrates into the existing pile of selinux-related
> patches in vixie-cron (it would help to consolidate them).
I can't really do that, easily.
> What is your plan on the client (crontab program) side? The old patch
> instrumented it to automatically insert a SELINUX_ROLE_TYPE= definition
> with the caller's context if a certain option was used to crontab; will
> you replace that with your new MLS_LEVEL= definition and the caller's
> current range or just drop it altogether and require the user to
> manually specify it in the crontab file?
Atm. I've got a patch which changes the crontab command to only add the
level when -s is specified.
> Am I correct in understanding
> that there can only be one MLS_LEVEL= definition per crontab file (for
> all cron jobs in that crontab)?
Yes.
> Can it go anywhere in the crontab file?
Yes.
--
James Antill - <james.antill@redhat.com>
setsockopt(fd, IPPROTO_TCP, TCP_CONGESTION, ...);
setsockopt(fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, ...);
setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER, ...);
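The crontab-side rule James describes (a single MLS_LEVEL= definition that may sit on any line) together with a simplified version of the range check the daemon has to perform before running a job at that level, as an added example that is not code from vixie-cron or the patch under discussion. The sample crontab, the numeric s/c level grammar, and the helper names are assumptions.

```python
import re
# Constructed sample crontab (not from the thread); MLS_LEVEL= sits between jobs.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
0 2 * * * /usr/local/bin/backup.sh
MLS_LEVEL=s0:c1,c3
30 4 * * 1 /usr/local/bin/report.sh
"""
_LEVEL_LINE = re.compile(r'^\s*MLS_LEVEL\s*=\s*"?([^"#]*?)"?\s*$')

def find_mls_level(crontab_text):
    """Return the single MLS_LEVEL= value, or None if the crontab has none.
    The definition may sit on any line; a second one is rejected."""
    levels = [m.group(1) for m in map(_LEVEL_LINE.match, crontab_text.splitlines()) if m]
    if len(levels) > 1:
        raise ValueError("more than one MLS_LEVEL= definition in crontab")
    return levels[0] if levels else None

def parse_level(level):
    """Parse 'sN[:cA[.cB][,cC...]]' into (sensitivity, frozenset of category numbers).
    Assumption: numeric s/c names as in the default MLS policy, not aliases."""
    sens, _, cats = level.partition(':')
    if not re.fullmatch(r's\d+', sens):
        raise ValueError("bad sensitivity in level: " + level)
    categories = set()
    for part in filter(None, cats.split(',')):
        lo, _, hi = part.partition('.')          # 'c0.c3' is the range c0..c3
        lo_n, hi_n = int(lo[1:]), int((hi or lo)[1:])
        categories.update(range(lo_n, hi_n + 1))
    return int(sens[1:]), frozenset(categories)

def dominates(a, b):
    """MLS dominance: a >= b in sensitivity and a's categories are a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]

def level_in_range(level, user_range):
    """True if low <= level <= high (under dominance) for a range 'low[-high]'."""
    low_s, _, high_s = user_range.partition('-')
    low, high = parse_level(low_s), parse_level(high_s or low_s)
    req = parse_level(level)
    return dominates(req, low) and dominates(high, req)

def authorize_crontab(crontab_text, user_range):
    """Return the level the jobs should run at, or None when the crontab sets none.
    Raises PermissionError when the requested level is outside the user's range."""
    level = find_mls_level(crontab_text)
    if level is not None and not level_in_range(level, user_range):
        raise PermissionError("MLS_LEVEL=%s is outside range %s" % (level, user_range))
    return level
```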