On Aug 12, 2007, at 22:36:15, Joshua Brindle wrote:
Kyle Moffett wrote:
On Aug 12, 2007, at 15:41:46, Casey Schaufler wrote:
Your boolean solution requires more forthought than the Smack
rule solution, but I'll give it to you once you've fleshed out
your "##" lines.
How does it require more forethought? When I want to turn it on,
I write and load the 5 line policy then add the cronjobs. Yours
involves giving cron unconditional permission to write to your
security database (always a bad idea) and then adding similar
cronjobs.
nit: without the selinux policy server (which is not production
ready by any means) we have to grant the same to cron in this case
(or at least to the domain that cron runs the cronjobs in). SELinux
and Smack alike need special permissions to modify the running
policy, no surprises there.
Yeah, I figured this out a couple minutes ago. Turns out you can get
a similar effect with a little properly labeled shell script though
(text included in my last email), but it does decrease overall system
security.
Cheers,
Kyle Moffett
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
