From: Kyle Moffett
To: Joshua Brindle
Cc: casey@schaufler-ca.com, linux-security-module@vger.kernel.org, LKML Kernel
Subject: Re: [PATCH] Smack: Simplified Mandatory Access Control Kernel
Date: Sun, 12 Aug 2007 22:45:38 -0400

On Aug 12, 2007, at 22:36:15, Joshua Brindle wrote:
> Kyle Moffett wrote:
>> On Aug 12, 2007, at 15:41:46, Casey Schaufler wrote:
>>> Your boolean solution requires more forethought than the Smack
>>> rule solution, but I'll give it to you once you've fleshed out
>>> your "##" lines.
>>
>> How does it require more forethought? When I want to turn it on,
>> I write and load the 5 line policy then add the cronjobs. Yours
>> involves giving cron unconditional permission to write to your
>> security database (always a bad idea) and then adding similar
>> cronjobs.
>
> nit: without the selinux policy server (which is not production
> ready by any means) we have to grant the same to cron in this case
> (or at least to the domain that cron runs the cronjobs in). SELinux
> and Smack alike need special permissions to modify the running
> policy, no surprises there.

Yeah, I figured this out a couple minutes ago. Turns out you can get
a similar effect with a little properly labeled shell script though
(text included in my last email), but it does decrease overall system
security.

Cheers,
Kyle Moffett