From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 27 May 2009 12:01:45 -0400
Subject: [refpolicy] appconfig-mcs_user_u_default_contexts.patch
In-Reply-To: <4A1D5C0D.3030209@redhat.com>
References: <4A15675E.9090009@redhat.com> <1243430726.5421.12.camel@gorn> <4A1D5C0D.3030209@redhat.com>
Message-ID: <1243440107.5421.80.camel@gorn>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2009-05-27 at 11:28 -0400, Daniel J Walsh wrote:
> On 05/27/2009 09:25 AM, Christopher J. PeBenito wrote:
> > On Thu, 2009-05-21 at 10:38 -0400, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F11/appconfig-mcs_user_u_default_contexts.patch
> >>
> >> user_u runs cronjobs as user_t
> >
> > Fedora-specific.
> >
> Please justify cronjobs running as something other than the default user
> type?

A cronjob domain makes it possible to have a subset of user privileges
for cron jobs. I understand your reasons for running them in the user
domain, but as we have discussed before, upstream tends to lean towards
the more restrictive side as it is easy to make the policy looser (as
evidenced by the fairly trivial patch that makes it work the way you
want).

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150