Domains, interpreted languages, and Cron scripts
Bill McCarty
bmccarty at pt-net.net
Mon Aug 16 18:33:27 UTC 2004
Hi Stephen,
--On Monday, August 16, 2004 9:14 AM -0400 Stephen Smalley
<sds at epoch.ncsc.mil> wrote:
> Just as a reminder, domain transitions on scripts should only be done
> when shedding permissions.
I'm not sure that I understand. So, please pardon my flailing at the issue.
I have a feeling that I'm missing important context <g>.
It does seem reasonable to avoid domain transitions whereby someone could
gain permissions. But, Cron isn't all powerful and so I must allow one or
more domain transitions that selectively add permissions. Otherwise, I'd
have to extend Cron itself an unacceptably extensive range of permissions.
Cheers,
--
Bill McCarty, Ph.D.
Professor of Information Technology
Azusa Pacific University
More information about the selinux
mailing list