On 01/21/2013 03:42 PM, Daniel J Walsh wrote:
> On 01/21/2013 01:26 PM, Jean-David Beyer wrote:
>> These semanage things take a long time. I have a 4-core 1.8 GHz
>> Xeon processor. They tend to hog an entire core for around (but
>> less than) a minute. What is it doing with all that time? Do
>> they have to hit a database for each program and file in the
>> system or something?
>>
>>> We do not currently allow log files mailed off the system by
>>> the system mailer. I guess we could add a boolean for this,
>>> but I do not believe we should allow this by default.
>>
>> Was this in response to something I said? Because, if so, I
>> forgot what I may have said that prompted this.
>>
>> In the future, I will be wanting to use shell scripts to send
>> e-mails from one computer to another on my l.a.n. Right now, I
>> cannot do it because I am running the default firewall that comes
>> with RHEL 6 and CentOS 5. I certainly can SSH files between the
>> machines with no trouble, since the default firewall allows that.
>> And apparently so does SELinux. I know I can e-mail stuff off my
>> machine using Thunderbird, and I do not suppose anything stops me
>> from attaching a log file, though I never tried that.
>
> Well the AVC you were showing was emailing a cron log file. Which
> SELinux blocks and you overrode with a policy module which is fine.
> My point was we Fedora/RHEL do not allow this by default and
> allow customers/users to override the defaults.

OK. That is your policy.

What follows is not a disagreement nor is it a request to change the
default policy, but a bona-fide question.

Why do you, by default, not allow customers, users, to mail a cron log
file? I can even do it if I run the cron script as super user and not
anacron. Can you clarify the distinction between root sending an
e-mail in a script and anacron sending the same e-mail in the same script?

Since I had to be root in the first place to even put a cron script
into the cron.daily directory. If I am allowed to create that file,
and look at that file, what is the reason for the default policy
preventing me from doing that?

As a practical matter, that file contains only the results of trying
to make a backup, saying (in the example case) that it went OK and the
number of blocks written. Of course, I could have written something
sensitive in there too, and perhaps it is too much trouble (overhead)
for SELinux to figure that out; I admit it would be.