New to this list, and new to SELinux.

Jean-David Beyer jeandavid8 at verizon.net
Mon Jan 21 21:10:05 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/21/2013 03:42 PM, Daniel J Walsh wrote:
> On 01/21/2013 01:26 PM, Jean-David Beyer wrote:

>> These semanage things take a long time. I have a 4-core 1.8 GHz
>> Xeon processor. They tend to hog an entire core for around (but
>> less than) a minute. What is it doing with all that time? Do
>> they have to hit a database for each program and file in the
>> system or something?
> 
>>> We do not currently allow log files mailed off the system by
>>> the system mailer.  I guess we could add a boolean for this.
>>> but I do not believe we should allow this by default.
> 
>> Was this in response to something I said? Because, if so, I
>> forgot what I may have said that prompted this.
> 
>> In the future, I will be wanting to use shell scripts to send
>> e-mails from one computer to another on my l.a.n. Right now, I
>> cannot do it because I am running the default firewall that comes
>> with RHEL 6 and CentOS 5. I certainly can SSH files between the
>> machines with no trouble, since the default firewall allows that.
>> And apparently so does SELinux. I know I can e-mail stuff off my
>> machine using Thunderbird, and I do not suppose anything stops me
>> from attaching a log file, though I never tried that.
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
> 
> Well, the AVC you were showing was emailing a cron log file, which
> SELinux blocks and you overrode with a policy module, which is fine.
> My point was that we, Fedora/RHEL, do not allow this by default and
> allow customers/users to override the defaults.
> 
OK. That is your policy.

What follows is not a disagreement nor is it a request to change the
default policy, but a bona-fide question.

Why do you, by default, not allow customers, users, to mail a cron log
file? I can even do it if I run the cron script as super user and not
anacron. Can you clarify the distinction between root sending an
e-mail in a script and anacron sending the same e-mail in the same script?

Since I had to be root in the first place to even put a cron script
into the cron.daily directory, if I am allowed to create that file
and look at that file, what is the reason for the default policy
preventing me from doing that?

As a practical matter, that file contains only the results of trying
to make a backup, saying (in the example case) that it went OK and the
number of blocks written. Of course, I could have written something
sensitive in there too, and perhaps it is too much trouble (overhead)
for SELinux to figure that out; I admit it would be.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJQ/a6pAAoJEBZthAoMYQyLT9kIAN7zmJocv4IAhwmyvUt1o6jU
3o0GFqY9LIIa11YAIhGEawiJCCWoEoWzKU2xNT1vfcNpV/fHxCITsUwcPFTfNp0k
0Tv8xHpkg414n7t4v0EYkFOaTpMobY6yT/IuG1Cg8GkTkTWMjF2o2wulKoZV+hM/
gIpFbjcEAAW9eulWQYBKHzEJ2GEksD/mfCSXnV6nOx7iuXUPTwcTIJ8Z47xN21II
gN1qeCpZ/f0k5We6Hx/uYNgp1CaPxLHZQj+EP7jXt17qfebiXvC4Wm2P/PGwF1ea
OyNodaYOGkM5Qod3E3NxkjHycIF3/yXVLsvAGHAqMOmFCsTebyShYiQPPOZ5kgw=
=jOBl
-----END PGP SIGNATURE-----
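The thread above turns on an AVC denial (the system mailer, started from a cron job, being refused access to the job's log file) and on the policy module that was written to override it. The following script is an added example, not code from the thread or from the SELinux project: it parses audit records of that shape, groups the denials by source type, target type and object class, and renders the `allow` rules that a tool such as `audit2allow` would derive from them. The audit lines, the process name, the path and the type names (`system_mail_t`, `cron_log_t`) are constructed placeholders modelled on Fedora/RHEL naming, not records captured from the poster's machine.

```python
import re
from collections import defaultdict

# Constructed sample audit records (placeholders, not captured from a real
# system). They model the case discussed in the thread: sendmail, run by a
# cron job, is denied read/open on the job's log file. The SYSCALL record is
# included to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1358801234.123:456): avc:  denied  { read } for  pid=1234 comm="sendmail" path="/var/log/backup.log" dev=dm-0 ino=12345 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
type=AVC msg=audit(1358801234.125:457): avc:  denied  { open } for  pid=1234 comm="sendmail" path="/var/log/backup.log" dev=dm-0 ino=12345 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
type=SYSCALL msg=audit(1358801234.125:457): arch=c000003e syscall=2 success=no exit=-13 comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
"""

# One AVC denial: the permission set in braces, then the source and target
# security contexts and the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for an AVC denial,
    or None for any other audit record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # A context is user:role:type[:range]; the type is the third field.
    src = m.group('scontext').split(':')[2]
    tgt = m.group('tcontext').split(':')[2]
    return src, tgt, m.group('tclass'), set(m.group('perms').split())


def summarize_denials(log_text):
    """Group denials by (source type, target type, class) and merge the
    permissions that were refused for each group."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed is not None:
            src, tgt, cls, perms = parsed
            summary[(src, tgt, cls)] |= perms
    return dict(summary)


def allow_rules(summary):
    """Render each group as the type-enforcement 'allow' line a generated
    policy module would contain; review these before loading anything."""
    rules = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        rules.append(f'allow {src} {tgt}:{cls} {{ {" ".join(sorted(perms))} }};')
    return rules


if __name__ == '__main__':
    for rule in allow_rules(summarize_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

On a real host the input would come from `ausearch -m AVC -ts recent` rather than the embedded sample. The grouped summary is the useful part for the question raised in the thread: the source type tells you which domain (the mailer started by the cron daemon, not the root shell) was refused, and the merged permission set shows exactly how narrow an override needs to be. Before loading a generated module, check whether an existing boolean already covers the case (`semanage boolean -l`, `getsebool -a`), since a boolean is reversible and documented where a custom `allow` rule is neither.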