On Sun, 15 Aug 2004 16:03, Colin Walters <walters@xxxxxxxxxx> wrote:
> > One idea: Would it be a good thing to modify Run-parts to transition to a
> > domain named for the Cron script it launches? Doing so would seem to
> > solve my problem, but it might create others <g>.
>
> I don't think it's necessary to modify run-parts. Instead, inside the
> definition of your foo_script.te file, do something like:

Absolutely. More than being unnecessary, it's also exceedingly painful to go and modify lots of programs such as run-parts.

If we did modify run-parts to use a domain name based on the file name, then run-parts would need code to map the file name to the domain name, thus removing policy decisions from the policy database in the kernel and putting them in the application.

Someone who used to work on a different trusted OS project told me that he thought that the SE Linux design of putting everything in the policy is absolutely the right thing to do; he had considerable experience with doing these things as C code compiled into binaries and found it not to be effective.

An on-going topic of discussion on the main SE Linux list for years has been about what other modifications should be made to applications. Most of the suggestions have been rejected (including some of mine).

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page