David Hampton wrote:
On Tue, 2005-03-15 at 09:20 -0500, Daniel J Walsh wrote:
Why did you create a yam_crond_t? Why not just transition to yam_t from
crond?
When I first started working on the policy I was trying to be as
restrictive as possible and differentiate between what peripheral files
could be opened when running yam from the command line vs. when running
from cron. For example, the cron version requires less access to the
terminal and no access to a ssh file descriptor. The two instances also
try reading their dot files from different directories.
I wrote this policy just after writing an exim policy that distinguished
between user, sysadm, and system invocations of the program. Perhaps I
went overboard here.
David
P.S. I'm still tweaking the exim policy. I'll probably post it in a
week or so.
I was just question almost doubling of rules and increase in complexity
for little gain in security.
Dan
--
