On Sat, 2007-02-17 at 21:42 +0000, Ted Rule wrote: > If so, the workround is presumably for crond to double fork before > invoking the Job. i.e inside crond, do_command() would call > child_process(), which would then setexeccon(), then fork() AGAIN to > drop into the new security context as set by setexeccon(), and only then > build all the pipes and the greatgrandchild Job process and sendmail > processes themselves. Doh. Of course I now realise that a double fork won't help because the setexecon only affects exec() behaviour, not fork(). So I'm back to working round the problem with my wrapper script to indirectly launch sendmail. -- Ted Rule Director, Layer3 Systems Ltd W: http://www.layer3.co.uk/ -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
