On 01/21/2013 03:42 PM, Daniel J Walsh wrote:
> On 01/21/2013 01:26 PM, Jean-David Beyer wrote:
>> These semanage things take a long time. I have a 4-core 1.8 GHz
>> Xeon processor. They tend to hog an entire core for around (but
>> less than) a minute. What is it doing with all that time? Do
>> they have to hit a database for each program and file in the
>> system or something?
>
>>> We do not currently allow log files mailed off the system by
>>> the system mailer. I guess we could add a boolean for this,
>>> but I do not believe we should allow this by default.
>
>> Was this in response to something I said? Because, if so, I
>> forgot what I may have said that prompted this.
>
>> In the future, I will be wanting to use shell scripts to send
>> e-mails from one computer to another on my l.a.n. Right now, I
>> cannot do it because I am running the default firewall that comes
>> with RHEL 6 and CentOS 5. I certainly can SSH files between the
>> machines with no trouble, since the default firewall allows that.
>> And apparently so does SELinux. I know I can e-mail stuff off my
>> machine using Thunderbird, and I do not suppose anything stops me
>> from attaching a log file, though I never tried that.
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> Well, the AVC you were showing was emailing a cron log file, which
> SELinux blocks and you overrode with a policy module, which is fine.
> My point was that we (Fedora/RHEL) do not allow this by default and
> allow customers/users to override the defaults.

OK. That is your policy. What follows is not a disagreement, nor is it a request to change the default policy, but a bona-fide question.

Why do you, by default, not allow customers, users, to mail a cron log file? I can even do it if I run the cron script as super user and not anacron.

Can you clarify the distinction between root sending an e-mail in a script and anacron sending the same e-mail in the same script? Since I had to be root in the first place to even put a cron script into the cron.daily directory. If I am allowed to create that file, and look at that file, what is the reason for the default policy preventing me from doing that?

As a practical matter, that file contains only the results of trying to make a backup, saying (in the example case) that it went OK and the number of blocks written. Of course, I could have written something sensitive in there too, and perhaps it is too much trouble (overhead) for SELinux to figure that out; I admit it would be.