Re: New to this list, and new to SELinux.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/21/2013 03:42 PM, Daniel J Walsh wrote:
> On 01/21/2013 01:26 PM, Jean-David Beyer wrote:

>> These semanage things take a long time. I have a 4-core 1.8 GHz
>> Xeon processor. They tend to hog an entire core for around (but
>> less than) a minute. What is it doing with all that time? The
>> they have to hit a database for each program and file in the
>> system or something?
> 
>>> We do not currently allow log files mailed off the system by
>>> the system mailer.  I guess we could add a boolean for this.
>>> but I do not believe we should allow this by default.
> 
>> Was this in response to something I said? Because, if so, I
>> forgot what I may have said that prompted this.
> 
>> In the future, I will be wanting to use shell scripts to send
>> e-mails from one computer to another on my l.a.n. Right now, I
>> cannot do it because I am running the default firewall that comes
>> with RHEL 6 and CentOS 5. I certainly can SSH files between the
>> machines with no trouble, since the default firewall allows that.
>> And apparently so does SELinux. I know I can e-mail stuff off my
>> machine using Thunderbird, and I do not suppose anything stops me
>> from attaching a log file, though I never tried that. -- selinux
>> mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx 
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
> 
> Well the AVC you were showing was emailing a cron log file. Which
> SELinux blocks and you overrode with a policy module which is fine.
> My point was we Fedora/RHEL do not to allow this by default and
> allow customers/users to override the defaults.
> 
OK. That is your policy.

What follows is not a disagreement nor is it a request to change the
default policy, but a bona-fide question.

Why do you, by default, not allow customers, users, to mail a cron log
file? I can even do it if I run the cron script as super user and not
anacron. Can you clarify the distinction between root sending an
e-mail in a script and anacron sending the same e-mail in the same script?

Since I had to be root in the first place to even put a cron script
into the cron.daily directory. If I am allowed to create that file,
and look at that file, what is the reason for the default policy
preventing me from doing that?

As a practical matter, that file contains only the results of trying
to make a backup, saying (in the example case) that it went OK and the
number of blocks written. Of course, I could have written something
sensitive in there too, and perhaps it is too much trouble (overhead)
for SELinux to figure that out; I admit it would be.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJQ/a6pAAoJEBZthAoMYQyLT9kIAN7zmJocv4IAhwmyvUt1o6jU
3o0GFqY9LIIa11YAIhGEawiJCCWoEoWzKU2xNT1vfcNpV/fHxCITsUwcPFTfNp0k
0Tv8xHpkg414n7t4v0EYkFOaTpMobY6yT/IuG1Cg8GkTkTWMjF2o2wulKoZV+hM/
gIpFbjcEAAW9eulWQYBKHzEJ2GEksD/mfCSXnV6nOx7iuXUPTwcTIJ8Z47xN21II
gN1qeCpZ/f0k5We6Hx/uYNgp1CaPxLHZQj+EP7jXt17qfebiXvC4Wm2P/PGwF1ea
OyNodaYOGkM5Qod3E3NxkjHycIF3/yXVLsvAGHAqMOmFCsTebyShYiQPPOZ5kgw=
=jOBl
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux



[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux