Re: New to this list, and new to SELinux.


 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/21/2013 04:10 PM, Jean-David Beyer wrote:
> On 01/21/2013 03:42 PM, Daniel J Walsh wrote:
>> On 01/21/2013 01:26 PM, Jean-David Beyer wrote:
> 
>>> These semanage things take a long time. I have a 4-core 1.8 GHz Xeon
>>> processor. They tend to hog an entire core for around (but less than) a
>>> minute. What is it doing with all that time? Do they have to hit a
>>> database for each program and file in the system or something?
> 
>>>> We do not currently allow log files mailed off the system by the
>>>> system mailer.  I guess we could add a boolean for this, but I do not
>>>> believe we should allow this by default.
> 
>>> Was this in response to something I said? Because, if so, I forgot what
>>> I may have said that prompted this.
> 
>>> In the future, I will be wanting to use shell scripts to send e-mails
>>> from one computer to another on my l.a.n. Right now, I cannot do it
>>> because I am running the default firewall that comes with RHEL 6 and
>>> CentOS 5. I certainly can SSH files between the machines with no
>>> trouble, since the default firewall allows that. And apparently so does
>>> SELinux. I know I can e-mail stuff off my machine using Thunderbird,
>>> and I do not suppose anything stops me from attaching a log file,
>>> though I never tried that. -- selinux mailing list
>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx 
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
> 
>> Well the AVC you were showing was emailing a cron log file. Which SELinux
>> blocks and you overrode with a policy module which is fine. My point was
>> we (Fedora/RHEL) do not allow this by default and allow customers/users
>> to override the defaults.
> 
> OK. That is your policy.
> 
> What follows is not a disagreement nor is it a request to change the 
> default policy, but a bona-fide question.
> 
> Why do you, by default, not allow customers, users, to mail a cron log 
> file? I can even do it if I run the cron script as super user and not 
> anacron. Can you clarify the distinction between root sending an e-mail in
> a script and anacron sending the same e-mail in the same script?
> 
I don't prevent a user/customer from mailing any log. Of course this might be
a matter of semantics.  Basically SELinux sees a mail program running out of
cron or the init system, it transitions to the system_mail_t domain, which we
don't want sending log files off the system.  Since we cannot tell if this is
any general script executing a mail program, a hacked application running a
mail program or an intended program to send mail, we choose to go with secure
by default when mail is being sent from system cron and the init system.

> Since I had to be root in the first place to even put a cron script into
> the cron.daily directory. If I am allowed to create that file, and look at
> that file, what is the reason for the default policy preventing me from
> doing that?
> 
The root user is allowed to send mail, since he is most likely logged in as
unconfined_t.  He can mail anything he wants.  With SELinux we have to
envision apps as being hacked.  A hacked app might want to email sensitive
data off the system. Since log files can contain sensitive data, we block this
by default.  Imagine the cron script or one of the executables the cron script
runs is hacked into.

> As a practical matter, that file contains only the results of trying to
> make a backup, saying (in the example case) that it went OK and the number
> of blocks written. Of course, I could have written something sensitive in
> there too, and perhaps it is too much trouble (overhead) for SELinux to
> figure that out; I admit it would be.

I cannot imagine how SELinux could tell what is sensitive and what is not,
plus I don't believe we want SELinux or SELinux apps reading data and trying
to figure this out.

One option we have is to have a boolean, like mail_logs and then give the
system_mail_t type the ability to read log files, for setups like yours.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlD+klcACgkQrlYvE4MpobO2sACgte/Pf/2WNWcshtTgCa6zI2dY
ywAAoKIqqm6W3IpfYuGIym3Et4YyLeoW
=1BVU
-----END PGP SIGNATURE-----
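
A triage sketch for the denials discussed in this thread, added here as an example and not code from either poster or from the SELinux project: it filters audit log AVC records for the system_mail_t domain being denied access to log files, which is what an administrator would review before overriding the default. The sample records are constructed, and treating any target type ending in `_log_t` as a log file is an assumption of this example.

```python
import re
from collections import Counter

# Constructed audit.log records for illustration (not taken from the thread).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1358802601.101:411): avc:  denied  { read } for  pid=2345 comm="sendmail" name="backup.log" dev=dm-0 ino=1201 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
type=AVC msg=audit(1358802601.102:412): avc:  denied  { getattr } for  pid=2345 comm="sendmail" path="/var/log/backup.log" dev=dm-0 ino=1201 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
type=AVC msg=audit(1358802700.007:420): avc:  denied  { name_connect } for  pid=2501 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1358802800.300:431): avc:  granted  { read } for  pid=2600 comm="sendmail" name="messages" dev=dm-0 ino=77 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    try:
        # A context is user:role:type:level; the type is the third field.
        source = fields["scontext"].split(":")[2]
        target = fields["tcontext"].split(":")[2]
    except (KeyError, IndexError):
        return None
    return {"result": m.group(1), "perms": m.group(2).split(),
            "source": source, "target": target,
            "tclass": fields.get("tclass"), "comm": fields.get("comm"),
            "object": fields.get("path") or fields.get("name")}

def mail_log_denials(text, domain="system_mail_t"):
    """Denied file accesses by `domain` against log-file types."""
    hits = []
    for line in text.splitlines():
        rec = parse_avc(line)
        # Assumption: log-file types are recognised by the "_log_t" suffix.
        if (rec and rec["result"] == "denied" and rec["source"] == domain
                and rec["tclass"] == "file" and rec["target"].endswith("_log_t")):
            hits.append(rec)
    return hits

def summarize(hits):
    """Count denials per (target type, permission) pair."""
    return Counter((h["target"], p) for h in hits for p in h["perms"])

if __name__ == "__main__":
    for key, count in summarize(mail_log_denials(SAMPLE_AUDIT)).items():
        print(key, count)
```
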