On Tuesday, 8 January 2019 10:47:27 AM AEDT Chris PeBenito wrote:
> On 1/6/19 10:10 PM, Russell Coker wrote:
> > This patch adds a $1_crontab_t domain and makes it a compile option for
>
> What is the goal for reintroducing a crontab domain per-user-domain?

To make it more difficult for a user from one domain to take over access to
another domain via cron. The context of the crontab program determines the
type of the cron spool file which then determines the permitted context of the
cron job.

> > having a $1_cronjob_t domain.
> >
> > I anticipate that even if this patch is accepted later on there will be
> > some changes required. Please review this not for inclusion immediately
> > but for changes necessary. However the previous patch is good to go if
> > you like the concept.
>
> I'm not keen on this. The current policy is intended to make it easy to
> decide if you want to use a *_cronjob_t domain or simply transition to
> the user's domain by tweaking the default_contexts.

Which means that everyone who doesn't have a need for *_cronjob_t domains gets
all the extra policy.

--
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/