On Fri, Oct 14, 2005 at 01:13:20PM +0200, Erich Schubert wrote: > Hi Javier, Hello Manoj, Russel, > [... /etc/cron.daily/standard trying to backup shadow,gshadow which > doesn't > work on SELinux due to permissions ...] > > Because people with SElinux that have granted root access (and to the cron > > process) to those files (i.e. have a proper SElinux policy in place) will > > disable the tasks even though they would execute fine. > > People doing so are bypassing some important part of the security system > IMHO. > The proper SELinux-solution would be to move the backup parts into a > separate script, and assign a special role to that one.
BTW, that's what I intend to do in the short term as I want to remove the cron tasks from the package and provide a, separate, 'cron-standard' package with the tasks. That way the cron package would not carry any task. I will consider (when I do that) breaking up the standard daily task to separate the backup and the lost+found stuff. Regards Javier
signature.asc
Description: Digital signature
