From mboxrd@z Thu Jan 1 00:00:00 1970 From: harrytaurus2002@hotmail.com (HarryCiao) Date: Tue, 1 Feb 2011 12:11:30 +0000 Subject: [refpolicy] cron patches and remaining questions In-Reply-To: <1296510850.23039.9.camel@tesla.lan> References: , <1296510850.23039.9.camel@tesla.lan> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hello Guido, > Subject: Re: [refpolicy] cron patches and remaining questions > From: guido at trentalancia.com > To: harrytaurus2002 at hotmail.com > CC: refpolicy at oss.tresys.com > Date: Mon, 31 Jan 2011 22:54:10 +0100 > > Hello Harry, > > just a quick comment on the first two issues... > > On Mon, 31/01/2011 at 11.20 +0000, HarryCiao wrote: > > Hi Chris and all, > > > > I've run into some cron issues and come up with the attached 3 > > patches, so far I am new to cron and cron.pp so it's likely there is a > > better way to fix the problems, any comments are greatly welcomed! > > > > Aslo there are a few cron problems that have not been fixed after > > applying these 3 patches: > > > > 1. on creation of /var/log/cron.log, its label is still var_log_t, the > > type_transition rule still not take effect; > > This is consistent with the file contexts as specified by the reference > policy. What do you expect as a label for cron log files ? Because logging_log_filetrans interface has been called for the crond_t and system_cronjob_t: cao at cao-laptop:/work/selinux/refpolicy/policy/modules$ grep logging_log_filetrans services/cron.te logging_log_filetrans(crond_t, cron_log_t, file) logging_log_filetrans(system_cronjob_t, cron_log_t, file) cao at cao-laptop:/work/selinux/refpolicy/policy/modules$ So I expect when the crond_t creates cron log files during system booting up, this newly created file should be auto-labeled as cron_log_t, rather than the inherited label for its parent directory. BTW, once we fix the label of /var/log/cron(\.log)? file, we also have to grant the write permission on it to the syslogd_t domain. > > > 2. on creation of /var/spool/cron/root by the crontab command, its > > label is still cron_spool_t, the type_transition rule still not take > > effect; > > Similar considerations as above apply here (behaviour appears consistent > with current file context definitions in the reference policy). What > label do you expect for root's crontab ? Perhaps sysadm_cron_spool_t ? > It's actually commented out in the file context for the cron module. > > It's very easy to change the labels, one just needs to modify the > relative cron.fc file under policy/modules/services. But what would you > change that to ? And will that be desirable for all refpolicy users ? > > I have not had time to look at your patches yet, but what problem are > they supposed to tackle ? Is the problem relevant to all refpolicy > users ? > Again, the cron_common_crontab_template has called the interface filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file) for crontab_t and admin_crontab_t domains, so whenever root user or non-root user uses crontab command to register a new crontab files, the created /var/spool/cron/[user] files should be auto-label as user_cron_spool_t, rather than cron_spool_t, otherwise cronjob_t won't have the required entrypoint permission on it. Cheers, Harry > Regards, > > Guido > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20110201/3e7c190e/attachment-0001.html