selinux-refpolicy.vger.kernel.org archive mirror
From: Russell Coker <russell@coker.com.au>
To: Chris PeBenito <pebenito@ieee.org>
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH cron 2/2] user_crontab_t etc
Date: Tue, 08 Jan 2019 14:38:21 +1100
Message-ID: <6320875.l7dpP3Uglz@xev>
In-Reply-To: <b56674cc-183d-630e-defe-bf93237485a3@ieee.org>

On Tuesday, 8 January 2019 10:47:27 AM AEDT Chris PeBenito wrote:
> On 1/6/19 10:10 PM, Russell Coker wrote:
> > This patch adds a $1_crontab_t domain and makes it a compile option for
> 
> What is the goal for reintroducing a crontab domain per-user-domain?

To make it more difficult for a user from one domain to take over access to 
another domain via cron.

The context of the crontab program determines the type of the cron spool file 
which then determines the permitted context of the cron job.

> > having a $1_cronjob_t domain.
> > 
> > I anticipate that even if this patch is accepted later on there will be
> > some changes required.  Please review this not for inclusion immediately
> > but for changes necessary.  However the previous patch is good to go if
> > you like the concept.
> 
> I'm not keen on this.  The current policy is intended to make it easy to
> decide if you want to use a *_cronjob_t domain or simply transition to
> the user's domain by tweaking the default_contexts.

Which means that everyone who doesn't have a need for *_cronjob_t domains gets 
all the extra policy.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
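The chain Russell describes above (crontab's domain labels the spool file, and the spool file's type then bounds the job's domain) sketched as kernel TE policy for one hypothetical role, "staff". This is an added illustration in raw checkpolicy syntax, not refpolicy code and not the patch under discussion; the type names staff_crontab_t, staff_cron_spool_t and staff_cronjob_t are assumed for the example, as are the pre-existing refpolicy types crond_t, crontab_exec_t, cron_spool_t, staff_t and the role staff_r. Permissions are trimmed to what the chain needs; a real policy also needs the job's shell entrypoint, file open/search rights and the usual dontaudits.

```selinux
# Added illustrative policy (checkpolicy TE syntax), not refpolicy's own
# code and not the patch under review. Assumed existing types:
# crond_t, crontab_exec_t, cron_spool_t, staff_t, staff_cronjob_t, staff_r.

# Per-user crontab domain and a per-user type for the spool file it writes.
type staff_crontab_t;
type staff_cron_spool_t;
role staff_r types staff_crontab_t;

# 1. Running the crontab program from staff_t enters staff_crontab_t,
#    so the domain that edits the crontab is tied to the user's role.
allow staff_t crontab_exec_t : file { read getattr open execute };
allow staff_crontab_t crontab_exec_t : file entrypoint;
allow staff_t staff_crontab_t : process transition;
type_transition staff_t crontab_exec_t : process staff_crontab_t;

# 2. Files staff_crontab_t creates in the spool directory get the
#    per-user spool type. A crontab written from any other domain
#    cannot end up labelled staff_cron_spool_t, which is the point of
#    having a crontab domain per user domain.
allow staff_crontab_t cron_spool_t : dir { search write add_name remove_name };
allow staff_crontab_t staff_cron_spool_t : file { create read write getattr setattr unlink };
type_transition staff_crontab_t cron_spool_t : file staff_cron_spool_t;

# 3. crond reads the spool file, and the only job domain it may enter
#    from a file of this type is staff_cronjob_t: crond's SELinux
#    support checks 'entrypoint' on the crontab file's type before
#    running the job, so the spool label bounds the job's context.
allow crond_t staff_cron_spool_t : file { read getattr open };
allow crond_t staff_cronjob_t : process transition;
allow staff_cronjob_t staff_cron_spool_t : file entrypoint;
```

Without step 2, every user's crontab carries the shared spool type and step 3 cannot distinguish one role's jobs from another's; that is the cross-domain takeover the per-user crontab domain is meant to block.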


Thread overview: 4+ messages
2019-01-07  3:10 [PATCH cron 2/2] user_crontab_t etc Russell Coker
2019-01-07 23:47 ` Chris PeBenito
2019-01-08  3:38   ` Russell Coker [this message]
2019-01-09 23:57     ` Chris PeBenito
