From: Russell Coker
To: Chris PeBenito
Reply-To: russell@coker.com.au
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH cron 2/2] user_crontab_t etc
Date: Tue, 08 Jan 2019 14:38:21 +1100
Message-ID: <6320875.l7dpP3Uglz@xev>
References: <20190107031005.GA13945@aaa.coker.com.au>

On Tuesday, 8 January 2019 10:47:27 AM AEDT Chris PeBenito wrote:
> On 1/6/19 10:10 PM, Russell Coker wrote:
> > This patch adds a $1_crontab_t domain and makes it a compile option for
>
> What is the goal for reintroducing a crontab domain per-user-domain?

To make it more difficult for a user from one domain to take over access to
another domain via cron.  The context of the crontab program determines the
type of the cron spool file which then determines the permitted context of
the cron job.

> > having a $1_cronjob_t domain.
> >
> > I anticipate that even if this patch is accepted later on there will be
> > some changes required.  Please review this not for inclusion immediately
> > but for changes necessary.  However the previous patch is good to go if
> > you like the concept.
>
> I'm not keen on this.  The current policy is intended to make it easy to
> decide if you want to use a *_cronjob_t domain or simply transition to
> the user's domain by tweaking the default_contexts.

Which means that everyone who doesn't have a need for *_cronjob_t domains
gets all the extra policy.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
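The chain Russell describes (crontab's domain decides the spool file's type, and the spool file's type decides which job domain crond may use) can be written out as a small policy fragment. The fragment below is an added illustration for this thread, not the patch under review and not refpolicy's cron module. It assumes the existing refpolicy types user_t, crontab_exec_t, cron_spool_t and crond_t, uses refpolicy's pattern macros, and instantiates the patch's $1_ prefix for the user role as user_crontab_t, user_cron_spool_t and user_cronjob_t; it also assumes the SELinux-aware crond checks file:entrypoint of the candidate job context on the crontab file before launching a job, which is what makes the spool label binding.

```selinux
## Added illustration, not the patch under discussion and not refpolicy's
## cron module. user_t, crontab_exec_t, cron_spool_t and crond_t are
## existing refpolicy types; user_crontab_t, user_cron_spool_t and
## user_cronjob_t stand for what $1_crontab_t, $1_cron_spool_t and
## $1_cronjob_t expand to for the user role.

# 1. Running crontab from user_t enters the per-user-domain crontab domain.
type user_crontab_t;
domain_type(user_crontab_t)
domain_entry_file(user_crontab_t, crontab_exec_t)
domtrans_pattern(user_t, crontab_exec_t, user_crontab_t)

# 2. A crontab file that user_crontab_t creates under cron_spool_t gets a
#    per-domain spool type. No other *_crontab_t domain has a transition
#    to user_cron_spool_t, so the file's label records which user domain
#    installed it.
type user_cron_spool_t;
files_type(user_cron_spool_t)
filetrans_pattern(user_crontab_t, cron_spool_t, user_cron_spool_t, file)
manage_files_pattern(user_crontab_t, cron_spool_t, user_cron_spool_t)

# 3. crond_t may read that spool type and may transition to the matching
#    job domain. user_cronjob_t is the only job domain with entrypoint on
#    user_cron_spool_t, so a crond that checks entrypoint on the crontab
#    file before picking the job context cannot run a file installed from
#    another user domain (say staff_cron_spool_t) as user_cronjob_t.
type user_cronjob_t;
domain_type(user_cronjob_t)
domain_entry_file(user_cronjob_t, user_cron_spool_t)
corecmd_shell_entry_type(user_cronjob_t)
read_files_pattern(crond_t, cron_spool_t, user_cron_spool_t)
allow crond_t self:process setexec;
allow crond_t user_cronjob_t:process transition;
```

Without the per-domain crontab type, every user domain's crontab writes the same spool type and the only thing separating one role's jobs from another's is whatever crond derives from the file owner and default_contexts. On a running system the file transition in step 2 can be confirmed with `sesearch -T -s user_crontab_t -t cron_spool_t -c file`, and the resulting labels with `ls -Z` on the spool directory (/var/spool/cron/crontabs on Debian).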