2010-01-04 20:34:44

by Stephen Smalley

Subject: [refpolicy] CentOS 5.4 nfs home directories + cron

On Mon, 2009-12-21 at 15:11 +0000, Tom Boland wrote:
> Hi there,
>
> I've been battling with this, but don't seem to have much luck. I've
> added a default file context for the crontabs in /var/spool/crontab, but
> this doesn't seem to be honoured. I've also added rules to allow
> crontab to transition to the user_t type, but it's not choosing to do
> so. I also get permission denied when attempting to set the context
> with the -s option to crontab. I'm really confused about this. Here
> are my rules so far.

Any errors in /var/log/cron?
Any AVC messages in /var/log/audit/audit.log or /var/log/messages?

> ================================================================
>
> module cronusertr 1.0;
>
> require {
> type crond_t;
> type user_crontab_t;
> type nfs_t;
> type user_t;
> class file { getattr read write execute unlink create lock
> relabelfrom relabelto rename entrypoint };
> class dir { add_name remove_name reparent search rmdir };
> class process { transition };
> };
>
> allow crond_t nfs_t:file {getattr read write execute unlink create lock
> relabelfrom relabelto rename entrypoint };
> allow crond_t nfs_t:dir { add_name remove_name reparent search rmdir };
> allow crond_t user_t:file { getattr read write execute unlink create
> lock relabelfrom relabelto rename entrypoint };

The above rule should be unnecessary - no files (other than /proc/pid
entries for a process that is running in user_t) should be labeled with
user_t.

> allow crond_t user_t:process { transition };
> allow user_crontab_t user_t:file { getattr read write unlink create lock
> rename entrypoint };

Likewise.

> allow user_crontab_t user_t:process { transition };

This shouldn't be needed either.

>
> ================================================================
>
> Could someone please let me know if I'm on completely the wrong track?
> I think I must be, as I'm getting absolutely nowhere seemingly.

Let's review:
crond_t is transitioning to user_crond_t under the CentOS 5.4 strict
policy but you want it to transition to user_t. Yes?

So you need to allow the transition on the type pair, which you seem to
have done, and you need to update your default_contexts entry for crond,
which you seem to have done. But you also likely need to amend the
policy/constraints file in the strict policy. I'd have to see your
current one - look at your selinux-policy .src.rpm.

--
Stephen Smalley
National Security Agency
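The first thing asked for above is the AVC record, and the useful way to read a batch of them is to reduce each denial to its (source type, target type, class) pair and the permissions that were refused, which is what audit2allow does before it prints allow rules. The script below is an added example for this thread, not code from the original post, from refpolicy or from any SELinux tool. The audit lines it parses are constructed to mimic the CentOS 5 audit.log format and the types named in the thread (crond_t, nfs_t, user_t); the function names and the sample pids, inodes and timestamps are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (not from the original thread). The
# records imitate the AVC format written by the kernel on a CentOS 5 box;
# pids, inodes and timestamps are invented.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1261408260.101:201): avc:  denied  { read } for  pid=2411 comm="crond" name="tom" dev=0:16 ino=1048577 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1261408260.102:202): avc:  denied  { search } for  pid=2411 comm="crond" name="crontabs" dev=0:16 ino=1048576 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1261408260.105:203): avc:  denied  { transition } for  pid=2413 comm="crond" path="/bin/bash" dev=dm-0 ino=393241 scontext=system_u:system_r:crond_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=process
type=SYSCALL msg=audit(1261408260.105:203): arch=c000003e syscall=59 success=no exit=-13 a0=2aaaaab12345 items=0 ppid=2411 pid=2413 comm="crond" exe="/usr/sbin/crond"
"""

# One AVC denial: permissions in braces, free-form fields, then the
# source context, target context and object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'(?P<fields>.*?)\s*scontext=(?P<scontext>\S+)\s+'
    r'tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # key=value pairs between "for" and scontext=, values may be quoted
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('fields')))
    return {
        'perms': set(m.group('perms').split()),
        'scontext': m.group('scontext'),
        'tcontext': m.group('tcontext'),
        'tclass': m.group('tclass'),
        'comm': fields.get('comm', '').strip('"'),
        # path= is present when the kernel knows the full path, name= otherwise
        'target': (fields.get('path') or fields.get('name') or '').strip('"'),
    }


def type_of(context):
    """user:role:type[:range] -> type."""
    return context.split(':')[2]


def summarize(log_text):
    """Collapse denials into {(source_type, target_type, class): {perms}}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        rules[key] |= rec['perms']
    return dict(rules)


def render_allow_rules(rules):
    """Print the summary as the allow rules audit2allow would propose."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append('allow %s %s:%s { %s };' % (src, tgt, cls, ' '.join(sorted(perms))))
    return out


if __name__ == '__main__':
    for rule in render_allow_rules(summarize(SAMPLE_AUDIT_LOG)):
        print(rule)
```

The third sample record is the interesting one for this thread: a `crond_t` to `user_t` `process { transition }` denial whose source and target contexts differ in user and role as well as type. If `sesearch --allow -s crond_t -t user_t -c process -p transition` already shows the allow rule on the running policy and the denial still appears, the type-enforcement rule is not what is blocking it; the user/role change is being refused by a constraint, which is the policy/constraints file Smalley points at, and adding the same allow rule again will not help.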