2010-05-13 16:01:47

by Daniel Walsh

Subject: [refpolicy] Might be a bug in crond_system_entry

interface(`cron_system_entry',`
	gen_require(`
		type crond_t, system_cronjob_t;
	')

	domtrans_pattern(system_cronjob_t, $2, $1)
	domtrans_pattern(crond_t, $2, $1)

This line is questionable. Might have even been added by me.


2010-05-13 17:22:04

by cpebenito

Subject: [refpolicy] Might be a bug in crond_system_entry

On Thu, 2010-05-13 at 12:01 -0400, Daniel J Walsh wrote:
> interface(`cron_system_entry',`
> 	gen_require(`
> 		type crond_t, system_cronjob_t;
> 	')
>
> 	domtrans_pattern(system_cronjob_t, $2, $1)
> 	domtrans_pattern(crond_t, $2, $1)
>
> This line is questionable. Might have even been added by me.

I believe the intention is to handle the case where someone puts the
command directly into the /etc/crontab, rather than in /etc/cron.*/

eg, in /etc/crontab:

0 * * * * root /usr/bin/my_entrypoint


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com