2015-12-03 16:14:08

by Laurent Bigonville

Subject: [refpolicy] [PATCH v2] Allow the user cronjobs to run in their userdomain

From: Laurent Bigonville <[email protected]>

When cron_userdomain_transition boolean is set to on, the user cronjobs
are supposed to run in their domains. Without this patch the default
context is not properly computed:

$ /usr/sbin/getdefaultcon user_u system_u:system_r:crond_t:s0
/usr/sbin/getdefaultcon: Invalid argument
$ /usr/sbin/getdefaultcon staff_u system_u:system_r:crond_t:s0
staff_u:sysadm_r:sysadm_t:s0

With this patch applied:

$ /usr/sbin/getdefaultcon user_u system_u:system_r:crond_t:s0
user_u:user_r:user_t:s0
$ /usr/sbin/getdefaultcon staff_u system_u:system_r:crond_t:s0
staff_u:staff_r:staff_t:s0
---
config/appconfig-mcs/default_contexts | 2 +-
config/appconfig-mcs/staff_u_default_contexts | 2 +-
config/appconfig-mcs/user_u_default_contexts | 2 +-
config/appconfig-mls/default_contexts | 2 +-
config/appconfig-mls/staff_u_default_contexts | 2 +-
config/appconfig-mls/user_u_default_contexts | 2 +-
config/appconfig-standard/default_contexts | 2 +-
config/appconfig-standard/staff_u_default_contexts | 2 +-
config/appconfig-standard/user_u_default_contexts | 2 +-
9 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/config/appconfig-mcs/default_contexts b/config/appconfig-mcs/default_contexts
index 801d97b..698d54c 100644
--- a/config/appconfig-mcs/default_contexts
+++ b/config/appconfig-mcs/default_contexts
@@ -1,4 +1,4 @@
-system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:crond_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
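Review bot: The new crond_t line depends on candidate order to choose between the userdomain entries and the cronjob_t entries, and nothing in the file records that the order is significant; as far as I understand get_ordered_context_list, the first candidate the kernel reports as reachable from crond_t for that user wins, so listing `user_r:user_t:s0` ahead of `user_r:cronjob_t:s0` is what makes the boolean-on case pick the userdomain while the boolean-off case falls through to cronjob_t. A later maintainer reordering or "deduplicating" these entries would silently bring back the pre-patch result shown in the description, where staff_u ended up in `sysadm_r:sysadm_t:s0`, a more privileged role than intended. I would record this in the commit message or the appconfig documentation, e.g. "crond_t candidates: userdomain types first (taken when cron_userdomain_transition is on), cronjob_t types after them as the fallback when that transition is not allowed; order is significant." The same point applies to the appconfig-mls and appconfig-standard default_contexts hunks and to the six per-user files in this series.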
diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts
index 881a292..5606c4e 100644
--- a/config/appconfig-mcs/staff_u_default_contexts
+++ b/config/appconfig-mcs/staff_u_default_contexts
@@ -1,7 +1,7 @@
system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:remote_login_t:s0 staff_r:staff_t:s0
system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-system_r:crond_t:s0 staff_r:cronjob_t:s0
+system_r:crond_t:s0 staff_r:staff_t:s0 staff_r:cronjob_t:s0
system_r:xdm_t:s0 staff_r:staff_t:s0
staff_r:staff_su_t:s0 staff_r:staff_t:s0
staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
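Review bot: Only the staff_u and user_u per-user files get the crond_t change; since a per-user `<user>_default_contexts` file is consulted before default_contexts, any other per-user file in these appconfig directories that still lists only a cronjob_t candidate for crond_t would presumably keep the pre-patch behaviour for that SELinux user when the boolean is on. Whether such files exist is not visible in this patch, so it is worth a check before merge. The same applies to the appconfig-mls and appconfig-standard per-user hunks.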
diff --git a/config/appconfig-mcs/user_u_default_contexts b/config/appconfig-mcs/user_u_default_contexts
index cacbc93..56d6071 100644
--- a/config/appconfig-mcs/user_u_default_contexts
+++ b/config/appconfig-mcs/user_u_default_contexts
@@ -1,7 +1,7 @@
system_r:local_login_t:s0 user_r:user_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
system_r:sshd_t:s0 user_r:user_t:s0
-system_r:crond_t:s0 user_r:cronjob_t:s0
+system_r:crond_t:s0 user_r:user_t:s0 user_r:cronjob_t:s0
system_r:xdm_t:s0 user_r:user_t:s0
user_r:user_su_t:s0 user_r:user_t:s0
user_r:user_sudo_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-mls/default_contexts b/config/appconfig-mls/default_contexts
index 801d97b..698d54c 100644
--- a/config/appconfig-mls/default_contexts
+++ b/config/appconfig-mls/default_contexts
@@ -1,4 +1,4 @@
-system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:crond_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
diff --git a/config/appconfig-mls/staff_u_default_contexts b/config/appconfig-mls/staff_u_default_contexts
index 881a292..5606c4e 100644
--- a/config/appconfig-mls/staff_u_default_contexts
+++ b/config/appconfig-mls/staff_u_default_contexts
@@ -1,7 +1,7 @@
system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:remote_login_t:s0 staff_r:staff_t:s0
system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-system_r:crond_t:s0 staff_r:cronjob_t:s0
+system_r:crond_t:s0 staff_r:staff_t:s0 staff_r:cronjob_t:s0
system_r:xdm_t:s0 staff_r:staff_t:s0
staff_r:staff_su_t:s0 staff_r:staff_t:s0
staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
diff --git a/config/appconfig-mls/user_u_default_contexts b/config/appconfig-mls/user_u_default_contexts
index cacbc93..56d6071 100644
--- a/config/appconfig-mls/user_u_default_contexts
+++ b/config/appconfig-mls/user_u_default_contexts
@@ -1,7 +1,7 @@
system_r:local_login_t:s0 user_r:user_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
system_r:sshd_t:s0 user_r:user_t:s0
-system_r:crond_t:s0 user_r:cronjob_t:s0
+system_r:crond_t:s0 user_r:user_t:s0 user_r:cronjob_t:s0
system_r:xdm_t:s0 user_r:user_t:s0
user_r:user_su_t:s0 user_r:user_t:s0
user_r:user_sudo_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-standard/default_contexts b/config/appconfig-standard/default_contexts
index 64a0a90..25ee341 100644
--- a/config/appconfig-standard/default_contexts
+++ b/config/appconfig-standard/default_contexts
@@ -1,4 +1,4 @@
-system_r:crond_t user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_cronjob_t unconfined_r:unconfined_cronjob_t
+system_r:crond_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_cronjob_t unconfined_r:unconfined_cronjob_t
system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
system_r:remote_login_t user_r:user_t staff_r:staff_t unconfined_r:unconfined_t
system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
diff --git a/config/appconfig-standard/staff_u_default_contexts b/config/appconfig-standard/staff_u_default_contexts
index c2a5ea8..300694c 100644
--- a/config/appconfig-standard/staff_u_default_contexts
+++ b/config/appconfig-standard/staff_u_default_contexts
@@ -1,7 +1,7 @@
system_r:local_login_t staff_r:staff_t sysadm_r:sysadm_t
system_r:remote_login_t staff_r:staff_t
system_r:sshd_t staff_r:staff_t sysadm_r:sysadm_t
-system_r:crond_t staff_r:cronjob_t
+system_r:crond_t staff_r:staff_t staff_r:cronjob_t
system_r:xdm_t staff_r:staff_t
staff_r:staff_su_t staff_r:staff_t
staff_r:staff_sudo_t staff_r:staff_t
diff --git a/config/appconfig-standard/user_u_default_contexts b/config/appconfig-standard/user_u_default_contexts
index f5bfac3..63b7eec 100644
--- a/config/appconfig-standard/user_u_default_contexts
+++ b/config/appconfig-standard/user_u_default_contexts
@@ -1,7 +1,7 @@
system_r:local_login_t user_r:user_t
system_r:remote_login_t user_r:user_t
system_r:sshd_t user_r:user_t
-system_r:crond_t user_r:cronjob_t
+system_r:crond_t user_r:user_t user_r:cronjob_t
system_r:xdm_t user_r:user_t
user_r:user_su_t user_r:user_t
user_r:user_sudo_t user_r:user_t
--
2.6.2


2015-12-08 14:39:03

by cpebenito

Subject: [refpolicy] [PATCH v2] Allow the user cronjobs to run in their userdomain

On 12/3/2015 11:14 AM, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> When cron_userdomain_transition boolean is set to on, the user cronjobs
> are supposed to run in their domains. Without this patch the default
> context is not properly computed:
>
> $ /usr/sbin/getdefaultcon user_u system_u:system_r:crond_t:s0
> /usr/sbin/getdefaultcon: Invalid argument
> $ /usr/sbin/getdefaultcon staff_u system_u:system_r:crond_t:s0
> staff_u:sysadm_r:sysadm_t:s0
>
> With this patch applied:
>
> $ /usr/sbin/getdefaultcon user_u system_u:system_r:crond_t:s0
> user_u:user_r:user_t:s0
> $ /usr/sbin/getdefaultcon staff_u system_u:system_r:crond_t:s0
> staff_u:staff_r:staff_t:s0

Merged.



> ---
> config/appconfig-mcs/default_contexts | 2 +-
> config/appconfig-mcs/staff_u_default_contexts | 2 +-
> config/appconfig-mcs/user_u_default_contexts | 2 +-
> config/appconfig-mls/default_contexts | 2 +-
> config/appconfig-mls/staff_u_default_contexts | 2 +-
> config/appconfig-mls/user_u_default_contexts | 2 +-
> config/appconfig-standard/default_contexts | 2 +-
> config/appconfig-standard/staff_u_default_contexts | 2 +-
> config/appconfig-standard/user_u_default_contexts | 2 +-
> 9 files changed, 9 insertions(+), 9 deletions(-)
>
> diff --git a/config/appconfig-mcs/default_contexts b/config/appconfig-mcs/default_contexts
> index 801d97b..698d54c 100644
> --- a/config/appconfig-mcs/default_contexts
> +++ b/config/appconfig-mcs/default_contexts
> @@ -1,4 +1,4 @@
> -system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
> +system_r:crond_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
> system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
> system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
> system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
> diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts
> index 881a292..5606c4e 100644
> --- a/config/appconfig-mcs/staff_u_default_contexts
> +++ b/config/appconfig-mcs/staff_u_default_contexts
> @@ -1,7 +1,7 @@
> system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
> system_r:remote_login_t:s0 staff_r:staff_t:s0
> system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
> -system_r:crond_t:s0 staff_r:cronjob_t:s0
> +system_r:crond_t:s0 staff_r:staff_t:s0 staff_r:cronjob_t:s0
> system_r:xdm_t:s0 staff_r:staff_t:s0
> staff_r:staff_su_t:s0 staff_r:staff_t:s0
> staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
> diff --git a/config/appconfig-mcs/user_u_default_contexts b/config/appconfig-mcs/user_u_default_contexts
> index cacbc93..56d6071 100644
> --- a/config/appconfig-mcs/user_u_default_contexts
> +++ b/config/appconfig-mcs/user_u_default_contexts
> @@ -1,7 +1,7 @@
> system_r:local_login_t:s0 user_r:user_t:s0
> system_r:remote_login_t:s0 user_r:user_t:s0
> system_r:sshd_t:s0 user_r:user_t:s0
> -system_r:crond_t:s0 user_r:cronjob_t:s0
> +system_r:crond_t:s0 user_r:user_t:s0 user_r:cronjob_t:s0
> system_r:xdm_t:s0 user_r:user_t:s0
> user_r:user_su_t:s0 user_r:user_t:s0
> user_r:user_sudo_t:s0 user_r:user_t:s0
> diff --git a/config/appconfig-mls/default_contexts b/config/appconfig-mls/default_contexts
> index 801d97b..698d54c 100644
> --- a/config/appconfig-mls/default_contexts
> +++ b/config/appconfig-mls/default_contexts
> @@ -1,4 +1,4 @@
> -system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
> +system_r:crond_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
> system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
> system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
> system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
> diff --git a/config/appconfig-mls/staff_u_default_contexts b/config/appconfig-mls/staff_u_default_contexts
> index 881a292..5606c4e 100644
> --- a/config/appconfig-mls/staff_u_default_contexts
> +++ b/config/appconfig-mls/staff_u_default_contexts
> @@ -1,7 +1,7 @@
> system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
> system_r:remote_login_t:s0 staff_r:staff_t:s0
> system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
> -system_r:crond_t:s0 staff_r:cronjob_t:s0
> +system_r:crond_t:s0 staff_r:staff_t:s0 staff_r:cronjob_t:s0
> system_r:xdm_t:s0 staff_r:staff_t:s0
> staff_r:staff_su_t:s0 staff_r:staff_t:s0
> staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
> diff --git a/config/appconfig-mls/user_u_default_contexts b/config/appconfig-mls/user_u_default_contexts
> index cacbc93..56d6071 100644
> --- a/config/appconfig-mls/user_u_default_contexts
> +++ b/config/appconfig-mls/user_u_default_contexts
> @@ -1,7 +1,7 @@
> system_r:local_login_t:s0 user_r:user_t:s0
> system_r:remote_login_t:s0 user_r:user_t:s0
> system_r:sshd_t:s0 user_r:user_t:s0
> -system_r:crond_t:s0 user_r:cronjob_t:s0
> +system_r:crond_t:s0 user_r:user_t:s0 user_r:cronjob_t:s0
> system_r:xdm_t:s0 user_r:user_t:s0
> user_r:user_su_t:s0 user_r:user_t:s0
> user_r:user_sudo_t:s0 user_r:user_t:s0
> diff --git a/config/appconfig-standard/default_contexts b/config/appconfig-standard/default_contexts
> index 64a0a90..25ee341 100644
> --- a/config/appconfig-standard/default_contexts
> +++ b/config/appconfig-standard/default_contexts
> @@ -1,4 +1,4 @@
> -system_r:crond_t user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_cronjob_t unconfined_r:unconfined_cronjob_t
> +system_r:crond_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_cronjob_t unconfined_r:unconfined_cronjob_t
> system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
> system_r:remote_login_t user_r:user_t staff_r:staff_t unconfined_r:unconfined_t
> system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
> diff --git a/config/appconfig-standard/staff_u_default_contexts b/config/appconfig-standard/staff_u_default_contexts
> index c2a5ea8..300694c 100644
> --- a/config/appconfig-standard/staff_u_default_contexts
> +++ b/config/appconfig-standard/staff_u_default_contexts
> @@ -1,7 +1,7 @@
> system_r:local_login_t staff_r:staff_t sysadm_r:sysadm_t
> system_r:remote_login_t staff_r:staff_t
> system_r:sshd_t staff_r:staff_t sysadm_r:sysadm_t
> -system_r:crond_t staff_r:cronjob_t
> +system_r:crond_t staff_r:staff_t staff_r:cronjob_t
> system_r:xdm_t staff_r:staff_t
> staff_r:staff_su_t staff_r:staff_t
> staff_r:staff_sudo_t staff_r:staff_t
> diff --git a/config/appconfig-standard/user_u_default_contexts b/config/appconfig-standard/user_u_default_contexts
> index f5bfac3..63b7eec 100644
> --- a/config/appconfig-standard/user_u_default_contexts
> +++ b/config/appconfig-standard/user_u_default_contexts
> @@ -1,7 +1,7 @@
> system_r:local_login_t user_r:user_t
> system_r:remote_login_t user_r:user_t
> system_r:sshd_t user_r:user_t
> -system_r:crond_t user_r:cronjob_t
> +system_r:crond_t user_r:user_t user_r:cronjob_t
> system_r:xdm_t user_r:user_t
> user_r:user_su_t user_r:user_t
> user_r:user_sudo_t user_r:user_t
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com