2011-02-11 02:18:08

by harrytaurus2002

Subject: [refpolicy] Make cron able to use pam_loginuid.so


Hi Chris,

We should have called the logging_set_loginuid() interface for crond_t so that it could use pam_loginuid.so in its PAM configs.

All tests passed :-)

-bash-3.2$ id -Z
user_u:user_r:user_t:s0
-bash-3.2$ /usr/sbin/getenforce
Enforcing
-bash-3.2$ pwd
/home/userA
-bash-3.2$ touch userA_cron_results
-bash-3.2$ vim userA_crontab
-bash-3.2$ cat userA_crontab
* * * * * echo `date` >> /home/userA/userA_cron_results; echo `id -Z` >> /home/userA/userA_cron_results
-bash-3.2$ ls -Z userA_cron_results
-rw-r--r-- userA userA user_u:object_r:user_home_t:s0 userA_cron_results
-bash-3.2$
-bash-3.2$ crontab userA_crontab
-bash-3.2$ crontab -l
* * * * * echo `date` >> /home/userA/userA_cron_results; echo `id -Z` >> /home/userA/userA_cron_results
-bash-3.2$ date
Fri Feb 11 01:50:41 GMT 2011
-bash-3.2$ cat userA_cron_results
Fri Feb 11 01:50:01 GMT 2011
user_u:user_r:cronjob_t:s0
-bash-3.2$
-bash-3.2$ cat userA_cron_results
Fri Feb 11 01:50:01 GMT 2011
user_u:user_r:cronjob_t:s0
Fri Feb 11 01:51:01 GMT 2011
user_u:user_r:cronjob_t:s0
-bash-3.2$

[root/sysadm_r/s0 at QtCao ~]# getenforce
Enforcing
[root/sysadm_r/s0 at QtCao ~]# ls /var/spool/cron/
root userA
[root/sysadm_r/s0 at QtCao ~]# ls /var/spool/cron/ -Z
-rw------- root root root:object_r:user_cron_spool_t:s0 root
-rw------- userA root user_u:object_r:user_cron_spool_t:s0 userA
[root/sysadm_r/s0 at QtCao ~]#
[root/sysadm_r/s0 at QtCao ~]# matchpathcon /var/spool/cron/
/var/spool/cron system_u:object_r:cron_spool_t:s0
[root/sysadm_r/s0 at QtCao ~]# matchpathcon /var/spool/cron/userA
/var/spool/cron/userA <<none>>
[root/sysadm_r/s0 at QtCao ~]#
[root/sysadm_r/s0 at QtCao ~]# newrole -l s15:c0.c1023 -- -c "tail /var/log/cron.log"
Password:
Feb 11 01:47:14 QtCao crontab[943]: (root) LIST (root)
Feb 11 01:48:01 QtCao crond[970]: (root) CMD (echo `date` >> /root/root_cron_results; echo `id -Z` >> /root/root_cron_results)
Feb 11 01:49:01 QtCao crond[1001]: (root) CMD (echo `date` >> /root/root_cron_results; echo `id -Z` >> /root/root_cron_results)
Feb 11 01:49:41 QtCao crontab[1007]: (userA) REPLACE (userA)
Feb 11 01:49:44 QtCao crontab[1008]: (userA) LIST (userA)
Feb 11 01:50:01 QtCao crond[1024]: (root) CMD (/usr/lib/sa/sa1 -d 1 1)
Feb 11 01:50:01 QtCao crond[1025]: (userA) CMD (echo `date` >> /home/userA/userA_cron_results; echo `id -Z` >> /home/userA/userA_cron_results)
Feb 11 01:50:01 QtCao crond[1026]: (root) CMD (echo `date` >> /root/root_cron_results; echo `id -Z` >> /root/root_cron_results)
Feb 11 01:51:01 QtCao crond[1063]: (root) CMD (echo `date` >> /root/root_cron_results; echo `id -Z` >> /root/root_cron_results)
Feb 11 01:51:01 QtCao crond[1064]: (userA) CMD (echo `date` >> /home/userA/userA_cron_results; echo `id -Z` >> /home/userA/userA_cron_results)
[root/sysadm_r/s0 at QtCao ~]#


Thanks,
Harry

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Make-crond-use-pam_loginuid.patch
Type: text/x-patch
Size: 1907 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110211/ef8f9a30/attachment.bin


2011-02-18 14:07:36

by cpebenito

Subject: [refpolicy] Make cron able to use pam_loginuid.so

On 02/10/11 21:18, HarryCiao wrote:
> We should have called the logging_set_loginuid() interface for crond_t so
> that it could use pam_loginuid.so in its PAM configs.
>
> All tests passed :-)

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com