From: guido@trentalancia.com (Guido Trentalancia)
Date: Mon, 31 Jan 2011 22:54:10 +0100
Subject: [refpolicy] cron patches and remaining questions
Message-ID: <1296510850.23039.9.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Harry,

just a quick comment on the first two issues...

On Mon, 31/01/2011 at 11.20 +0000, HarryCiao wrote:
> Hi Chris and all,
>
> I've run into some cron issues and come up with the attached 3
> patches, so far I am new to cron and cron.pp so it's likely there is a
> better way to fix the problems, any comments are greatly welcomed!
>
> Also there are a few cron problems that have not been fixed after
> applying these 3 patches:
>
> 1. on creation of /var/log/cron.log, its label is still var_log_t, the
> type_transition rule still not take effect;

This is consistent with the file contexts as specified by the reference
policy. What do you expect as a label for cron log files?

> 2. on creation of /var/spool/cron/root by the crontab command, its
> label is still cron_spool_t, the type_transition rule still not take
> effect;

Similar considerations as above apply here (behaviour appears consistent
with current file context definitions in the reference policy).

What label do you expect for root's crontab? Perhaps
sysadm_cron_spool_t? It's actually commented out in the file context
for the cron module.

It's very easy to change the labels, one just needs to modify the
relative cron.fc file under policy/modules/services. But what would you
change that to? And will that be desirable for all refpolicy users?

I have not had time to look at your patches yet, but what problem are
they supposed to tackle? Is the problem relevant to all refpolicy
users?

Regards,

Guido