From: guido@trentalancia.com (Guido Trentalancia)
Date: Tue, 01 Feb 2011 14:59:35 +0100
Subject: [refpolicy] cron patches and remaining questions
In-Reply-To:
References: <1296510850.23039.9.camel@tesla.lan>
Message-ID: <1296568775.18286.98.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Harry !

On Tue, 01/02/2011 at 12.11 +0000, HarryCiao wrote:
> Hello Guido,
>
> > Subject: Re: [refpolicy] cron patches and remaining questions
> > From: guido at trentalancia.com
> > To: harrytaurus2002 at hotmail.com
> > CC: refpolicy at oss.tresys.com
> > Date: Mon, 31 Jan 2011 22:54:10 +0100
> >
> > Hello Harry,
> >
> > just a quick comment on the first two issues...
> >
> > On Mon, 31/01/2011 at 11.20 +0000, HarryCiao wrote:
> > > Hi Chris and all,
> > >
> > > I've run into some cron issues and come up with the attached 3
> > > patches, so far I am new to cron and cron.pp so it's likely there is a
> > > better way to fix the problems, any comments are greatly welcomed!
> > >
> > > Also there are a few cron problems that have not been fixed after
> > > applying these 3 patches:
> > >
> > > 1. on creation of /var/log/cron.log, its label is still var_log_t, the
> > > type_transition rule still does not take effect;
> >
> > This is consistent with the file contexts as specified by the reference
> > policy. What do you expect as a label for cron log files ?
>
> Because the logging_log_filetrans interface has been called for the
> crond_t and system_cronjob_t:
>
> cao at cao-laptop:/work/selinux/refpolicy/policy/modules$ grep logging_log_filetrans services/cron.te
> logging_log_filetrans(crond_t, cron_log_t, file)
> logging_log_filetrans(system_cronjob_t, cron_log_t, file)
> cao at cao-laptop:/work/selinux/refpolicy/policy/modules$
>
> So I expect when the crond_t creates cron log files during system
> booting up, this newly created file should be auto-labeled as
> cron_log_t, rather than the inherited label for its parent directory.
No, you shouldn't expect relabeling from logging_log_filetrans(). What is
happening appears consistent with what is specified in cron.te and cron.fc.
Supposedly logging_log_filetrans() just allows creation of files with a
different label, it does not actually create them nor does it do any
relabeling. For labeling issues, you should edit cron.fc in the first place.
Because in the end, even if something is labeled differently from what is
specified there, such a label won't survive a forced relabel process that can
always take place for a variety of reasons.

> BTW, once we fix the label of /var/log/cron(\.log)? file, we also have
> to grant the write permission on it to the syslogd_t domain.

Yes, you might have to grant different permissions if syslogd_t is going to
carry out file operations (read, open, write or whatever is appropriate in
this specific case) on a different target context. But are you sure it's
syslogd_t and not crond_t ? In general it's crond_t that operates on the
/var/log/cron(\.log)? file, not syslogd_t. So, all you might need to change
is the declaration of the type being used and the call to logging_log_file()
in cron.te (after editing cron.fc appropriately). But I haven't checked in
detail...

> > > 2. on creation of /var/spool/cron/root by the crontab command, its
> > > label is still cron_spool_t, the type_transition rule still does not
> > > take effect;
> >
> > Similar considerations as above apply here (behaviour appears consistent
> > with current file context definitions in the reference policy). What
> > label do you expect for root's crontab ? Perhaps sysadm_cron_spool_t ?
> > It's actually commented out in the file context for the cron module.
> >
> > It's very easy to change the labels, one just needs to modify the
> > relative cron.fc file under policy/modules/services. But what would you
> > change that to ? And will that be desirable for all refpolicy users ?
> >
> > I have not had time to look at your patches yet, but what problem are
> > they supposed to tackle ? Is the problem relevant to all refpolicy
> > users ?
> >
>
> Again, the cron_common_crontab_template has called the interface
> filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file) for the
> crontab_t and admin_crontab_t domains, so whenever a root user or
> non-root user uses the crontab command to register a new crontab file,
> the created /var/spool/cron/[user] files should be auto-labeled as
> user_cron_spool_t, rather than cron_spool_t, otherwise cronjob_t won't
> have the required entrypoint permission on it.
>
> Cheers,
> Harry
>
> > Regards,
> >
> > Guido
> >
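Added example, not part of this thread or of refpolicy: a small Python model that separates the two labeling mechanisms the thread argues about, the creation-time type_transition that filetrans_pattern() (and hence logging_log_filetrans()) expresses, and the file_contexts lookup a forced relabel uses. The rule table and the .fc entries are constructed; the cron-specific .fc entry is left out to reproduce the var_log_t result reported above, then added the way an edit to cron.fc would.

```python
import re

# Constructed creation-time rules: (creating domain, parent directory type,
# object class) -> type of the new object, as a type_transition rule states.
TYPE_TRANSITIONS = {
    ("crond_t", "var_log_t", "file"): "cron_log_t",
    ("system_cronjob_t", "var_log_t", "file"): "cron_log_t",
    ("crontab_t", "cron_spool_t", "file"): "user_cron_spool_t",
}

# Constructed file_contexts entries (regex, type). Deliberately no cron-specific
# /var/log entry, which reproduces the var_log_t result from the thread.
FILE_CONTEXTS = [
    (r"/var/log(/.*)?", "var_log_t"),
    (r"/var/spool/cron(/.*)?", "cron_spool_t"),
]

# The kind of entry an edit to cron.fc would add (constructed, not refpolicy's).
CRON_FC_FIX = [(r"/var/log/cron(\.log)?", "cron_log_t")]


def label_at_creation(domain, parent_type, obj_class="file"):
    """Type a newly created object gets: the type_transition target when a
    rule matches, otherwise the parent directory's type (plain inheritance)."""
    return TYPE_TRANSITIONS.get((domain, parent_type, obj_class), parent_type)


def label_after_relabel(path, file_contexts):
    """Type a forced relabel (restorecon/setfiles) assigns from file_contexts.
    Simplified last-match-wins lookup; the creation-time label plays no part."""
    result = None
    for pattern, ftype in file_contexts:
        if re.fullmatch(pattern, path):
            result = ftype
    return result


def trace(path, domain, parent_type, file_contexts=FILE_CONTEXTS):
    """(label at creation, label after a forced relabel) for one file."""
    return (label_at_creation(domain, parent_type),
            label_after_relabel(path, file_contexts))


if __name__ == "__main__":
    # Creation gives cron_log_t, a relabel silently reverts it to var_log_t.
    print(trace("/var/log/cron.log", "crond_t", "var_log_t"))
    # With the .fc entry in place both mechanisms agree.
    print(trace("/var/log/cron.log", "crond_t", "var_log_t", FILE_CONTEXTS + CRON_FC_FIX))
    print(trace("/var/spool/cron/root", "crontab_t", "cron_spool_t"))
```

The mismatch in the first trace is why a label obtained only through a type_transition does not survive a relabel, and the second trace is the state to aim for when auditing a module: the .te transition and the .fc entry must name the same type.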