From: guido@trentalancia.com (Guido Trentalancia)
Date: Wed, 02 Feb 2011 08:53:46 +0100
Subject: [refpolicy] cron patches and remaining questions
In-Reply-To: 
References: ,<1296510850.23039.9.camel@tesla.lan>
Message-ID: <1296633226.2935.4.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Harry !

On Tue, 01/02/2011 at 12.11 +0000, HarryCiao wrote:
> Hello Guido,
>
> > Subject: Re: [refpolicy] cron patches and remaining questions
> > From: guido at trentalancia.com
> > To: harrytaurus2002 at hotmail.com
> > CC: refpolicy at oss.tresys.com
> > Date: Mon, 31 Jan 2011 22:54:10 +0100
> >
> > Hello Harry,
> >
> > just a quick comment on the first two issues...
> >
> > On Mon, 31/01/2011 at 11.20 +0000, HarryCiao wrote:
> > > Hi Chris and all,
> > >
> > > I've run into some cron issues and come up with the attached 3
> > > patches, so far I am new to cron and cron.pp so it's likely there
> > > is a better way to fix the problems, any comments are greatly
> > > welcomed!
> > >
> > > Also there are a few cron problems that have not been fixed after
> > > applying these 3 patches:
> > >
> > > 1. on creation of /var/log/cron.log, its label is still var_log_t,
> > > the type_transition rule still does not take effect;
> >
> > This is consistent with the file contexts as specified by the
> > reference policy. What do you expect as a label for cron log files ?
>
> Because logging_log_filetrans interface has been called for the
> crond_t and system_cronjob_t:
>
> cao at cao-laptop:/work/selinux/refpolicy/policy/modules$ grep logging_log_filetrans services/cron.te
> logging_log_filetrans(crond_t, cron_log_t, file)
> logging_log_filetrans(system_cronjob_t, cron_log_t, file)
> cao at cao-laptop:/work/selinux/refpolicy/policy/modules$
>
> So I expect when the crond_t creates cron log files during system
> booting up, this newly created file should be auto-labeled as
> cron_log_t, rather than the inherited label for its parent directory.
>
> BTW, once we fix the label of /var/log/cron(\.log)? file, we also have
> to grant the write permission on it to the syslogd_t domain.

A quick comment on the first patch (0001-Fix-the-label-of-cron-log-files.patch).

It looks good and desirable to me, but beware that policy/modules/system/logging.fc still bears this:

/var/log/cron[^/]*	gen_context(system_u:object_r:var_log_t,mls_systemhigh)

So you might also want to remove the latter from logging.fc and do something else in cron.fc ?

Regards,

Guido
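The overlap Guido points at (logging.fc still claiming /var/log/cron[^/]* as var_log_t while the cron module wants cron_log_t) is the kind of thing a relabel with restorecon silently resolves one way or the other, so it is worth checking before a patch is merged. The following is an added example, not code from the refpolicy project or from anyone in this thread: a small checker that parses file_contexts-style lines from several .fc files and reports every module whose entry matches a given path, so that two modules claiming the same path with different types stand out. The logging.fc line is the one quoted in the mail; the cron.fc entries are constructed for the example and are not taken from the real cron.fc.

```python
"""Report .fc entries from different policy modules that claim the same path.

Added example (not refpolicy code).  It only checks for overlapping claims;
it does not reproduce the ordering setfiles/restorecon use to pick a winner.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample input.  The logging.fc line is the one quoted in the
# thread; the cron.fc lines are hypothetical and not taken from refpolicy.
LOGGING_FC = r"""
# policy/modules/system/logging.fc (line quoted in the mail)
/var/log/cron[^/]*   gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/messages    --  gen_context(system_u:object_r:var_log_t,mls_systemhigh)
"""
CRON_FC = r"""
# hypothetical cron.fc entries for the example
/var/log/cron\.log      --  gen_context(system_u:object_r:cron_log_t,s0)
/var/spool/cron(/.*)?       gen_context(system_u:object_r:cron_spool_t,s0)
"""

# <path regex> [<file type field>] <context>
_FC_LINE = re.compile(r"^(?P<pat>\S+)(?:\s+(?P<ftype>-[-bcdlps]))?\s+(?P<ctx>\S+)\s*$")
# gen_context(user:role:type[,mls]) as written in refpolicy .fc files
_GEN_CONTEXT = re.compile(r"^gen_context\((?P<ctx>[^,)]+)(?:,[^)]+)?\)$")


@dataclass
class FcEntry:
    module: str               # which .fc file the line came from
    pattern: str              # path regex as written in the .fc file
    ftype: Optional[str]      # "--", "-d", ... or None meaning "any file type"
    setype: Optional[str]     # SELinux type, or None for <<none>>
    regex: "re.Pattern"       # the pattern anchored to the whole path


def context_type(ctx: str) -> Optional[str]:
    """Extract the type from gen_context(...) or a raw user:role:type[:mls] context."""
    if ctx == "<<none>>":
        return None
    m = _GEN_CONTEXT.match(ctx)
    if m:
        ctx = m.group("ctx")
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {ctx}")
    return parts[2]


def parse_fc(text: str, module: str) -> List[FcEntry]:
    """Parse .fc lines; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _FC_LINE.match(line)
        if not m:
            raise ValueError(f"{module}: cannot parse line: {raw!r}")
        pat = m.group("pat")
        # file_contexts patterns are implicitly anchored to the whole path
        entries.append(FcEntry(module, pat, m.group("ftype"),
                               context_type(m.group("ctx")),
                               re.compile(rf"^(?:{pat})$")))
    return entries


def matching_entries(entries: List[FcEntry], path: str, ftype: str = "--") -> List[FcEntry]:
    """All entries whose regex matches `path` and whose file type field allows `ftype`."""
    return [e for e in entries
            if e.regex.match(path) and (e.ftype is None or e.ftype == ftype)]


def claimed_types(entries: List[FcEntry], path: str, ftype: str = "--") -> Set[Optional[str]]:
    """Distinct types claimed for `path`; more than one means modules disagree."""
    return {e.setype for e in matching_entries(entries, path, ftype)}


def check(path: str, ftype: str = "--") -> List[str]:
    """Sorted list of types the sample modules claim for `path`."""
    entries = parse_fc(LOGGING_FC, "logging.fc") + parse_fc(CRON_FC, "cron.fc")
    return sorted(claimed_types(entries, path, ftype), key=str)


if __name__ == "__main__":
    entries = parse_fc(LOGGING_FC, "logging.fc") + parse_fc(CRON_FC, "cron.fc")
    for p in ("/var/log/cron.log", "/var/log/cron", "/var/spool/cron/root"):
        hits = matching_entries(entries, p)
        flag = "CONFLICT" if len({e.setype for e in hits}) > 1 else "ok"
        print(f"{p}: {flag}")
        for e in hits:
            print(f"    {e.module}: {e.pattern} -> {e.setype}")
```

Run it directly to get a per-path report: /var/log/cron.log is flagged because logging.fc and cron.fc each match it with a different type, while /var/log/cron is matched by the logging.fc wildcard alone. Removing the logging.fc line, as the mail suggests, makes the conflict disappear. Note that this checker stops at "two modules claim the path"; which entry actually wins at relabel time is decided by setfiles' own ordering, so the cure is to leave only one module claiming the path rather than to reason about precedence.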