From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 23 Aug 2011 10:05:30 -0400
Subject: [refpolicy] unconfined_cronjob_t et al
In-Reply-To: <4E4E3B19.7080302@redhat.com>
References: <201108181731.39986.russell@coker.com.au> <4E4E3B19.7080302@redhat.com>
Message-ID: <4E53B3AA.20008@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/19/11 06:29, Daniel J Walsh wrote:
> On 08/18/2011 03:31 AM, Russell Coker wrote:
>> Is anyone actually making use of domains such as
>> unconfined_cronjob_t?
>
>> Is there any reason why I shouldn't just unilaterally remove them
>> from the Debian policy for Squeeze regardless of what Red Hat and
>> upstream are doing?
>
>> It seems to me that using a different domain for cron jobs causes
>> pain with no gain.
>
>
> I don't think so. I believe cronjobs in Red Hat OSes are running
> cronjobs as the usertype. I would say this should just be removed.

I don't see any objections, so I'll take a patch that eliminates the
role-derived cronjob domains, including unconfined_cronjob_t. That
would only leave the system_cronjob_t domain for running jobs out of
/etc/cron*. User cronjobs would run out of the user's actual domain.
The userspace files (e.g. default_contexts) would need to be updated
too.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com