From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 23 Aug 2011 10:05:30 -0400
Subject: [refpolicy] unconfined_cronjob_t et al
In-Reply-To: <4E4E3B19.7080302@redhat.com>
References: <201108181731.39986.russell@coker.com.au>
	<4E4E3B19.7080302@redhat.com>
Message-ID: <4E53B3AA.20008@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/19/11 06:29, Daniel J Walsh wrote:
> On 08/18/2011 03:31 AM, Russell Coker wrote:
>> Is anyone actually making use of domains such as
>> unconfined_cronjob_t?
> 
>> Is there any reason why I shouldn't just unilaterally remove them
>> from the Debian policy for Squeeze regardless of what Red Hat and
>> upstream are doing?
> 
>> It seems to me that using a different domain for cron jobs causes
>> pain with no gain.
> 
> 
> I don't think so.  I believe cronjobs in Red Hat os's are running
> cronjobs as the usertype.  I would say this should just be removed.

I don't see any objections, so I'll take a patch that eliminates the
role-derived cronjob domains, including unconfined_cronjob_t.  That
would only leave the system_cronjob_t domain for running jobs out of
/etc/cron*.  User cronjobs would run out of the user's actual domain.
The userspace files (eg default_contexts) files would need to be updated
too.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com