From: dominick.grift@gmail.com (Dominick Grift)
Date: Wed, 21 Sep 2011 22:25:11 +0200
Subject: [refpolicy] [PATCH 1/1] Cronjobs might create temporary directories
In-Reply-To: <20110921192331.GA10041@siphos.be>
References: <20110921192331.GA10041@siphos.be>
Message-ID: <1316636711.24149.11.camel@x220.mydomain.internal>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2011-09-21 at 21:23 +0200, Sven Vermeulen wrote:
> Cronjobs, like makewhatis, want to create temporary directories
> (and not only just temporary files).

system_cronjob_t is an unconfined_domain(), did you disable or de-install the unconfined module?

Although allowing this for system_cronjob_t makes sense to me, it does make me wonder whether it's better to just make the makewhatis and other known scripts cron_system_entry() instead.

Some of these scripts need a lot of specific access (for example prelink), extending the system-cronjob domain to just allow all that makes it a very permissive domain. Oh wait, it is an unconfined domain already ;)

But in any case allowing generic system jobs to manage temporary system job content makes sense to me.

> We allow a filetrans in tmp_t for directories as well, and allow
> system_cronjob_t to manage files and directories of
> system_cronjob_tmp_t.
>
> Signed-off-by: Sven Vermeulen
> ---
> cron.te | 6 ++++--
> 1 files changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/cron.te b/cron.te > index f22d27c..07e2697 100644 > --- a/cron.te > +++ b/cron.te
> @@ -334,11 +334,13 @@ allow system_cronjob_t crond_t:process sigchld; > allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; > files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file) > > -# write temporary files > +# write temporary files/directories > manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) > +manage_files_pattern(system_cronjob_t, system_cronjob_tmp_t, system_cronjob_tmp_t) > +manage_dirs_pattern(system_cronjob_t, system_cronjob_tmp_t, system_cronjob_tmp_t) > manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) > filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) > -files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) > +files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir }) > > # Read from /var/spool/cron. > allow system_cronjob_t cron_spool_t:dir list_dir_perms;
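
Review bot: symlinks inside the new temporary directories are not covered. The two added lines grant manage_files_pattern and manage_dirs_pattern with system_cronjob_tmp_t as the parent, but the unchanged manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) still names only crond_tmp_t as the containing directory, so a job that creates a link inside a directory it just made under tmp_t has no matching rule in this block. If that is wanted, add the lnk_file pattern with system_cronjob_tmp_t as parent alongside the other two. The handling is also asymmetric between the two parents: files_tmp_filetrans now takes { file dir }, while filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) is left without dir. If that is deliberate, the "# write temporary files/directories" comment should say that directories are only expected under tmp_t.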