From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Thu, 22 Sep 2011 08:04:05 +0200
Subject: [refpolicy] [PATCH 1/1] Cronjobs might create temporary directories
In-Reply-To: <1316636711.24149.11.camel@x220.mydomain.internal>
References: <20110921192331.GA10041@siphos.be> <1316636711.24149.11.camel@x220.mydomain.internal>
Message-ID: <20110922060405.GA13992@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, Sep 21, 2011 at 10:25:11PM +0200, Dominick Grift wrote:
> On Wed, 2011-09-21 at 21:23 +0200, Sven Vermeulen wrote:
> > Cronjobs, like makewhatis, want to create temporary directories
> > (and not only just temporary files).
>
> system_cronjob_t is an unconfined_domain(), did you disable or de-install
> the unconfined module?

Yup, in Gentoo we support "strict" (i.e. without the unconfined domain) for
servers and hope that this moves to workstations as well.

> Although allowing this for system_cronjob_t makes sense to me, it does
> make me wonder whether it's better to just make the makewhatis and other
> known scripts cron_system_entry() instead.

In that case, makewhatis would require its own domain, and perhaps all other
scripts that want to create a temporary directory. I think that might give
too much overhead, although I do feel this is necessary in case of your next
paragraph:

> Some of these scripts need a lot of specific access (for example
> prelink), extending the system-cronjob domain to just allow all that
> makes it a very permissive domain. Oh wait, it is an unconfined domain
> already ;)

Indeed. It's about finding a good balance between manageability and security
I guess.

Wkr,
	Sven Vermeulen
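Added illustration (not part of the patch under discussion, and not code from refpolicy or from either poster) of the alternative Dominick raises above: giving a cron script its own domain via cron_system_entry() instead of widening system_cronjob_t. The module name and the types makewhatis_t, makewhatis_exec_t and makewhatis_tmp_t are assumptions chosen for the example; the interfaces and patterns used (cron_system_entry, files_tmp_file, files_tmp_filetrans, manage_dirs_pattern, manage_files_pattern) are standard refpolicy ones.

```selinux
policy_module(makewhatis, 1.0.0)

########################################
#
# Declarations
#

# Hypothetical domain for the makewhatis cron script (assumed name,
# not a type that exists in refpolicy).
type makewhatis_t;
type makewhatis_exec_t;

# Enter makewhatis_t when the system cron daemon executes a file
# labelled makewhatis_exec_t; the script no longer runs as
# system_cronjob_t, so it does not inherit that domain's permissions.
cron_system_entry(makewhatis_t, makewhatis_exec_t)

# Private type for the temporary directory the script creates,
# registered as a tmp file type so the tmp-reaping rules apply to it.
type makewhatis_tmp_t;
files_tmp_file(makewhatis_tmp_t)

########################################
#
# Local policy
#

# Create, read, write and remove the private temporary directory and
# the files inside it; no other tmp content is reachable from here.
manage_dirs_pattern(makewhatis_t, makewhatis_tmp_t, makewhatis_tmp_t)
manage_files_pattern(makewhatis_t, makewhatis_tmp_t, makewhatis_tmp_t)

# Directories and files makewhatis_t creates under /tmp are
# automatically labelled makewhatis_tmp_t rather than tmp_t.
files_tmp_filetrans(makewhatis_t, makewhatis_tmp_t, { dir file })
```

The matching .fc file would label the script itself with makewhatis_exec_t (the installed path is site-specific and is not given here). The trade-off the thread describes shows up directly in the module: the tmp directory access is confined to one private type, but every such script needs its own module, types and file context, which is the per-script overhead Sven weighs against simply allowing the access in system_cronjob_t.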