From: dominick.grift@gmail.com (Dominick Grift) Date: Thu, 22 Sep 2011 09:54:25 +0200 Subject: [refpolicy] [PATCH 1/1] Cronjobs might create temporary directories In-Reply-To: <20110922060405.GA13992@siphos.be> References: <20110921192331.GA10041@siphos.be> <1316636711.24149.11.camel@x220.mydomain.internal> <20110922060405.GA13992@siphos.be> Message-ID: <1316678065.374.10.camel@x220.mydomain.internal> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Thu, 2011-09-22 at 08:04 +0200, Sven Vermeulen wrote: > On Wed, Sep 21, 2011 at 10:25:11PM +0200, Dominick Grift wrote: > > On Wed, 2011-09-21 at 21:23 +0200, Sven Vermeulen wrote: > > > Cronjobs, like makewhatis, want to create temporary directories > > > (and not only just temporary files). > > > > system_cronjob_t is a unconfined_domain(), did you disable or de-install > > the unconfined module? > > Yup, in Gentoo we support "strict" (i.e. without the unconfined domain) for > servers and hope that this moves to workstations as well. > > > Although allowing this for system_cronjob_t makes sense to me, it does > > make me wonder whether its better to just make the makewhatis and other > > known scripts cron_system_entry() instead. > > In that case, makewhatis would require its own domain, and perhaps all other > scripts that want to create a temporary directory. I think that might give > too much overhead, although I do feel this is necessary in case of your next > paragraph: > > > Some of these scripts need a lot of specific access (for example > > prelink), extending the system-cronjob domain to just allow all that > > makes it a very permissive domain. Oh wait, it is a unconfined domain > > already ;) > > Indeed. It's about finding a good balance between manageability and security > I guess. I kind of compare the system_gronjob_t to httpd_sys_script_t in a few ways. A thing to consider with regard to these generic domains is the fact that various processes may run in it, thus share resources (types). So in theory things can escalate inside these generic domains. In the case of httpd, we use the apache_content_template where that makes sense. My opinion is that we should do the same for system_cronjob_t versus cron_system_entry. Although that is just my view, and looking at the current cron policy i can see that this concept is currently not applied there. In Fedora for example, we have prelink running in a prelink cron script domain using the cron_system_entry but in refpolicy that same prelink cron script runs in the system_cronjob_t domain (i can see that from the various calls in cron.te) In my view system_cronjob_t should be just a fall back, just like the httpd_sys_script_t domain in my view is kind of a faill back for httpd cgi scripts. > Wkr, > Sven Vermeulen > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110922/a643d0e2/attachment.bin