From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Thu, 22 Sep 2011 20:42:51 +0200
Subject: [refpolicy] [PATCH 1/1] Cronjobs might create temporary directories
In-Reply-To: <1316678065.374.10.camel@x220.mydomain.internal>
References: <20110921192331.GA10041@siphos.be> <1316636711.24149.11.camel@x220.mydomain.internal> <20110922060405.GA13992@siphos.be> <1316678065.374.10.camel@x220.mydomain.internal>
Message-ID: <20110922184251.GA15227@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, Sep 22, 2011 at 09:54:25AM +0200, Dominick Grift wrote:
> I kind of compare the system_cronjob_t to httpd_sys_script_t in a few
> ways. A thing to consider with regard to these generic domains is the
> fact that various processes may run in it, thus share resources (types).
> So in theory things can escalate inside these generic domains.
>
> In the case of httpd, we use the apache_content_template where that
> makes sense. My opinion is that we should do the same for
> system_cronjob_t versus cron_system_entry.

Looking at the privileges that I would need to grant that are specific to cron, I do not find many to put in such a template mechanism for now (unlike for apache, where the definition is used to differentiate between readable/read-writeable files, scriptable types (for things like PHP), and access to common HTTPd types...

If the system_cronjob_t domain is seen more like a "jump board" towards the application-specific domains, I don't mind creating a makewhatis policy module and working from there onwards.

> Although that is just my view, and looking at the current cron policy I
> can see that this concept is currently not applied there.
>
> In Fedora for example, we have prelink running in a prelink cron script
> domain using the cron_system_entry but in refpolicy that same prelink
> cron script runs in the system_cronjob_t domain (I can see that from the
> various calls in cron.te

It looks like Fedora supports both, as I find cron_system_entry() usage for both prelink_t and prelink_cron_system_t.

Wkr,
	Sven Vermeulen
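As an added illustration of the "jump board" design discussed above (a dedicated per-job domain entered from system_cronjob_t via cron_system_entry(), with its own temporary type instead of widening the generic cron job domain), here is a minimal hypothetical makewhatis module in refpolicy's .te format. It is not code from refpolicy, Fedora, or the thread's participants; the type names makewhatis_t, makewhatis_exec_t and makewhatis_tmp_t and the choice of interfaces are assumptions made for the example, and the set of permissions is deliberately limited to what the temporary-directory discussion needs.

```m4
policy_module(makewhatis, 1.0.0)

########################################
#
# Declarations
#

# Hypothetical domain for the makewhatis cron job (example names, not
# part of refpolicy or Fedora policy). The job is entered from the
# generic system_cronjob_t domain and then runs in its own domain, so
# any extra access it needs is granted here rather than to every
# system cron job.
type makewhatis_t;
type makewhatis_exec_t;
application_domain(makewhatis_t, makewhatis_exec_t)
role system_r types makewhatis_t;

# Private temporary type: scratch directories and files created by the
# job get this type on creation, so they are not shared with (or
# reachable by) other jobs still running as system_cronjob_t.
type makewhatis_tmp_t;
files_tmp_file(makewhatis_tmp_t)

########################################
#
# Local policy
#

# Full control over its own temporary type.
manage_dirs_pattern(makewhatis_t, makewhatis_tmp_t, makewhatis_tmp_t)
manage_files_pattern(makewhatis_t, makewhatis_tmp_t, makewhatis_tmp_t)
# New directories and files in /tmp are automatically labelled
# makewhatis_tmp_t instead of the generic tmp type.
files_tmp_filetrans(makewhatis_t, makewhatis_tmp_t, { dir file })

# The job reads the installed manual pages it indexes.
files_read_usr_files(makewhatis_t)
miscfiles_read_man_pages(makewhatis_t)

# Basic process needs (shell and helper tools, locale data).
corecmd_exec_bin(makewhatis_t)
corecmd_exec_shell(makewhatis_t)
miscfiles_read_localization(makewhatis_t)

optional_policy(`
	# The transition from system_cronjob_t (and crond_t) into
	# makewhatis_t happens when a file labelled makewhatis_exec_t is
	# executed; this is the "jump board" step.
	cron_system_entry(makewhatis_t, makewhatis_exec_t)
')
```

The matching file context (also assumed for the example) would be a single .fc line such as `/usr/bin/makewhatis -- gen_context(system_u:object_r:makewhatis_exec_t,s0)`, after which the cron script stays in system_cronjob_t only until it executes that binary. Compared with granting system_cronjob_t the ability to create temporary directories directly, the escalation surface Dominick describes is confined to makewhatis_t and makewhatis_tmp_t.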