From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Tue, 27 Sep 2011 08:49:10 -0400 Subject: [refpolicy] [PATCH 1/1] Cronjobs might create temporary directories In-Reply-To: <1316809587.1931.44.camel@x220.mydomain.internal> References: <20110921192331.GA10041@siphos.be> <1316636711.24149.11.camel@x220.mydomain.internal> <20110922060405.GA13992@siphos.be> <1316678065.374.10.camel@x220.mydomain.internal> <20110922184251.GA15227@siphos.be> <20110923191154.GA31939@siphos.be> <1316809587.1931.44.camel@x220.mydomain.internal> Message-ID: <4E81C646.5090709@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/23/11 16:26, Dominick Grift wrote: > On Fri, 2011-09-23 at 21:11 +0200, Sven Vermeulen wrote: >> On Thu, Sep 22, 2011 at 08:42:51PM +0200, Sven Vermeulen wrote: >>> If the system_cronjob_t domain is seen more like a "jump board" towards the >>> application specific domains, I don't mind creating a makewhatis policy >>> module and work from there onwards. >> >> Giving the fact that the policy will probably read and write man_t together >> with the usual suspects (_exec, _domtrans), is it okay to suggest a patch for >> the miscfiles module? Or would you rather see an independent module? >> >> I don't think I need to offer a _run or _role interface, since transitioning >> from sysadm_t wouldn't be necessary. Or is it better to do that anyway? > > I wonder what PeBenito thinks about this. > > I wouldnt mind adding this to miscfiles, but i wouldnt add any unused > interfaces. If it turns out they are needed they can always be added > later. I would tend to agree that we want to get privileges out of system_cronjob_t by transitioning to other domains. But the domain already has sufficient perms to run makewhatis (save for this new tmp patch). All that we could likely gain by making a new makewhatis domain would be to drop the man page access from system_cronjob_t. If is demonstrated that we could have real gains from having a makewhatis domain, I'd have to see what the policy looks like to determine if it would be ok in miscfiles. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com