From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sat, 10 Dec 2011 09:49:20 +0100
Subject: [refpolicy] userdom_list_user_home_dirs for system cronjobs
Message-ID: <20111210084920.GA7537@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi guys,

We had a case (logwatch) where running logwatch from within a cronjob failed
because /etc/crontab had "HOME=/root" set [1]. The application used the
current working directory for scanning and failed because the job did not
have the proper privileges. As a result, logwatch died out and didn't
function.

I think that we have HOME=/ by default, but HOME=/root for system cronjobs is
not all that uncommon. But policy-wise, what is the best way to handle this?

We can
- document that /etc/crontab must use HOME=/ and leave any job that needs
  HOME=/root for the root users' cronjobs
- allow the necessary privileges for logwatch_t only, or
- grant this to all domains through cron_system_entry

I personally think that the first one (document) is the proper one, but
perhaps one of you has a more profound vision on this?

Wkr,
  Sven Vermeulen

[1] https://bugs.gentoo.org/show_bug.cgi?id=392699