From: dominick.grift@gmail.com (Dominick Grift)
Date: Wed, 14 Nov 2012 20:18:32 +0100
Subject: [refpolicy] [PATCH 5/5] Support at service
In-Reply-To: <20121114190318.GA3460@siphos.be>
References: <1352566218-17772-1-git-send-email-sven.vermeulen@siphos.be> <1352566218-17772-6-git-send-email-sven.vermeulen@siphos.be> <1352916203.3654.1.camel@d30.localdomain> <20121114190318.GA3460@siphos.be>
Message-ID: <1352920712.3654.23.camel@d30.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2012-11-14 at 20:03 +0100, Sven Vermeulen wrote:
> On Wed, Nov 14, 2012 at 07:03:23PM +0100, Dominick Grift wrote:
> > On Sat, 2012-11-10 at 17:50 +0100, Sven Vermeulen wrote:
> > > /var/spool/at/atspool(/.*)?
> >
> > Something creates this location because it is not installed (at least in
> > fedora. yum whatprovides /var/spool/at/atspool yields no results)
> >
> > My guess is that this would need at least a file type transition
>
> Here, the location is created by the package manager through the "at"
> package:
>
> testsys ~ # qfile /var/spool/at/atspool/
> sys-process/at (/var/spool/at/atspool)
>
> (This is comparable as saying that the directory is created by an RPM).
>

Maybe this is gentoo specific, on my f17 system this location does not even exist.

Are you sure that it works as you expect it?

Also the patch has stuff that seems unrelated. For example:

> -read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
> +manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)

Why did you change that?

Also why does the following only apply for cron admin role and admin crontab?
Do you know why the fsetid for admin_crontab_t is needed?:

> +allow admin_crontab_t self:capability fsetid;

> + type user_cron_spool_log_t;
> ')
>
> + rw_files_pattern($1, user_cron_spool_log_t,
> user_cron_spool_log_t)
> +
>
> Wkr,
> Sven Vermeulen
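Review bot: the crond_t line that replaces read_files_pattern with manage_files_pattern on user_cron_spool_t widens the daemon from reading user spool files to creating, writing and deleting them, and nothing in the quoted lines says which operation needs that. If the at support only requires one extra permission (for example removing a job file after it has run), grant that narrower pattern instead and state the reason in the commit message or in a comment above the rule.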
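Review bot: the added "allow admin_crontab_t self:capability fsetid;" grants a capability with no comment on what triggers it. fsetid controls whether set-user-ID and set-group-ID bits survive when a process modifies a file it does not fully own, so the rule should name the operation that hit the denial. If the program works without the capability, a dontaudit rule is the safer choice than an allow.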
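Review bot: the added rw_files_pattern($1, user_cron_spool_log_t, user_cron_spool_log_t) gives the calling domain read and write access to the log type, and the quoted lines do not show where user_cron_spool_log_t is declared or which path carries that label. Please point to the declaration and file context entry, and consider whether append_files_pattern or read_files_pattern covers what the caller actually does with the log. The interface's documentation header should also mention the new access so that callers know they receive it.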