From: dominick.grift@gmail.com (Dominick Grift) Date: Wed, 14 Nov 2012 20:39:49 +0100 Subject: [refpolicy] [PATCH 5/5] Support at service In-Reply-To: <20121114193113.GB4196@siphos.be> References: <1352566218-17772-1-git-send-email-sven.vermeulen@siphos.be> <1352566218-17772-6-git-send-email-sven.vermeulen@siphos.be> <1352916203.3654.1.camel@d30.localdomain> <20121114190318.GA3460@siphos.be> <1352920712.3654.23.camel@d30.localdomain> <20121114193113.GB4196@siphos.be> Message-ID: <1352921989.3654.36.camel@d30.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Wed, 2012-11-14 at 20:31 +0100, Sven Vermeulen wrote: > On Wed, Nov 14, 2012 at 08:18:32PM +0100, Dominick Grift wrote: > > May this is gentoo specific, on my f17 system this location does not > > even exist > > > > Are you sure that it works as you expect it? > > It seems to yes, I'm using it often the last few days to test out job > invocation from system cron, without having to edit my crontabs over and > over gain: > > echo "layman -S" | at now+1min > > Easy as pie to test stuff. > > > Also the patch has stuff that seems unrelated. For example: > > > > > -read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) > > > +manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) > > > > Why did you change that? > > Well, there are two parts of the at-stuff: one is the atjobs, the other is > atspool. In atjobs (labeled user_cron_spool_t) the scripts are placed that > are to be executed. These scripts, once executed, add in lock files inside > the atjobs location (hence the manage_files_pattern for crond_t). > > > Also why does the following only apply for cron admin role and admin > > crontab? Do you know why the fsetid for admin_crontab_t is needed?: > > > > > +allow admin_crontab_t self:capability fsetid; > > > It might also be for non-admin cron stuff, I'm currently only testing with > admin. I believe it is needed while writing the scripts in the atjob > location. > > testsys ~ # echo ls | at now+1min > warning: commands will be executed using /bin/sh > job 21 at Wed Nov 14 20:31:00 2012 > testsys ~ # cat /var/log/avc.log > Nov 14 20:30:16 testsys kernel: [ 1746.093723] type=1400 > audit(1352921416.791:31): avc: granted { fsetid } for pid=3573 comm="at" > capability=4 scontext=root:sysadm_r:admin_crontab_t > tcontext=root:sysadm_r:admin_crontab_t tclass=capability > Nov 14 20:30:16 testsys kernel: [ 1746.093734] type=1400 > audit(1352921416.791:32): avc: granted { fsetid } for pid=3573 comm="at" > capability=4 scontext=root:sysadm_r:admin_crontab_t > tcontext=root:sysadm_r:admin_crontab_t tclass=capability I am not opposed to adding this but could you pretty please test it a little more first, also for other scenarios (users other than admin) > Wkr, > Sven Vermeulen > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy