From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 21 Apr 2014 09:00:04 -0400
Subject: [refpolicy] [PATCH 2/2] fcron socket support
In-Reply-To: <1397984133-12996-3-git-send-email-sven.vermeulen@siphos.be>
References: <1397984133-12996-1-git-send-email-sven.vermeulen@siphos.be> <1397984133-12996-3-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <53551654.1080001@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/20/2014 04:55 AM, Sven Vermeulen wrote:
> diff --git a/cron.te b/cron.te > index bd8a5cc..a2cc311 100644 > --- a/cron.te > +++ b/cron.te > @@ -347,6 +347,8 @@ tunable_policy(`allow_polyinstantiation',` > > tunable_policy(`fcron_crond',` > allow crond_t { system_cron_spool_t user_cron_spool_t }:file manage_file_perms; > + allow crond_t crond_var_run_t:sock_file manage_sock_file_perms; > + files_pid_filetrans(crond_t, crond_var_run_t, sock_file, "fcron.fifo") > ')

This has at least two problems. Name filetrans in a conditional aren't allowed, and also I got an error with a role in an allow rule:

policy/modules/roles/sysadm.te":424:ERROR 'unknown type sysadm_r' at token ';' on line 2363883:
#line 424
allow sysadm_r crond_var_run_t:dir { getattr search open };
checkpolicy: error(s) encountered while parsing configuration

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
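
Review bot: The added files_pid_filetrans(crond_t, crond_var_run_t, sock_file, "fcron.fifo") line sits inside the tunable_policy(`fcron_crond',` block and passes a file name, which makes it a named type transition inside a conditional; the reply above reports that this is not allowed. Suggest moving that one line outside the tunable_policy block and leaving the allow crond_t crond_var_run_t:sock_file manage_sock_file_perms; rule where it is, or dropping the "fcron.fifo" argument if the transition has to stay conditional. A short comment would also help on why an object named fcron.fifo is labelled through the sock_file class rather than fifo_file. The sysadm_r error quoted in the reply points at sysadm.te line 424, which is not in this hunk, so it cannot be checked from the lines shown here.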