From: bigon@debian.org (Laurent Bigonville)
Date: Mon, 23 Nov 2015 13:15:07 +0100
Subject: [refpolicy] Transition not working as expected with boolean cron_userdomain_transition set to on
In-Reply-To: <20151123120014.GA826@x250>
References: <5652F8F4.3090601@debian.org> <20151123120014.GA826@x250>
Message-ID: <5653034B.3010607@debian.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 23/11/15 13:00, Dominick Grift wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On Mon, Nov 23, 2015 at 12:31:00PM +0100, Laurent Bigonville wrote:
>> [...]
>>
>>
>> When cron_userdomain_transition boolean is set to on, the user cronjobs
>> are supposed to run in their domains. Without this patch the default
>> context is not properly computed:
>>
>> $ /usr/sbin/getdefaultcon user_u system_u:system_r:crond_t:s0
>> /usr/sbin/getdefaultcon: Invalid argument
>> $ /usr/sbin/getdefaultcon staff_u system_u:system_r:crond_t:s0
>> staff_u:sysadm_r:sysadm_t:s0
> this is not an accurate description since it expects a user name and not a
> selinux user id (right?)
>
>> With this patch applied:
>>
>> $ /usr/sbin/getdefaultcon user_u system_u:system_r:crond_t:s0
>> user_u:user_r:user_t:s0
>> $ /usr/sbin/getdefaultcon staff_ system_u:system_r:crond_t:s0
>> staff_u:staff_r:staff_t:s0
> idem ditto

Yes indeed, it was to make the thing more clear for the reader