From: dac.override@gmail.com (Dominick Grift)
Date: Mon, 23 Nov 2015 13:39:24 +0100
Subject: [refpolicy] Transition not working as expected with boolean cron_userdomain_transition set to on
In-Reply-To: <5653034B.3010607@debian.org>
References: <5652F8F4.3090601@debian.org> <20151123120014.GA826@x250> <5653034B.3010607@debian.org>
Message-ID: <20151123123923.GB826@x250>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Nov 23, 2015 at 01:15:07PM +0100, Laurent Bigonville wrote:
> On 23/11/15 13:00, Dominick Grift wrote:
> > On Mon, Nov 23, 2015 at 12:31:00PM +0100, Laurent Bigonville wrote:
> >> [...]
> >>
> >> When cron_userdomain_transition boolean is set to on, the user cronjobs
> >> are supposed to run in their domains. Without this patch the default
> >> context is not properly computed:
> >>
> >> $ /usr/sbin/getdefaultcon user_u system_u:system_r:crond_t:s0
> >> /usr/sbin/getdefaultcon: Invalid argument
> >> $ /usr/sbin/getdefaultcon staff_u system_u:system_r:crond_t:s0
> >> staff_u:sysadm_r:sysadm_t:s0
> > this is not an accurate description since it expects a user name and not a
> > selinux user id (right?)
> >
> >> With this patch applied:
> >>
> >> $ /usr/sbin/getdefaultcon user_u system_u:system_r:crond_t:s0
> >> user_u:user_r:user_t:s0
> >> $ /usr/sbin/getdefaultcon staff_ system_u:system_r:crond_t:s0
> >> staff_u:staff_r:staff_t:s0
> > idem ditto
>
> Yes indeed, it was to make the thing more clear for the reader

I do not think that this attempt succeeds; instead it is actually confusing.
-- 
Dominick Grift