From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 3 Dec 2015 10:57:08 -0500
Subject: [refpolicy] Transition not working as expected with boolean cron_userdomain_transition set to on
In-Reply-To: <566052B2.4050401@debian.org>
References: <5652F8F4.3090601@debian.org> <565DC1D5.7020602@tresys.com> <565DCA23.3070301@debian.org> <565F01B8.6060602@tresys.com> <566052B2.4050401@debian.org>
Message-ID: <56606654.5070208@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/3/2015 9:33 AM, Laurent Bigonville wrote:
> On 02/12/15 15:35, Christopher J. PeBenito wrote:
>> On 12/1/2015 11:26 AM, Laurent Bigonville wrote:
>>> On 01/12/15 16:50, Christopher J. PeBenito wrote:
>>>> This makes sense, though the default_context files should probably
>>>> be updated similarly.
>>> Is the order relevant here?
>> For each line, the order is relevant. The libraries will choose the
>> first partial context that will result in a valid context. I'd have to
>> look at the code to see if it will skip partial contexts if the context
>> is valid but the transition is denied.
> And in this precise case, do you have a specific order for these
> contexts in the default_contexts file?

I think it should be like the user default_context files, where the user
domains are first, so those are chosen if the cron_userdomain_transition
is true. If false, then it should fall through to the cronjob domains.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
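
Added example, not part of the original message and not libselinux code: a simplified Python model of the ordering behaviour discussed in this thread, showing why the position of the user domain on a default_contexts line decides the outcome. The sample lines, the `reachable` helper and the set of usable candidates for each boolean value are assumptions constructed for illustration.

```python
# Simplified model of ordered default-context selection (not libselinux code).
# Assumption: a line is "<source partial context> <candidate> <candidate> ...",
# and the first candidate that is currently usable is chosen.

# Constructed sample lines: user domain first, and the reverse order.
USER_FIRST = "system_r:crond_t:s0 user_r:user_t:s0 user_r:cronjob_t:s0"
CRONJOB_FIRST = "system_r:crond_t:s0 user_r:cronjob_t:s0 user_r:user_t:s0"


def parse_line(line):
    """Split one line into (source context, ordered candidate list)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected a source context and at least one candidate")
    return fields[0], fields[1:]


def reachable(cron_userdomain_transition):
    """Constructed stand-in for the policy's answer on usable candidates.

    Assumption: the cronjob domain stays usable in both cases and the user
    domain becomes usable only when the boolean is on.
    """
    allowed = {"user_r:cronjob_t:s0"}
    if cron_userdomain_transition:
        allowed.add("user_r:user_t:s0")
    return allowed


def pick_context(line, from_context, allowed):
    """Return the first listed candidate that is usable, or None."""
    source, candidates = parse_line(line)
    if source != from_context:
        return None
    for candidate in candidates:
        if candidate in allowed:
            return candidate
    return None


if __name__ == "__main__":
    for name, line in (("user first", USER_FIRST), ("cronjob first", CRONJOB_FIRST)):
        for boolean in (True, False):
            chosen = pick_context(line, "system_r:crond_t:s0", reachable(boolean))
            print(f"{name:14} boolean={boolean!s:5} -> {chosen}")
```

With the cronjob domain listed first, the model picks it even when the boolean is on, which is the mismatch the subject line describes.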