From: dac.override@gmail.com (Dominick Grift) Date: Sun, 31 Jan 2016 14:53:37 +0100 Subject: [refpolicy] [PATCH] cron: Allow locks to be lnk_files In-Reply-To: <1454177718-7999-1-git-send-email-jason@perfinion.com> References: <1454177718-7999-1-git-send-email-jason@perfinion.com> Message-ID: <20160131135336.GA11299@void.wireless.home.internal> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Sun, Jan 31, 2016 at 02:15:18AM +0800, Jason Zaman wrote: > The run-crons script now uses symlinks to pids as the locks instead of > just a plain file. > > avc: denied { create } for pid=5844 comm="ln" name="cron.hourly" > scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file permissive=0 > type=PATH msg=audit(1454175001.341:80669): item=2 > name="/var/lock/cron.hourly" nametype=CREATE > --- > cron.te | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/cron.te b/cron.te > index b481d5d..4aa43a7 100644 > --- a/cron.te > +++ b/cron.te 
> @@ -439,8 +439,8 @@ files_pid_filetrans(system_cronjob_t, cron_var_run_t, file) > > manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t) > > -allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; > -files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file) > +allow system_cronjob_t system_cronjob_lock_t:{ file lnk_file } manage_file_perms; I prefer two lines for consistency: allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; allow system_cronjob_t system_cronjob_lock_t:lnk_file manage_lnk_file_perms; > +files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, { file lnk_file }) > > manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) > manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) > -- > 2.4.10 - -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift
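Review bot: the added allow rule in the @@ -439,8 +439,8 @@ hunk applies manage_file_perms, a permission set written for the file class, to lnk_file as well through the { file lnk_file } class set, so the symlink locks are granted whatever the regular-file set contains rather than a set chosen for symlinks. Keeping the original file rule unchanged and adding a separate "allow system_cronjob_t system_cronjob_lock_t:lnk_file manage_lnk_file_perms;" line keeps each class on its own permission set and matches the per-class style of the manage_files_pattern / manage_lnk_files_pattern context lines at the end of the hunk. The commit message quotes only a create denial on var_lock_t with permissive=0, so it is worth stating in the message whether the full manage set on lnk_file was confirmed as needed by run-crons or whether create plus removal would be enough.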