2018-06-14 13:01:58

by Russell Coker

[permalink] [raw]
Subject: [refpolicy] cron_system_entry(gpg_t, gpg_exec_t)

cron_system_entry(gpg_t, gpg_exec_t)

Why do we have this?

gpg is run by cron jobs that write to /var/log, so if we use gpg_t for gpg
when it's run from those cron jobs we need to allow it access to var_log_t
which means that user_t can use gpg to access var_log_t.

What benefit do we get from a domain transition when running gpg from a system
cron job?

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/


2018-06-16 11:46:15

by Chris PeBenito

[permalink] [raw]
Subject: [refpolicy] cron_system_entry(gpg_t, gpg_exec_t)

On 06/14/2018 09:01 AM, Russell Coker via refpolicy wrote:
> cron_system_entry(gpg_t, gpg_exec_t)
>
> Why do we have this?
>
> gpg is run by cron jobs that write to /var/log, so if we use gpg_t for gpg
> when it's run from those cron jobs we need to allow it access to var_log_t
> which means that user_t can use gpg to access var_log_t.
>
> What benefit do we get from a domain transition when running gpg from a system
> cron job?

It was added back in 2009 from the Fedora policy. I can see dropping
it, if there are no arguments to keep it.

--
Chris PeBenito

2018-06-16 11:53:52

by Dominick Grift

[permalink] [raw]
Subject: [refpolicy] cron_system_entry(gpg_t, gpg_exec_t)

On Thu, Jun 14, 2018 at 11:01:58PM +1000, Russell Coker via refpolicy wrote:
> cron_system_entry(gpg_t, gpg_exec_t)
>
> Why do we have this?

My bad. Got it from Fedora probably. Was a bad idea and not something I would do today.

Remove it please.

>
> gpg is run by cron jobs that write to /var/log, so if we use gpg_t for gpg
> when it's run from those cron jobs we need to allow it access to var_log_t
> which means that user_t can use gpg to access var_log_t.
>
> What benefit do we get from a domain transition when running gpg from a system
> cron job?
>
> --
> My Main Blog http://etbe.coker.com.au/
> My Documents Blog http://doc.coker.com.au/
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20180616/8cab9c04/attachment.bin