[refpolicy] CentOS 5.4 nfs home directories + cron

Stephen Smalley sds at tycho.nsa.gov
Mon Jan 4 14:34:44 CST 2010


On Mon, 2009-12-21 at 15:11 +0000, Tom Boland wrote:
> Hi there,
> 
> I've been battling with this, but don't seem to have much luck.  I've 
> added a default file context for the crontabs in /var/spool/crontab, but 
> this doesn't seem to be honoured.  I've also added rules to allow 
> crontab to transition to the user_t type, but it's not choosing to do 
> so.  I also get permission denied when attempting to set the context 
> with the -s option to crontab.   I'm really confused about this.  Here 
> are my rules so far.

Any errors in /var/log/cron?
Any AVC messages in /var/log/audit/audit.log or /var/log/messages?

> ================================================================
> 
> module cronusertr 1.0;
> 
> require {
>     type crond_t;
>     type user_crontab_t;
>     type nfs_t;
>     type user_t;
>     class file { getattr read write execute unlink create lock 
> relabelfrom relabelto rename entrypoint };
>     class dir { add_name remove_name reparent search rmdir };
>     class process { transition };
> };
> 
> allow crond_t nfs_t:file {getattr read write execute unlink create lock 
> relabelfrom relabelto rename entrypoint };
> allow crond_t nfs_t:dir { add_name remove_name reparent search rmdir };
> allow crond_t user_t:file { getattr read write execute unlink create 
> lock relabelfrom relabelto rename entrypoint };

The above rule should be unnecessary - no files (other than /proc/pid
entries for a process that is running in user_t) should be labeled with
user_t.

> allow crond_t user_t:process { transition };
> allow user_crontab_t user_t:file { getattr read write unlink create lock 
> rename entrypoint };

Likewise.

> allow user_crontab_t user_t:process { transition };

This shouldn't be needed either.

> 
> ================================================================
> 
> Could someone please let me know if I'm on completely the wrong track?  
> I think I must be, as I'm getting absolutely nowhere seemingly.

Let's review:
crond_t is transitioning to user_crond_t under the CentOS 5.4 strict
policy but you want it to transition to user_t.  Yes?

So you need to allow the transition on the type pair, which you seem to
have done, and you need to update your default_contexts entry for crond,
which you seem to have done.  But you also likely need to amend the
policy/constraints file in the strict policy.  I'd have to see your
current one - look at your selinux-policy .src.rpm.

-- 
Stephen Smalley
National Security Agency
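Added here as an illustration of the first question in the reply (checking audit.log for AVC denials), and not part of the original thread: a small Python script that parses AVC records and summarizes, per source type / target type / object class, which permissions crond_t or user_t were denied. The audit lines embedded below are constructed samples shaped like the domains and types in the posted module, not real log output from the poster's system.

```python
import re

# Constructed sample audit records (not from the thread). The first two mirror
# what a missing crond_t -> user_t transition rule and a missing nfs_t read
# rule would look like; the SYSCALL line shows that non-AVC records are ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1262615684.123:45): avc:  denied  { transition } for  pid=4242 comm="crond" path="/bin/bash" dev=dm-0 ino=1234 scontext=system_u:system_r:crond_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=process
type=AVC msg=audit(1262615690.456:46): avc:  denied  { read } for  pid=4243 comm="crond" name="tom" dev=0:15 ino=99 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1262615700.789:47): avc:  denied  { entrypoint } for  pid=4244 comm="crond" path="/bin/bash" dev=dm-0 ino=1234 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1262615700.789:47): arch=c000003e syscall=59 success=no exit=-13
"""

# Matches the fields of an AVC record that matter for writing or checking allow rules.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(ctx):
    """Return the type component (user:role:type[:range]) of a security context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) > 2 else ctx

def parse_avc(log_text):
    """Parse every AVC record in log_text into a dict of its relevant fields."""
    records = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH and other record types are skipped
        records.append({
            'result': m.group('result'),
            'perms': m.group('perms').split(),
            'stype': context_type(m.group('scontext')),
            'ttype': context_type(m.group('tcontext')),
            'tclass': m.group('tclass'),
        })
    return records

def cron_denials(log_text, domains=('crond_t', 'user_t')):
    """Denied permissions grouped by (source type, target type, class) for the given source domains."""
    summary = {}
    for rec in parse_avc(log_text):
        if rec['result'] != 'denied' or rec['stype'] not in domains:
            continue
        key = (rec['stype'], rec['ttype'], rec['tclass'])
        summary.setdefault(key, set()).update(rec['perms'])
    return summary

if __name__ == '__main__':
    for (s, t, c), perms in sorted(cron_denials(SAMPLE_AUDIT_LOG).items()):
        print(f"{s} -> {t} ({c}): denied {{ {' '.join(sorted(perms))} }}")
```

Each printed line corresponds to one type pair and class that still lacks an allow rule, which is the information the reply asks for before deciding whether the constraints file also needs changing.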


