[refpolicy] [PATCH 1/1] Cronjobs might create temporary directories

Dominick Grift dominick.grift at gmail.com
Wed Sep 21 15:25:11 CDT 2011


On Wed, 2011-09-21 at 21:23 +0200, Sven Vermeulen wrote:
> Cronjobs, like makewhatis, want to create temporary directories
> (and not only just temporary files).

system_cronjob_t is an unconfined_domain(), did you disable or de-install
the unconfined module?

Although allowing this for system_cronjob_t makes sense to me, it does
make me wonder whether it's better to just make the makewhatis and other
known scripts cron_system_entry() instead.

Some of these scripts need a lot of specific access (for example
prelink), extending the system-cronjob domain to just allow all that
makes it a very permissive domain. Oh wait, it is an unconfined domain
already ;)

But in any case allowing generic system jobs to manage temporary system
job content makes sense to me.

> We allow a filetrans in tmp_t for directories as well, and allow
> system_cronjob_t to manage files and directories of
> system_cronjob_tmp_t.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>
> ---
>  cron.te |    6 ++++--
>  1 files changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/cron.te b/cron.te
> index f22d27c..07e2697 100644
> --- a/cron.te
> +++ b/cron.te
> @@ -334,11 +334,13 @@ allow system_cronjob_t crond_t:process sigchld;
>  allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
>  files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file)
>  
> -# write temporary files
> +# write temporary files/directories
>  manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
> +manage_files_pattern(system_cronjob_t, system_cronjob_tmp_t, system_cronjob_tmp_t)
> +manage_dirs_pattern(system_cronjob_t, system_cronjob_tmp_t, system_cronjob_tmp_t)
>  manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
>  filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
> -files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
> +files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir })
>  
>  # Read from /var/spool/cron.
>  allow system_cronjob_t cron_spool_t:dir list_dir_perms;
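
Review bot: the two added patterns on system_cronjob_tmp_t cover only files and directories, while the existing crond_tmp_t rules in the same block also handle lnk_file. A job that creates a symlink inside one of its new temporary directories would not be covered by what is visible here, so consider adding "manage_lnk_files_pattern(system_cronjob_t, system_cronjob_tmp_t, system_cronjob_tmp_t)" next to the new lines. Likewise, files_tmp_filetrans now takes { file dir } but the filetrans_pattern on crond_tmp_t still lists { file lnk_file }, so a directory created under a crond_tmp_t directory gets no transition to system_cronjob_tmp_t; either add dir there too or say in the comment that the asymmetry is intended.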
