[refpolicy] [PATCH 1/1] Cronjobs might create temporary directories

Sven Vermeulen sven.vermeulen at siphos.be
Thu Sep 22 01:04:05 CDT 2011


On Wed, Sep 21, 2011 at 10:25:11PM +0200, Dominick Grift wrote:
> On Wed, 2011-09-21 at 21:23 +0200, Sven Vermeulen wrote:
> > Cronjobs, like makewhatis, want to create temporary directories
> > (and not only just temporary files).
> 
> system_cronjob_t is an unconfined_domain(), did you disable or de-install
> the unconfined module?

Yup, in Gentoo we support "strict" (i.e. without the unconfined domain) for
servers and hope that this moves to workstations as well.

> Although allowing this for system_cronjob_t makes sense to me, it does
> make me wonder whether it's better to just make the makewhatis and other
> known scripts cron_system_entry() instead.

In that case, makewhatis would require its own domain, and perhaps all other
scripts that want to create a temporary directory. I think that might give
too much overhead, although I do feel this is necessary in case of your next
paragraph:

> Some of these scripts need a lot of specific access (for example
> prelink), extending the system-cronjob domain to just allow all that
> makes it a very permissive domain. Oh wait, it is an unconfined domain
> already ;)

Indeed. It's about finding a good balance between manageability and security
I guess.

Wkr,
	Sven Vermeulen
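
The two approaches weighed in this message, sketched as reference policy source for the temporary-directory access only. This is an added illustration, not the patch from this thread and not refpolicy's own code. It assumes the cron module's existing system_cronjob_tmp_t type, and the makewhatis_t, makewhatis_exec_t and makewhatis_tmp_t names are hypothetical.

```selinux
# Added illustration: two separate policy source files shown in one block.

########################################
# Option A: extend system_cronjob_t (in cron.te).
# Every system cron job may then create directories as well as files
# in /tmp, labelled with the cron job temporary type.
# Assumption: system_cronjob_tmp_t is already declared by the cron module.
manage_dirs_pattern(system_cronjob_t, system_cronjob_tmp_t, system_cronjob_tmp_t)
manage_files_pattern(system_cronjob_t, system_cronjob_tmp_t, system_cronjob_tmp_t)
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir })

########################################
# Option B: a dedicated domain (hypothetical makewhatis.te).
# Only this one script gets the access, at the cost of a new module
# per script that needs it.
policy_module(makewhatis, 1.0.0)

# Hypothetical domain and entry point types for the script.
type makewhatis_t;
type makewhatis_exec_t;
application_domain(makewhatis_t, makewhatis_exec_t)

# Hypothetical private type for what the script creates in /tmp.
type makewhatis_tmp_t;
files_tmp_file(makewhatis_tmp_t)

# Transition from the system cron job domain into makewhatis_t when it
# executes a file labelled makewhatis_exec_t.
cron_system_entry(makewhatis_t, makewhatis_exec_t)

# Temporary files and directories, confined to the script's own type.
manage_dirs_pattern(makewhatis_t, makewhatis_tmp_t, makewhatis_tmp_t)
manage_files_pattern(makewhatis_t, makewhatis_tmp_t, makewhatis_tmp_t)
files_tmp_filetrans(makewhatis_t, makewhatis_tmp_t, { file dir })

# The remaining access the script needs (and a file context entry that
# labels the script as makewhatis_exec_t) is not shown here; writing and
# maintaining it is the overhead discussed above.
```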

