[refpolicy] [PATCH 1/1] Cronjobs might create temporary directories

Dominick Grift dominick.grift at gmail.com
Thu Sep 22 02:54:25 CDT 2011


On Thu, 2011-09-22 at 08:04 +0200, Sven Vermeulen wrote:
> On Wed, Sep 21, 2011 at 10:25:11PM +0200, Dominick Grift wrote:
> > On Wed, 2011-09-21 at 21:23 +0200, Sven Vermeulen wrote:
> > > Cronjobs, like makewhatis, want to create temporary directories
> > > (and not only just temporary files).
> > 
> > system_cronjob_t is a unconfined_domain(), did you disable or de-install
> > the unconfined module?
> 
> Yup, in Gentoo we support "strict" (i.e. without the unconfined domain) for
> servers and hope that this moves to workstations as well.
> 
> > Although allowing this for system_cronjob_t makes sense to me, it does
> > make me wonder whether its better to just make the makewhatis and other
> > known scripts cron_system_entry() instead.
> 
> In that case, makewhatis would require its own domain, and perhaps all other
> scripts that want to create a temporary directory. I think that might give
> too much overhead, although I do feel this is necessary in case of your next
> paragraph:
> 
> > Some of these scripts need a lot of specific access (for example
> > prelink), extending the system-cronjob domain to just allow all that
> > makes it a very permissive domain. Oh wait, it is a unconfined domain
> > already ;)
> 
> Indeed. It's about finding a good balance between manageability and security
> I guess.

I kind of compare the system_gronjob_t to httpd_sys_script_t in a few
ways. A thing to consider with regard to these generic domains is the
fact that various processes may run in it, thus share resources (types).
So in theory things can escalate inside these generic domains.

In the case of httpd, we use the apache_content_template where that
makes sense. My opinion is that we should do the same for
system_cronjob_t versus cron_system_entry.

Although that is just my view, and looking at the current cron policy i
can see that this concept is currently not applied there.

In Fedora for example, we have prelink running  in a prelink cron script
domain using the cron_system_entry but in refpolicy that same prelink
cron script runs in the system_cronjob_t domain (i can see that from the
various calls in cron.te)

In my view system_cronjob_t should be just a fall back, just like the
httpd_sys_script_t domain in my view is kind of a faill back for httpd
cgi scripts.

> Wkr,
> 	Sven Vermeulen
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110922/a643d0e2/attachment.bin 


More information about the refpolicy mailing list