[refpolicy] [PATCH 1/1] Cronjobs might create temporary directories

Sven Vermeulen sven.vermeulen at siphos.be
Thu Sep 22 13:42:51 CDT 2011


On Thu, Sep 22, 2011 at 09:54:25AM +0200, Dominick Grift wrote:
> I kind of compare the system_gronjob_t to httpd_sys_script_t in a few
> ways. A thing to consider with regard to these generic domains is the
> fact that various processes may run in it, thus share resources (types).
> So in theory things can escalate inside these generic domains.
> 
> In the case of httpd, we use the apache_content_template where that
> makes sense. My opinion is that we should do the same for
> system_cronjob_t versus cron_system_entry.

Looking at the privileges that I would need to grant that are specific to
cron, I do not find many to put in such template mechanism for now (unlike
for apache, where the definition is used to differentiate between
readable/read-writeable files, scriptable types (for things like PHP), and
access to common HTTPd types...

If the system_cronjob_t domain is seen more like a "jump board" towards the
application specific domains, I don't mind creating a makewhatis policy
module and work from there onwards.

> Although that is just my view, and looking at the current cron policy i
> can see that this concept is currently not applied there.
> 
> In Fedora for example, we have prelink running  in a prelink cron script
> domain using the cron_system_entry but in refpolicy that same prelink
> cron script runs in the system_cronjob_t domain (i can see that from the
> various calls in cron.te

It looks like fedora supports both, as I find cron_system_entry() usage for
both prelink_t and prelink_cron_system_t.

Wkr,
	Sven Vermeulen


More information about the refpolicy mailing list