[refpolicy] [PATCH 1/1] Cronjobs might create temporary directories

Christopher J. PeBenito cpebenito at tresys.com
Tue Sep 27 07:49:10 CDT 2011


On 09/23/11 16:26, Dominick Grift wrote:
> On Fri, 2011-09-23 at 21:11 +0200, Sven Vermeulen wrote:
>> On Thu, Sep 22, 2011 at 08:42:51PM +0200, Sven Vermeulen wrote:
>>> If the system_cronjob_t domain is seen more like a "jump board" towards the
>>> application specific domains, I don't mind creating a makewhatis policy
>>> module and work from there onwards.
>>
>> Giving the fact that the policy will probably read and write man_t together
>> with the usual suspects (_exec, _domtrans), is it okay to suggest a patch for
>> the miscfiles module? Or would you rather see an independent module?
>>
>> I don't think I need to offer a _run or _role interface, since transitioning
>> from sysadm_t wouldn't be necessary. Or is it better to do that anyway?
> 
> I wonder what PeBenito thinks about this.
> 
> I wouldnt mind adding this to miscfiles, but i wouldnt add any unused
> interfaces. If it turns out they are needed they can always be added
> later.

I would tend to agree that we want to get privileges out of system_cronjob_t by transitioning to other domains.  But the domain already has sufficient perms to run makewhatis (save for this new tmp patch).  All that we could likely gain by making a new makewhatis domain would be to drop the man page access from system_cronjob_t.  If is demonstrated that we could have real gains from having a makewhatis domain, I'd have to see what the policy looks like to determine if it would be ok in miscfiles.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


More information about the refpolicy mailing list