On Thursday, August 28, 2014 08:24:32 Jonathan Billings wrote:
> On Thu, Aug 28, 2014 at 07:05:49AM -0500, Bill Gee wrote:
> > Another curious thing is that it all works perfectly when I "run-parts
> > /etc/cron.daily" from a root login. Why should SELinux regard that as
> > different from when it is run by cron???
>
> Cron runs processes in a different SELinux domain (crond_t I think?)
> than processes started by the root user, so this is entirely expected
> behavior.
But that means that SELinux contexts are NOT stable ... They are NOT the same
for all instances of a process. It seems to me that defeats the whole purpose
of SELinux.
How does the SELinux inheritance work? How is it related to the user context
under which a process runs? As I look at it, I see this chain ...
== Cron run under the crond_t context and chrony user account. It calls
logwatch.
==== Logwatch runs under the logwatch_t context and user account of the
caller. It calls various binaries such as uptime and hddtemp and virsh.
====== Uptime is bin_t. hddtemp is bin_t. virsh is virsh_exec_t. They all
run under the user account of the caller.
If I run-parts from a root login, then the cron service is not involved. The
processes all run in the root user account. That does not change their
SELinux types, but it sure changes what they can do!
I know this issue is in SELinux somewhere because if I set the system to
permissive, then it all works.
Bill Gee
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
