On Thu, 2004-07-08 at 14:40, Daniel J Walsh wrote: > We might want to add a tunable to allow system_crond_t to exec > setfiles_t. You can modify the > /etc/selinux/config file and add > CRONTYPE="restore" > CRONMAILTO="dwalsh@xxxxxxxxxx" > > Which would cause setfiles to restore the security contexts when > fixfiles.cron runs. and send mail to the specified user. Patch below (replaces patch sent earlier for running setfiles without changing domains just to check contexts). Index: policy/domains/program/crond.te =================================================================== RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/crond.te,v retrieving revision 1.23 diff -u -r1.23 crond.te --- policy/domains/program/crond.te 16 Jun 2004 17:07:45 -0000 1.23 +++ policy/domains/program/crond.te 8 Jul 2004 18:56:41 -0000 @@ -194,3 +194,10 @@ dontaudit userdomain system_crond_t:fd { use }; r_dir_file(crond_t, selinux_config_t) + +ifdef(`cron_can_relabel', ` +domain_auto_trans(system_crond_t, setfiles_exec_t, setfiles_t) +', ` +r_dir_file(system_crond_t, file_context_t) +can_getsecurity(system_crond_t) +') Index: policy/tunables/tunable.te =================================================================== RCS file: /nfshome/pal/CVS/selinux-usr/policy/tunables/tunable.te,v retrieving revision 1.4 diff -u -r1.4 tunable.te --- policy/tunables/tunable.te 17 Jun 2004 16:59:30 -0000 1.4 +++ policy/tunables/tunable.te 8 Jul 2004 18:56:09 -0000 @@ -100,3 +100,5 @@ # Allow user to rw usb devices dnl define(`user_rw_usb') +# Allow system cron job to relabel filesystem for restoring file contexts. +dnl define(`cron_can_relabel') -- Stephen Smalley <sds@xxxxxxxxxxxxxx> National Security Agency
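Review bot: In the crond.te hunk, the `domain_auto_trans(system_crond_t, setfiles_exec_t, setfiles_t)` branch applies to anything running in system_crond_t that executes a setfiles_exec_t binary, not only fixfiles.cron, so enabling `cron_can_relabel` hands every system cron job the full setfiles_t relabeling capability; the policy should say so next to the ifdef, and note that nothing in policy ties the transition to the `CRONTYPE="restore"` setting in /etc/selinux/config described above. The else branch (`r_dir_file(system_crond_t, file_context_t)` plus `can_getsecurity(system_crond_t)`) is the safer default since it only lets the check run in the cron domain; it would help to state in a comment that this is the check-only mode and that the relabel mode is opt-in.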
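Review bot: In the tunable.te hunk, the new comment `# Allow system cron job to relabel filesystem for restoring file contexts.` should spell out the impact of turning it on (system_crond_t transitions to setfiles_t and can relabel the entire filesystem) and that it is off by default because the `define` stays behind `dnl`, matching the style of the preceding `user_rw_usb` entry; a pointer to the `CRONTYPE="restore"` setting in /etc/selinux/config that this tunable is meant to support would also help whoever enables it.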