Re: Testing cron script

On Tue, 2004-08-17 at 11:29 -0700, Bill McCarty wrote:
> Hi all,
> 
> How do folks like to test system Cron scripts, which run in the context 
> system_u:system_r:system_crond_t? The system administrator can't simply 
> invoke them using runcon:
> 
> runcon system_u:system_r:system_crond_t /etc/cron.hourly/test.cron
> 
> because the usual policies don't permit transitions from sysadm_t to 
> system_crond_t.

Right.  

> And, modifying the policy to permit such a transition seems to entail 
> authorizing too many permissions, at least for my taste.

The following would probably be sufficient as a hack:

role sysadm_r types system_crond_t;
domain_trans(sysadm_t, bin_t, system_crond_t)

Then invoke runcon like this:

runcon system_u:system_r:system_crond_t /bin/sh /etc/cron.daily/prelink

(We use /bin/sh because etc_t cannot be an entrypoint)

> What am I missing?

Nothing - I think that the major goal of the strict policy is to deny
any interactions on the system that aren't part of "normal" operation.
So normally, the system administrator wouldn't be debugging cron
scripts.  

However, now that we have the boolean support, I think it would be nice
to have a "debug" boolean or the like.  This would enable things like
the system administrator running cron scripts directly.  To do this
correctly, I think we would need to have runcon labeled specially,
similar to newrole, so it can be a specific entrypoint for the cron
types, instead of just using bin_t above.



