Re: Right context for /var/spool/cron/crontabs/root

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/18/2011 11:51 AM, Dominick Grift wrote:
> On 01/18/2011 05:46 PM, Luciano Furtado wrote:
>> Hi group,
> 
>> Why is the context of the crontab spool directory set to <<none>>
>> in /etc/selinux/default/contexts/files/file_contexts?
> 
> I suspect that may be related to some historical issues. Maybe we used
> to prefix the cron spool files with a role prefix, and since all users'
> crontabs would go in the same directory there would be no way to tell
> the system what the file context should be reset to.
> 
> I think currently these files should all be labelled user_cron_spool_t.
> 
>> /var/spool/cron/crontabs/.*     --      <<none>>
> 
>> I am getting the following avc messages:
> 
> Not sure how these files got the file_t type. Can you reproduce that?
> 
> 
>> [   17.600000] type=1400 audit(1295191072.769:6): avc:  denied  { read }
>> for  pid=1847 comm="cron" name="root" dev=xvda ino=106585
>> scontext=system_u:system_r:crond_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:file_t:s0 tclass=file
>> [   17.600000] type=1400 audit(1295191072.769:7): avc:  denied  {
>> getattr } for  pid=1847 comm="cron" path="/var/spool/cron/crontabs/root"
>> dev=xvda ino=106585 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:file_t:s0 tclass=file
> 
> 
>> Is cron_spool_t the right context for this file?
> 
> 
> 
>> Best Regards.
>> Luciano
> 


Well, the cron files can also have levels and you do not want a cron file
set at SystemHigh to run at SystemLow because someone ran a restorecon on
the directory.

I would label it user_cron_spool_t.
- --
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk016mUACgkQrlYvE4MpobPa/QCg0L8fOtgLRhQY0cGiJwvVorTi
1EMAoLUQcN8Rq90DZWOeId6eCXsoiHrK
=L3cM
-----END PGP SIGNATURE-----
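An added example, written for this archive page and not code from the thread or from the selinux project: a small POSIX sh script that parses AVC denials of the kind quoted above, reports every denial whose target type is not the type the reply recommends (user_cron_spool_t), and, on a live system, compares a path's on-disk label with what the loaded policy expects. The two audit records embedded below are the ones from the thread, included as constructed sample input so the parsing part runs offline; the function and variable names are this example's own.

```shell
#!/bin/sh
# Constructed sample input: the two AVC records quoted in the thread, embedded
# here so the parsing functions can be exercised without an audit log.
AVC_SAMPLE='type=1400 audit(1295191072.769:6): avc:  denied  { read } for  pid=1847 comm="cron" name="root" dev=xvda ino=106585 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file
type=1400 audit(1295191072.769:7): avc:  denied  { getattr } for  pid=1847 comm="cron" path="/var/spool/cron/crontabs/root" dev=xvda ino=106585 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file'

# avc_field RECORD KEY: print the value of KEY=... from one AVC record,
# with surrounding quotes removed (prints nothing if the key is absent).
# The leading whitespace in the pattern keeps "tcontext" from matching
# inside "scontext".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perms RECORD: the permissions inside "{ ... }", e.g. "read".
avc_perms() {
    printf '%s\n' "$1" | sed 's/.*{ *//; s/ *}.*//'
}

# ctx_type CONTEXT: the type field of user:role:type[:range].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# report_mislabels EXPECTED_TYPE: read AVC records on stdin and print one line
# for each denial whose target type differs from EXPECTED_TYPE. Records that
# are not "avc: denied" lines are skipped.
report_mislabels() {
    expected=$1
    while IFS= read -r rec; do
        case $rec in *"avc:  denied"*) ;; *) continue ;; esac
        ttype=$(ctx_type "$(avc_field "$rec" tcontext)")
        [ "$ttype" = "$expected" ] && continue
        target=$(avc_field "$rec" path)
        [ -n "$target" ] || target=$(avc_field "$rec" name)
        printf '%s denied %s on %s (%s): type is %s, expected %s\n' \
            "$(avc_field "$rec" comm)" "$(avc_perms "$rec")" "$target" \
            "$(avc_field "$rec" tclass)" "$ttype" "$expected"
    done
}

# check_live_label PATH: compare the label on disk with the policy default.
# Needs GNU stat (%C prints the SELinux context) and matchpathcon from
# libselinux. It only reports; it does not relabel, because a blanket
# restorecon would also reset any MLS level carried by the file, which is
# the concern raised in the reply above.
check_live_label() {
    actual=$(stat -c %C "$1") || return 2
    expected=$(matchpathcon -n "$1") || return 2
    if [ "$actual" = "$expected" ]; then
        printf '%s: %s (matches policy)\n' "$1" "$actual"
        return 0
    fi
    printf '%s: on disk %s, policy expects %s\n' "$1" "$actual" "$expected"
    return 1
}

# Usage: run with --live to check the real spool file on an SELinux host;
# with no argument the embedded sample records are analysed instead.
if [ "${1-}" = "--live" ]; then
    check_live_label /var/spool/cron/crontabs/root
else
    printf '%s\n' "$AVC_SAMPLE" | report_mislabels user_cron_spool_t
fi
```

On the sample input both records are reported, since their tcontext type is file_t rather than user_cron_spool_t. On a policy whose file_contexts entry for the spool files is <<none>>, as in the file_contexts line quoted in the thread, matchpathcon reports <<none>> for those paths and restorecon leaves them untouched, so a file that ended up as file_t stays that way until it is relabelled explicitly.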