-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/13/2012 10:29 AM, Moray Henderson wrote:
>> From: Moray Henderson [mailto:Moray.Henderson@xxxxxxxxxxxxxxxx]
>> Sent: 13 February 2012 13:05
>>
>> Can someone explain why the logwatch process run by crond
>> transitions to unconfined_t, while the same process run by
>> anacron remains in logwatch_t:s0-s0:c0.c1023?
>
> Does this answer my own question?
>
> [root@centos services]# ldd /usr/sbin/crond
>         linux-gate.so.1 =>  (0x00550000)
>         libselinux.so.1 => /lib/libselinux.so.1 (0x00671000)
>         libpam.so.0 => /lib/libpam.so.0 (0x001c8000)
>         libpam_misc.so.0 => /lib/libpam_misc.so.0 (0x00803000)
>         libaudit.so.0 => /lib/libaudit.so.0 (0x00a2e000)
>         libc.so.6 => /lib/libc.so.6 (0x0031c000)
>         libdl.so.2 => /lib/libdl.so.2 (0x00110000)
>         libsepol.so.1 => /lib/libsepol.so.1 (0x00bb0000)
>         /lib/ld-linux.so.2 (0x00eef000)
> [root@centos services]# ldd /usr/sbin/anacron
>         linux-gate.so.1 =>  (0x005d3000)
>         libc.so.6 => /lib/libc.so.6 (0x0014d000)
>         /lib/ld-linux.so.2 (0x00129000)
>
> Am I right that crond can do type transitions because it was
> written with libselinux.so in mind, while anacron can't because it
> wasn't? Although somehow my ps process did manage to get to
> logwatch_t.
>
> Am I right that that was a bug? Looks like it's been fixed in
> CentOS 6. Unfortunately I'm stuck on 5 for this project. I'll have
> to come up with a workaround.
>
> Moray.
> "To err is human; to purr, feline."
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

There are two ways to do transitions. One can be written in policy: processes running as a_t executing files labeled as b_exec_t will transition to c_t. Or applications can have SELinux awareness built into them, as cron does. Cron is just using SELinux awareness for user jobs, I believe.

When a user creates a cron job, the cron job gets labeled with the level and user type of the user that created the job. Then, when cron runs the job, it looks up the label and asks the kernel: "If I have a file labeled X, which context should I run it as?" The kernel responds with Y, and cron will attempt to run the job as Y. Since anacron does not have SELinux awareness in it, it cannot do the second, only the first.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk85O3IACgkQrlYvE4MpobMKXwCcC81+cyYzkXUKp5T3o2a29eoP
fIsAnAyqINZFQYrhyWHIbSIGAVN+FGkC
=Ppc6
-----END PGP SIGNATURE-----
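The reply above distinguishes two transition mechanisms: one the kernel applies from a `type_transition` rule on exec() with no help from the application, and one where an SELinux-aware daemon like cron reads the label of the job it is about to run and asks the kernel what context to run it in. The following is an added example for this thread, not code from cron, anacron, libselinux or the SELinux kernel: a small Python model of both paths, with a parser for `type_transition` rules and a `compute_create` lookup that mirrors the kernel's "which context does the new object get" decision. Every rule, type name (`a_t`, `b_exec_t`, `c_t`, `cron_daemon_t`, `user_job_t`, `user_job_domain_t`) and context in it is constructed for illustration, and the assumption that a user job inherits the job file's user and level is the model's, following the reply's description, not a statement about a real policy module.

```python
"""Simplified model of the two ways a process changes SELinux domain.

Added example; not code from cron, anacron, libselinux or the kernel.
All rules and labels are constructed. It models what the reply describes:

1. Policy-driven: a `type_transition` rule keyed on (source domain,
   executable's type, class) that the kernel applies on exec() with no
   SELinux code in the application (the anacron case).
2. Application-driven: an SELinux-aware daemon reads the label of the job
   it is about to run, asks the kernel which context that job should run
   in, and requests that context for the child (the cron user-job case;
   the real API is libselinux's security_compute_create()/setexeccon(),
   which are not called here).
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Context:
    """A security context user:role:type:level (MLS range kept as a string)."""
    user: str
    role: str
    type: str
    level: str = "s0"

    @classmethod
    def parse(cls, text: str) -> "Context":
        # maxsplit=3 keeps an MLS range such as s0-s0:c0.c1023 intact
        user, role, typ, level = text.split(":", 3)
        return cls(user, role, typ, level)

    def __str__(self) -> str:
        return f"{self.user}:{self.role}:{self.type}:{self.level}"


# Shape of a rule: `type_transition <source> <target> : <class> <result>;`
RULE_RE = re.compile(
    r"^type_transition\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\w+)\s*;$")

TransitionTable = Dict[Tuple[str, str, str], str]


def parse_policy(text: str) -> TransitionTable:
    """Parse type_transition rules into a (source, target, class) -> type table."""
    rules: TransitionTable = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = RULE_RE.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: unsupported statement: {raw!r}")
        source, target, tclass, result = match.groups()
        key = (source, target, tclass)
        if key in rules and rules[key] != result:
            raise ValueError(f"line {lineno}: conflicting rule for {key}")
        rules[key] = result
    return rules


def compute_create(rules: TransitionTable, source: Context,
                   target: Context, tclass: str) -> Context:
    """Model of the kernel's answer to 'what label does a new object of
    class tclass get when `source` creates it from `target`?'.

    With a matching type_transition the new type is the rule's result;
    without one it defaults to the source type, i.e. the process stays in
    its own domain. User, role and level are inherited from the source
    (real policy can also transition roles; ignored in this model).
    """
    new_type = rules.get((source.type, target.type, tclass), source.type)
    return Context(source.user, source.role, new_type, source.level)


def exec_without_awareness(rules: TransitionTable, proc: Context,
                           exe: Context) -> Context:
    """Non-aware daemon: the only transition available is the one the
    kernel applies on exec(), keyed on the executable's type."""
    return compute_create(rules, proc, exe, "process")


def exec_with_awareness(rules: TransitionTable, daemon: Context,
                        job_file: Context) -> Optional[Context]:
    """SELinux-aware daemon: look up the job file's label, ask the kernel
    what to run the job as, and request that context for the child.
    Modelling assumption: the job's user and level come from the job file,
    since the reply says the file carries its creator's level and user
    type. Returns None when no rule exists, so the caller can see that it
    would have to fall back to its own domain."""
    key = (daemon.type, job_file.type, "process")
    if key not in rules:
        return None
    return Context(job_file.user, daemon.role, rules[key], job_file.level)


# Constructed policy fragment: the names follow the reply's a_t / b_exec_t /
# c_t wording plus a cron-like pair; they are not taken from a real module.
POLICY = """
type_transition a_t b_exec_t : process c_t;              # policy-driven path
type_transition cron_daemon_t user_job_t : process user_job_domain_t;
"""
RULES = parse_policy(POLICY)

if __name__ == "__main__":
    a = Context.parse("system_u:system_r:a_t:s0")
    print(exec_without_awareness(RULES, a, Context.parse("system_u:object_r:b_exec_t:s0")))
    print(exec_without_awareness(RULES, a, Context.parse("system_u:object_r:other_exec_t:s0")))
    cron = Context.parse("system_u:system_r:cron_daemon_t:s0-s0:c0.c1023")
    job = Context.parse("alice_u:object_r:user_job_t:s0-s0:c0.c1023")
    print(exec_with_awareness(RULES, cron, job))
```

Running the block prints the domain `a_t` lands in when it executes a `b_exec_t` file (`c_t`), the domain it keeps when no rule matches (`a_t`), and the context the aware daemon would request for the user job, carrying the job file's user and MLS range. The `None` return from `exec_with_awareness` is the place where a real aware daemon has to decide what to do when the kernel has no answer; the model leaves that decision to the caller rather than guessing what cron or anacron did on the poster's CentOS 5 system.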