Re: cron vs. anacron

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/13/2012 10:29 AM, Moray Henderson wrote:
>> From: Moray Henderson [mailto:Moray.Henderson@xxxxxxxxxxxxxxxx] 
>> Sent: 13 February 2012 13:05
>> 
>> Can someone explain why the logwatch process run by crond
>> transitions to unconfined_t, while the same process run by
>> anacron remains in logwatch_t:s0-s0:c0.c1023?
> 
> Does this answer my own question?
> 
> [root@centos services]# ldd /usr/sbin/crond
>         linux-gate.so.1 =>  (0x00550000)
>         libselinux.so.1 => /lib/libselinux.so.1 (0x00671000)
>         libpam.so.0 => /lib/libpam.so.0 (0x001c8000)
>         libpam_misc.so.0 => /lib/libpam_misc.so.0 (0x00803000)
>         libaudit.so.0 => /lib/libaudit.so.0 (0x00a2e000)
>         libc.so.6 => /lib/libc.so.6 (0x0031c000)
>         libdl.so.2 => /lib/libdl.so.2 (0x00110000)
>         libsepol.so.1 => /lib/libsepol.so.1 (0x00bb0000)
>         /lib/ld-linux.so.2 (0x00eef000)
> [root@centos services]# ldd /usr/sbin/anacron
>         linux-gate.so.1 =>  (0x005d3000)
>         libc.so.6 => /lib/libc.so.6 (0x0014d000)
>         /lib/ld-linux.so.2 (0x00129000)
> 
> Am I right that crond can do type transitions because it was
> written with libselinux.so in mind, while anacron can't because it
> wasn't?  Although somehow my ps process did manage to get to
> logwatch_t.
> 
> Am I right that that was a bug?  Looks like it's been fixed in
> CentOS 6. Unfortunately I'm stuck on 5 for this project.  I'll have
> to come up with a workaround.
> 
> 
> 
> Moray. "To err is human; to purr, feline."
> 
> 
> 
> 
> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx 
> https://admin.fedoraproject.org/mailman/listinfo/selinux


There are two ways to do transitions.  One can be written in policy.

Processes running as a_t executing files labeled as b_exec_t will
transition to c_t.

Or applications can have SELinux awareness built into them, as cron
does.  Cron is just using SELinux awareness for user jobs, I believe.

When a user creates a cron job, the cronjob gets labeled with the
level and user type of the user that created the job, then when cron
runs the job it looks up the label and asks the kernel:

If I have a file labeled X, which context should I run it as. The
kernel responds with Y and cron will attempt to run the job as Y.

Since anacron does not have SELinux awareness in it, it cannot do the
second object and only the first.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk85O3IACgkQrlYvE4MpobMKXwCcC81+cyYzkXUKp5T3o2a29eoP
fIsAnAyqINZFQYrhyWHIbSIGAVN+FGkC
=Ppc6
-----END PGP SIGNATURE-----
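The reply above distinguishes a transition written into policy (a `type_transition` rule from the caller's domain on the executable's file type) from one that an SELinux-aware program such as crond requests itself through libselinux. The script below is an added example written for this archive page, not code from the thread or from the cron or anacron projects. It covers the policy side and the defender's check that follows from the original question: `policy_transition` reads rules in the format `sesearch -T` prints and reports the domain a process in a given source domain would enter when executing a file of a given type (or `none` when no rule exists, so the process keeps its caller's domain, which is the anacron case described above), and `unconfined_cron_children` scans a `ps -eo label,ppid,pid,comm` listing for children of crond that ended up in `unconfined_t`. The rule lines and process listing embedded in the script are constructed sample data; the type `example_exec_t` is a placeholder, and whether a real policy carries a rule for `logwatch_exec_t` must be checked on the system in question.

```shell
#!/bin/sh
# Added example (not from the selinux list thread or from cron/anacron).
# Both helpers work on captured text so they can be tried offline; on a
# live host pipe in real `sesearch -T -s crond_t -c process` and
# `ps -eo label,ppid,pid,comm` output instead of the samples below.

# Constructed sample in `sesearch -T` output format (not a real policy dump).
RULES='type_transition crond_t logwatch_exec_t : process logwatch_t;
type_transition crond_t sendmail_exec_t : process system_mail_t;'

# Constructed sample in `ps -eo label,ppid,pid,comm` format (not a real host).
PS='LABEL PPID PID COMMAND
system_u:system_r:crond_t:s0-s0:c0.c1023 1 1234 crond
system_u:system_r:logwatch_t:s0-s0:c0.c1023 1234 2001 logwatch
unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 1234 2002 logwatch
system_u:system_r:unconfined_t:s0-s0:c0.c1023 1 2003 sshd'

# policy_transition RULES SOURCE_DOMAIN EXEC_TYPE
# Prints the target domain of the first matching process type_transition
# rule, or "none" when the policy has no rule (the job would stay in
# SOURCE_DOMAIN, which is what an SELinux-unaware caller gets).
policy_transition() {
    printf '%s\n' "$1" | awk -v src="$2" -v exe="$3" '
        $1 == "type_transition" && $2 == src && $3 == exe && $5 == "process" {
            sub(/;$/, "", $6)      # drop the trailing ";" from the target type
            print $6
            found = 1
            exit
        }
        END { if (!found) print "none" }'
}

# unconfined_cron_children PS_LISTING
# Prints "pid comm label" for every process whose parent is crond and whose
# security context carries the unconfined_t domain, i.e. a scheduled job
# that escaped confinement and deserves a look.
unconfined_cron_children() {
    printf '%s\n' "$1" | awk '
        $4 == "crond" { is_crond[$3] = 1 }   # remember crond PIDs (field 3)
        { line[NR] = $0 }
        END {
            for (i = 1; i <= NR; i++) {
                split(line[i], f, " ")
                # f[1]=label f[2]=ppid f[3]=pid f[4]=comm
                if ((f[2] in is_crond) && f[1] ~ /:unconfined_t:/)
                    print f[3], f[4], f[1]
            }
        }'
}

# Usage with the constructed samples:
printf 'crond_t -> logwatch_exec_t: %s\n' "$(policy_transition "$RULES" crond_t logwatch_exec_t)"
printf 'crond_t -> example_exec_t:  %s\n' "$(policy_transition "$RULES" crond_t example_exec_t)"
printf 'crond children in unconfined_t:\n%s\n' "$(unconfined_cron_children "$PS")"
```

The second mechanism in the reply (crond reading the crontab file's label and asking the kernel which context to run the job as) happens inside crond through libselinux calls and leaves no trace in `sesearch` output, which is why a process listing, not the policy, is the place to confirm what domain a job actually landed in.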


