> From: Daniel J Walsh [mailto:dwalsh@xxxxxxxxxx]
> Sent: 13 February 2012 16:34
>
> On 02/13/2012 10:29 AM, Moray Henderson wrote:
> >> From: Moray Henderson [mailto:Moray.Henderson@xxxxxxxxxxxxxxxx]
> >> Sent: 13 February 2012 13:05
> >>
> >> Can someone explain why the logwatch process run by crond
> >> transitions to unconfined_t, while the same process run by
> >> anacron remains in logwatch_t:s0-s0:c0.c1023?
> >
> > Does this answer my own question?
> >
> > [root@centos services]# ldd /usr/sbin/crond
> >         linux-gate.so.1 =>  (0x00550000)
> >         libselinux.so.1 => /lib/libselinux.so.1 (0x00671000)
> >         libpam.so.0 => /lib/libpam.so.0 (0x001c8000)
> >         libpam_misc.so.0 => /lib/libpam_misc.so.0 (0x00803000)
> >         libaudit.so.0 => /lib/libaudit.so.0 (0x00a2e000)
> >         libc.so.6 => /lib/libc.so.6 (0x0031c000)
> >         libdl.so.2 => /lib/libdl.so.2 (0x00110000)
> >         libsepol.so.1 => /lib/libsepol.so.1 (0x00bb0000)
> >         /lib/ld-linux.so.2 (0x00eef000)
> > [root@centos services]# ldd /usr/sbin/anacron
> >         linux-gate.so.1 =>  (0x005d3000)
> >         libc.so.6 => /lib/libc.so.6 (0x0014d000)
> >         /lib/ld-linux.so.2 (0x00129000)
> >
> > Am I right that crond can do type transitions because it was
> > written with libselinux.so in mind, while anacron can't because it
> > wasn't? Although somehow my ps process did manage to get to
> > logwatch_t.
> >
> > Am I right that that was a bug? Looks like it's been fixed in
> > CentOS 6. Unfortunately I'm stuck on 5 for this project. I'll have
> > to come up with a workaround.
> >
> >
> > Moray.
> > "To err is human; to purr, feline."
> >
> >
> > --
> > selinux mailing list
> > selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> There are two ways to do transitions. One can be written in policy.
>
> Processes running as a_t executing files labeled as b_exec_t will
> transition to c_t.
>
> Or applications can have SELinux awareness built into them, as cron
> does. Cron is just using SELinux awareness for user jobs, I believe.
>
> When a user creates a cron job, the cronjob gets labeled with the
> level and user type of the user that created the job, then when cron
> runs the job it looks up the label and asks the kernel:
>
> If I have a file labeled X, which context should I run it as. The
> kernel responds with Y and cron will attempt to run the job as Y.
>
> Since anacron does not have SELinux awareness in it, it cannot do the
> second option and only the first.

I see - so because /etc/crontab says that /etc/cron.daily jobs should be
run as root, cron gives the jobs root's normal context. On plain CentOS in
targeted mode, that's unconfined_t. Anacron just launches the logwatch
script, and because its file context is logwatch_exec_t the kernel
transitions its process to logwatch_t.

That all makes sense now. Thanks for the explanation.


Moray.
"To err is human; to purr, feline."
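The two mechanisms Dan describes, modelled in an added Python example that is not part of this thread or of cron's own code: the kernel either honours an exec context the caller asked for (what an SELinux-aware crond does via setexeccon(3) for the job owner's default context) or, absent such a request, applies a type_transition rule and otherwise leaves the process in its current domain. The policy tables, the entrypoint sets and the choice of crond_t as anacron's domain are all constructed assumptions for illustration, not the real CentOS 5 targeted policy.

```python
"""Model of how a process domain is chosen on execve under SELinux.

Two paths are modelled, matching the thread:
  1. policy-driven: a type_transition rule keyed on (caller domain, file type)
  2. application-driven: the caller requested an exec context (setexeccon(3));
     the kernel honours it only if the domain change is permitted and the
     executable's type is an entrypoint into the requested domain.
All policy data below is a constructed toy, not the real targeted policy.
"""

# Constructed toy policy: (caller domain, executable file type) -> new domain.
TYPE_TRANSITIONS = {
    ("crond_t", "logwatch_exec_t"): "logwatch_t",
    # No rule from unconfined_t, mirroring what the thread observed on CentOS 5.
}
# File types that may serve as the entry point into a domain (assumed).
ENTRYPOINTS = {
    "unconfined_t": {"shell_exec_t", "bin_t"},
    "logwatch_t": {"logwatch_exec_t"},
}
# Domain changes an exec-context request may perform (assumed).
ALLOWED_TRANSITIONS = {("crond_t", "unconfined_t")}


def split_context(ctx):
    """Split user:role:type:level; the MLS level itself may contain ':'."""
    user, role, typ, level = ctx.split(":", 3)
    return user, role, typ, level


def exec_domain(current_ctx, file_ctx, requested_ctx=None):
    """Return the context the new program image runs in after execve.

    requested_ctx models a setexeccon(3) request from an SELinux-aware caller.
    Without one, a matching type_transition rule decides; if none matches the
    process simply keeps its domain (the level and role are carried over).
    """
    user, role, cur, level = split_context(current_ctx)
    _, _, ftype, _ = split_context(file_ctx)
    if requested_ctx is not None:
        _, _, new, _ = split_context(requested_ctx)
        if new != cur and (cur, new) not in ALLOWED_TRANSITIONS:
            raise PermissionError(f"transition {cur} -> {new} not allowed")
        if ftype not in ENTRYPOINTS.get(new, set()):
            raise PermissionError(f"{ftype} is not an entrypoint for {new}")
        return requested_ctx
    new = TYPE_TRANSITIONS.get((cur, ftype))
    if new is None:
        return current_ctx
    return ":".join((user, role, new, level))


# Constructed sample contexts (levels copied from the thread's output).
CRON_DAEMON = "system_u:system_r:crond_t:s0-s0:c0.c1023"
ROOT_DEFAULT = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
SHELL = "system_u:object_r:shell_exec_t:s0"
LOGWATCH = "system_u:object_r:logwatch_exec_t:s0"


def crond_runs_daily_job():
    """SELinux-aware path: crond requests the job owner's (root's) default
    context when it execs the shell; the shell then runs the script and, with
    no rule for unconfined_t, stays in unconfined_t."""
    shell_ctx = exec_domain(CRON_DAEMON, SHELL, requested_ctx=ROOT_DEFAULT)
    return exec_domain(shell_ctx, LOGWATCH)


def anacron_runs_daily_job():
    """Policy-only path: anacron (assumed to run in crond_t here) execs the
    shell with no request and stays put; the script's file type then matches
    the type_transition rule and the job lands in logwatch_t."""
    shell_ctx = exec_domain(CRON_DAEMON, SHELL)
    return exec_domain(shell_ctx, LOGWATCH)


if __name__ == "__main__":
    print("crond   ->", crond_runs_daily_job())
    print("anacron ->", anacron_runs_daily_job())
```

The entrypoint check is what stops the application-driven path from being a free choice of domain: a request to run a logwatch_exec_t file directly as unconfined_t is refused in this model, so the shell must be the thing cron execs with the requested context, just as it is in practice.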