On 03/08/2016 03:40 AM, Douglas Brown wrote:
> Hi list,

Hi Doug,

>
> We have a client who wants a service account’s crontab to run a ruby
> script in /var/www; this isn’t permitted by default and I have no idea
> what this script does

which is important and it is a reason why we confine crontabs. We want to contain possible security issues in crontabs.

> but from past experience suspect it will generate
> an array of misleading AVCs if I go down the route of allowing crontab_t
> to read httpdcontent attribute (ie. httpd_sys_rw_content_t, etc.) files
> and directories. Could someone please explain the rationale behind the
> policy design for user crontab confinement and how I should handle this
> situation?

What is your OS? What AVC are you getting?

>
> Thanks,
> Doug
>
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
>

--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.