Stefan Schulze Frielinghaus wrote:
> On Mon, 2008-03-10 at 09:00 -0400, Daniel J Walsh wrote:
>> Stefan Schulze Frielinghaus wrote:
>>> In RHEL/CentOS 5.1 a cron job (/etc/cron.daily/prelink) runs prelink.
>>> The cron job itself removes a file (/etc/prelink.cache) if necessary and
>>> updates the database. This does not work with the strict SELinux policy.
>>>
>>> To solve this I patched the prelink application to
>>> use /var/cache/prelink/prelink.cache instead of /etc/prelink.cache.
>>> This would make it easier to write SELinux policies. But now my
>>> actual question is how to modify the cron job to work properly? All cron
>>> jobs on my system are labeled as bin_t. This would mean that
>>> system_crond_t needs write/create etc. permissions
>>> on /var/cache/prelink. That's not really nice and I would prefer to
>>> create a domain like cron_script_prelink_t for /etc/cron.daily/prelink
>>> which gets all the rights to manage /var/cache/prelink.
>>>
>>> What are your ideas to handle cron scripts properly?
>>>
>>> --
>>> This message was distributed to subscribers of the selinux mailing list.
>>> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
>>> the words "unsubscribe selinux" without quotes as the message.
>> Does labeling the directory cron_var_run_t make it work?
>>
>> Please open a bug report on prelink to put the cache file in this new
>> directory.
>
> The relabel did not solve the problem (AVCs are attached).
>
> #============= prelink_t ==============
> allow prelink_t crond_var_run_t:dir { remove_name add_name };
> allow prelink_t crond_var_run_t:file { write rename create setattr };
>
> #============= system_crond_t ==============
> allow system_crond_t crond_var_run_t:dir { write remove_name add_name };
> allow system_crond_t self:process setfscreate;
>
> Should we create a special type for this purpose (like already
> mentioned: cron_script_prelink_t and label the
> file /etc/cron.daily/prelink)?
>
> I opened a bug: https://bugzilla.redhat.com/show_bug.cgi?id=437684
>
> cheers
> Stefan
>
> PS: Sorry for responding so late but I did not have an Internet
> connection during the last week.

I think you would need to label the individual scripts and set up proper transitions to make this work correctly.
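One way to do what Dan describes, added here as an example that is not from the thread and not from the Fedora or reference policy: a loadable reference-policy module that gives /etc/cron.daily/prelink its own entrypoint type and domain (cron_script_prelink_t, the name Stefan proposed), lets system_crond_t transition into it, and confines write access to /var/cache/prelink to that domain and prelink_t instead of to every bin_t cron script. The module name, the exec type and the cache type prelink_cron_cache_t are assumptions; the .te and .fc parts are shown in one listing.

```m4
# prelink_cron.te -- assumed module name; cron_script_prelink_t is the domain
# name proposed in the thread, the other type names are assumptions
policy_module(prelink_cron, 1.0)

gen_require(`
	type prelink_t;
')

# Domain for the daily script and the entrypoint type of the script file
type cron_script_prelink_t;
type cron_script_prelink_exec_t;

# system_crond_t transitions to cron_script_prelink_t when it executes a
# file labelled cron_script_prelink_exec_t (refpolicy cron interface)
cron_system_entry(cron_script_prelink_t, cron_script_prelink_exec_t)

# Dedicated type for the relocated cache directory /var/cache/prelink
type prelink_cron_cache_t;
files_type(prelink_cron_cache_t)

# Only the script domain manages the cache directory; system_crond_t itself
# gets no rule on it, which is what the bin_t labelling could not express
allow cron_script_prelink_t prelink_cron_cache_t:dir manage_dir_perms;
allow cron_script_prelink_t prelink_cron_cache_t:file manage_file_perms;

# Mirrors the setfscreate AVC from the thread, now on the script domain
allow cron_script_prelink_t self:process setfscreate;

# The script runs the prelink binary in prelink_t, which then needs the
# add_name/remove_name and write/rename/create/setattr seen in the AVCs
prelink_domtrans(cron_script_prelink_t)
allow prelink_t prelink_cron_cache_t:dir rw_dir_perms;
allow prelink_t prelink_cron_cache_t:file manage_file_perms;

# Shell and helper commands the script calls
corecmd_exec_bin(cron_script_prelink_t)
corecmd_exec_shell(cron_script_prelink_t)

# prelink_cron.fc -- file contexts applied by restorecon
/etc/cron\.daily/prelink  --  gen_context(system_u:object_r:cron_script_prelink_exec_t,s0)
/var/cache/prelink(/.*)?      gen_context(system_u:object_r:prelink_cron_cache_t,s0)

# Build, load and relabel (needs selinux-policy-devel installed):
#   make -f /usr/share/selinux/devel/Makefile prelink_cron.pp
#   semodule -i prelink_cron.pp
#   restorecon -Rv /etc/cron.daily/prelink /var/cache/prelink
```

After loading, a run of the script under system_crond_t should show the process in cron_script_prelink_t in `ps -eZ`, and any remaining denials come out of audit2allow against that domain rather than against system_crond_t.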