Re: (Userspace) AVC denial generated even if allowed by the policy?

On 23/11/15 09:08, Dominick Grift wrote:
On Mon, Nov 23, 2015 at 01:53:03AM +0100, Laurent Bigonville wrote:
Hi,

I'm still looking at adding SELinux support in the "at" daemon and I now
have the following patch[0].

With this patch, at seems to behave like the cron daemon, as explained in
the commit log:

     - When cron_userdomain_transition is set to off, a process for an
       unconfined user will transition to unconfined_cronjob_t. For confined
       user, the job is run as cronjob_t.

     - When cron_userdomain_transition is set to on, the processes are run
       under the user default context.

But every time an AVC denial is generated (with cron_userdomain_transition
set to off and the user running as staff_u, in permissive with unmodified
refpolicy):

avc:  denied  { entrypoint } for scontext=staff_u:staff_r:cronjob_t:s0
tcontext=staff_u:object_r:user_cron_spool_t:s0 tclass=file

The job runs as (id -Z): staff_u:staff_r:cronjob_t:s0

But audit2{allow,why} are saying that this is already allowed in the policy

Setting the cron_userdomain_transition boolean to on, I have the following
avc:

avc:  denied  { entrypoint } for scontext=staff_u:sysadm_r:sysadm_t:s0
tcontext=staff_u:object_r:user_cron_spool_t:s0 tclass=file

I think this is weird as well since user_cron_spool_t is not actually
executed as far as I know (and thus is not actually an entrypoint). The
entrypoint permission is merely allowed so that crond_t/atd_t can calculate
access to the target domains.

So I do not see why these entrypoint events are hit in the first place.

The code is explicitly doing that; I guess it's a design decision from the original writer of the patch:

/*
 * Since crontab files are not directly executed,
 * crond must ensure that the crontab file has
 * a context that is appropriate for the context of
 * the user cron job. It performs an entrypoint
 * permission check for this purpose.
 */

And that's why there is an entrypoint check:

selinux_check_access(user_context, file_context, "file", "entrypoint", NULL);

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
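The thread compares the two userspace AVC messages against what audit2allow and audit2why report. The following is an added example, not code from the at patch, from libselinux or from anyone in the thread: it parses AVC lines of the form quoted above (the two sample lines are constructed from the messages in the thread, rejoined onto one line each) and renders the audit2allow-style allow rule for each, so a reader can see exactly which rule is being claimed to exist in the policy. The field names (scontext, tcontext, tclass) are the standard AVC fields; everything else is the example's own naming.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input: the two userspace AVC lines quoted in the thread,
# each rejoined onto a single line as the daemon logs them.
SAMPLE_AVCS = [
    "avc:  denied  { entrypoint } for scontext=staff_u:staff_r:cronjob_t:s0 "
    "tcontext=staff_u:object_r:user_cron_spool_t:s0 tclass=file",
    "avc:  denied  { entrypoint } for scontext=staff_u:sysadm_r:sysadm_t:s0 "
    "tcontext=staff_u:object_r:user_cron_spool_t:s0 tclass=file",
]

# Shape: "avc:  denied  { perm1 perm2 } for key=value key=value ..."
# Kernel AVCs carry extra key=value fields (pid=, comm=, permissive=, ...);
# userspace ones from selinux_check_access() carry only the three we need.
_AVC_HEAD = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\b(?P<fields>.*)"
)
_FIELD = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Avc:
    result: str
    perms: Tuple[str, ...]
    scontext: str
    tcontext: str
    tclass: str

    @staticmethod
    def _type_of(context: str) -> str:
        # A context is user:role:type[:range]; the type is the third field.
        return context.split(":")[2]

    @property
    def source_type(self) -> str:
        return self._type_of(self.scontext)

    @property
    def target_type(self) -> str:
        return self._type_of(self.tcontext)


def parse_avc(line: str) -> Avc:
    """Parse one AVC message (kernel or userspace format) into its fields."""
    head = _AVC_HEAD.search(line)
    if head is None:
        raise ValueError(f"not an AVC message: {line!r}")
    fields = dict(_FIELD.findall(head.group("fields")))
    missing = {"scontext", "tcontext", "tclass"} - fields.keys()
    if missing:
        raise ValueError(f"AVC message lacks {sorted(missing)}: {line!r}")
    return Avc(
        result=head.group("result"),
        perms=tuple(head.group("perms").split()),
        scontext=fields["scontext"],
        tcontext=fields["tcontext"],
        tclass=fields["tclass"],
    )


def allow_rule(source_type: str, target_type: str, tclass: str, perms) -> str:
    """Render the allow rule audit2allow would propose for these fields."""
    perms = sorted(set(perms))
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {source_type} {target_type}:{tclass} {perm_text};"


def rules_for(lines) -> List[str]:
    """Merge denials per (source type, target type, class) and emit one rule each."""
    merged: Dict[Tuple[str, str, str], set] = {}
    for line in lines:
        avc = parse_avc(line)
        if avc.result != "denied":
            continue
        key = (avc.source_type, avc.target_type, avc.tclass)
        merged.setdefault(key, set()).update(avc.perms)
    return [allow_rule(*key, perms) for key, perms in sorted(merged.items())]


if __name__ == "__main__":
    for rule in rules_for(SAMPLE_AVCS):
        print(rule)
</ ```

Run stand-alone it prints the two entrypoint rules for cronjob_t and sysadm_t on user_cron_spool_t; feeding it the output of `ausearch -m AVC,USER_AVC` would merge repeated denials the same way audit2allow does. Note that the rule text only tells you what the policy would need to contain; whether it already does is a separate query against the loaded policy (sesearch or audit2why), which is the comparison the thread is about.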