[selinux-policy: 2226/3172] Add missing rules to make unconfined_cronjob_t a valid cron job domain.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:17:37 UTC 2010
commit 2a77737d4ea2623a15b9a8307f1784ba6b2d01f6
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Aug 12 14:15:39 2009 -0400

Add missing rules to make unconfined_cronjob_t a valid cron job domain.

Unconfined_cronjob_t is not a valid cron job domain because the cron
module is lacking a transition from the crond to the unconfined_cronjob_t
domain. This adds the transition and also a constraints exemption since
part of the transition is also a seuser and role change typically.

Changelog | 1 +
policy/modules/services/cron.te | 11 ++++++++++-
2 files changed, 11 insertions(+), 1 deletions(-)
---
diff --git a/Changelog b/Changelog
index d2d030c..9e53df0 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Add missing rules to make unconfined_cronjob_t a valid cron job domain.
- Add btrfs and ext4 to labeling targets.
- Fix infrastructure to expand macros in initrc_context when installing.
- Handle unix_chkpwd usage by useradd and groupadd.
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 70b183d..d73dc11 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -1,5 +1,5 @@
-policy_module(cron, 2.1.0)
+policy_module(cron, 2.1.1)
gen_require(`
class passwd rootok;
@@ -95,6 +95,7 @@ ifdef(`enable_mcs',`
type unconfined_cronjob_t;
domain_type(unconfined_cronjob_t)
+domain_cron_exemption_target(unconfined_cronjob_t)
# Type of user crontabs once moved to cron spool.
type user_cron_spool_t, cron_spool_type;
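Review bot: The added domain_cron_exemption_target(unconfined_cronjob_t) line directly after domain_type() has no comment explaining why the exemption is needed. The commit message gives the reason (the transition typically also changes the seuser and role), and that belongs here as a one-line comment so the constraint exemption is not later mistaken for a leftover. Because this exempts an unconfined domain from the user and role constraints, it is also worth confirming which domains are permitted as the source side of the exemption, so that only crond_t can make use of it.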
@@ -589,5 +590,13 @@ optional_policy(`
#
optional_policy(`
+ # Permit a transition from the crond_t domain to this domain.
+ # The transition is requested explicitly by the modified crond
+ # via setexeccon. There is no way to set up an automatic
+ # transition, since crontabs are configuration files, not executables.
+ allow crond_t unconfined_cronjob_t:process transition;
+ dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
+ allow crond_t unconfined_cronjob_t:fd use;
+
unconfined_domain(unconfined_cronjob_t)
')
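Review bot: The three rules added inside this optional_policy block cover only the crond_t side of the transition. The comment says the transition is requested via setexeccon, yet no setexec permission for crond_t, no entrypoint rule, and no rule letting unconfined_cronjob_t use descriptors inherited from crond_t or signal it with sigchld appears in the hunk. If those are expected to come from existing crond_t rules and from unconfined_domain(unconfined_cronjob_t) just below, the comment should say so, since that dependency is the reason the rules must stay inside this optional block. The dontaudit on { noatsecure siginh rlimitinh } also deserves a line stating that the denials are intended and only their logging is suppressed.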