cron vs. anacron

Daniel J Walsh dwalsh at redhat.com
Mon Feb 13 16:33:54 UTC 2012



On 02/13/2012 10:29 AM, Moray Henderson wrote:
>> From: Moray Henderson [mailto:Moray.Henderson at ict-software.org] 
>> Sent: 13 February 2012 13:05
>> 
>> Can someone explain why the logwatch process run by crond
>> transitions to unconfined_t, while the same process run by
>> anacron remains in logwatch_t:s0-s0:c0.c1023?
> 
> Does this answer my own question?
> 
> [root at centos services]# ldd /usr/sbin/crond
>         linux-gate.so.1 =>  (0x00550000)
>         libselinux.so.1 => /lib/libselinux.so.1 (0x00671000)
>         libpam.so.0 => /lib/libpam.so.0 (0x001c8000)
>         libpam_misc.so.0 => /lib/libpam_misc.so.0 (0x00803000)
>         libaudit.so.0 => /lib/libaudit.so.0 (0x00a2e000)
>         libc.so.6 => /lib/libc.so.6 (0x0031c000)
>         libdl.so.2 => /lib/libdl.so.2 (0x00110000)
>         libsepol.so.1 => /lib/libsepol.so.1 (0x00bb0000)
>         /lib/ld-linux.so.2 (0x00eef000)
> [root at centos services]# ldd /usr/sbin/anacron
>         linux-gate.so.1 =>  (0x005d3000)
>         libc.so.6 => /lib/libc.so.6 (0x0014d000)
>         /lib/ld-linux.so.2 (0x00129000)
> 
> Am I right that crond can do type transitions because it was
> written with libselinux.so in mind, while anacron can't because it
> wasn't?  Although somehow my ps process did manage to get to
> logwatch_t.
> 
> Am I right that that was a bug?  Looks like it's been fixed in
> CentOS 6. Unfortunately I'm stuck on 5 for this project.  I'll have
> to come up with a workaround.
> 
> 
> 
> Moray. "To err is human; to purr, feline."


There are two ways to do transitions.  One can be written in policy.

Processes running as a_t executing files labeled as b_exec_t will
transition to c_t.

Or applications can have SELinux awareness built into them, as cron
does.  Cron is just using SELinux awareness for user jobs, I believe.

When a user creates a cron job, the cronjob gets labeled with the
level and user type of the user that created the job, then when cron
runs the job it looks up the label and asks the kernel:

If I have a file labeled X, which context should I run it as?  The
kernel responds with Y and cron will attempt to run the job as Y.

Since anacron does not have SELinux awareness in it, it cannot do the
second method and only the first.
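The lookup Daniel describes (read the crontab's label, ask the kernel which context the job should run as, then set the exec context before running it) is what libselinux's getfilecon(), security_compute_create() and setexeccon() do for cron, and those three calls are thin wrappers over the kernel's selinuxfs and /proc/self/attr interfaces. The program below is an added example, not code from this thread, from cron or from anacron: it performs the same three steps directly against those kernel interfaces using only libc, which also makes concrete what anacron, linked against nothing but libc, would need in order to do a cron-style transition. The policy-written transition (a process in a_t executing a file labeled b_exec_t lands in c_t) needs none of this and is the only kind anacron gets. The return-code names, the function names and the command-line usage are my own choices; the program is Linux-only and, on a host where /sys/fs/selinux is not mounted, reports that SELinux is unavailable instead of printing a context.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/xattr.h>

/* Return codes: my own naming, not from cron or libselinux. */
enum { JOB_CTX_OK = 0, JOB_CTX_NO_SELINUX = -1, JOB_CTX_NO_LABEL = -2, JOB_CTX_QUERY_FAILED = -3 };

#define SELINUXFS "/sys/fs/selinux"
#define CTX_MAX 256

/* Read a small text file and strip a trailing newline or NUL. Returns bytes kept, or -1. */
static int read_small_file(const char *path, char *buf, size_t len) {
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    while (n > 0 && (buf[n - 1] == '\n' || buf[n - 1] == '\0')) buf[--n] = '\0';
    return (int)n;
}

/* Same source libselinux getcon() reads: the caller's own label. */
int get_own_context(char *buf, size_t len) {
    return read_small_file("/proc/self/attr/current", buf, len) > 0 ? 0 : -1;
}

/* Same source libselinux getfilecon() reads: the security.selinux extended attribute. */
int get_file_context(const char *path, char *buf, size_t len) {
    ssize_t n = getxattr(path, "security.selinux", buf, len - 1);
    if (n <= 0) return -1;
    buf[n] = '\0';   /* the stored value normally ends in a NUL already */
    return 0;
}

/* The question cron asks: "a process in scon executing a file labeled tcon gets which
 * context?"  This is security_compute_create() for the "process" class: write
 * "scon tcon <class index>" to the selinuxfs create node and read the kernel's answer. */
int compute_transition(const char *scon, const char *tcon, char *out, size_t outlen) {
    char idx[32], req[2 * CTX_MAX + 48];
    if (read_small_file(SELINUXFS "/class/process/index", idx, sizeof idx) <= 0) return -1;
    int n = snprintf(req, sizeof req, "%s %s %s", scon, tcon, idx);
    if (n < 0 || (size_t)n >= sizeof req) return -1;
    int fd = open(SELINUXFS "/create", O_RDWR | O_CLOEXEC);
    if (fd < 0) return -1;
    ssize_t r = -1;
    if (write(fd, req, (size_t)n) == n) r = read(fd, out, outlen - 1);
    close(fd);
    if (r <= 0) return -1;
    out[r] = '\0';
    while (r > 0 && (out[r - 1] == '\n' || out[r - 1] == '\0')) out[--r] = '\0';
    return r > 0 ? 0 : -1;
}

/* Same effect as libselinux setexeccon(): the next execve() starts in ctx,
 * provided policy allows the current type to transition to it. */
int set_exec_context(const char *ctx) {
    int fd = open("/proc/self/attr/exec", O_WRONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    ssize_t w = write(fd, ctx, strlen(ctx) + 1);
    close(fd);
    return w < 0 ? -1 : 0;
}

/* The whole lookup for one crontab file: file label -> kernel decision -> context to run as. */
int compute_job_context(const char *tab_path, char *out, size_t outlen) {
    char scon[CTX_MAX], tcon[CTX_MAX];
    if (access(SELINUXFS "/create", F_OK) != 0) return JOB_CTX_NO_SELINUX;
    if (get_own_context(scon, sizeof scon) != 0) return JOB_CTX_NO_SELINUX;
    if (get_file_context(tab_path, tcon, sizeof tcon) != 0) return JOB_CTX_NO_LABEL;
    if (compute_transition(scon, tcon, out, outlen) != 0) return JOB_CTX_QUERY_FAILED;
    return JOB_CTX_OK;
}

int main(int argc, char **argv) {
    char ctx[CTX_MAX];
    if (argc < 2) {
        fprintf(stderr, "usage: %s /var/spool/cron/<user> [command args...]\n", argv[0]);
        return 2;
    }
    int rc = compute_job_context(argv[1], ctx, sizeof ctx);
    if (rc != JOB_CTX_OK) {
        fprintf(stderr, "cannot compute job context (rc=%d): %s\n", rc, strerror(errno));
        return 1;
    }
    printf("a job from %s would run as %s\n", argv[1], ctx);
    if (argc > 2) {            /* optional: actually start the command the way cron would */
        if (set_exec_context(ctx) != 0) { perror("set_exec_context"); return 1; }
        execv(argv[2], argv + 2);
        perror("execv");
        return 1;
    }
    return 0;
}
```

With only a crontab path as argument the program prints the context the kernel would assign and exits; with a command appended it sets the exec context and runs the command, which is the point at which policy either permits the transition or the execve() fails with EACCES. The second form is how to reproduce the difference Moray saw: the same binary started this way runs in the computed context, while started plainly (as anacron does) it gets whatever the policy's type_transition rule for its executable's label says, or stays in the parent's type if there is none.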