Hi Javier, Hello Manoj, Russel,
[... /etc/cron.daily/standard trying to back up shadow, gshadow, which
doesn't work on SELinux due to permissions ...]
> Because people with SELinux that have granted root access (and to the cron
> process) to those files (i.e. have a proper SELinux policy in place) will
> disable the tasks even though they would execute fine.
People doing so are bypassing some important part of the security system
IMHO.
The proper SELinux-solution would be to move the backup parts into a
separate script, and assign a special role to that one.
I added manoj and rjc to the CC list, since their opinion about this is
probably "most authoritative", being the SELinux experts at Debian.
But you're welcome to clone this bug to selinux-policy-default that it
should make this backup work. Until then I'd suggest to use my approach
to remove one pitfall for people who want to try SELinux...
You can't transition security roles within a script, and the "can read
shadow" permission is probably a bit too much for /etc/cron.daily/standard
which is to be considered a configuration file, not an application.
> What I *might* add is a check in the tasks so that it will only try to copy
> the shadow/gshadow files if they are readable, i.e., change:
I'm not sure if you are even allowed to getattr the file.
Even then this will only test for traditional unix permissions, and
since the cronjob runs as root it would expect it can read the file.
best regards,
Erich Schubert
--
erich@(vitavonni.de|debian.org) -- GPG Key ID: 4B3A135C (o_
Go away or i'll replace you with a very small shell script. //\
The beginning of all knowledge is wonder. --- Aristotle V_/_