On Saturday 19 May 2007 02:08, Manoj Srivastava <[EMAIL PROTECTED]> wrote:
> On Wed, 16 May 2007 22:54:00 +1000, Russell Coker <[EMAIL PROTECTED]>
>
> I have not yet made this change. I have discovered additional
> issues with cron;
> ,----
>
> | #============= initrc_t ==============
> | # src="initrc_t" tgt="crond_t" class="fifo_file", perms="{ read ioctl }"
> | # comm="sysklogd" exe="" path=""
> | allow initrc_t crond_t:fifo_file { read ioctl };
> | # src="initrc_t" tgt="system_crond_t" class="fd", perms="use"
> | # comm="sysklogd" exe="" path=""
> | allow initrc_t system_crond_t:fd use;
> | # src="initrc_t" tgt="system_crond_t" class="fifo_file", perms="write"
> | # comm="sysklogd" exe="" path=""
> | allow initrc_t system_crond_t:fifo_file write;

Hmm, seems lacking permission for restarting daemons from cron. That should be allowed.

> | #============= system_crond_t ==============
> | # src="system_crond_t" tgt="apt_var_lib_t" class="file", perms="read"
> | # comm="cp" exe="" path=""
> | allow system_crond_t apt_var_lib_t:file read;
> | # src="system_crond_t" tgt="var_t" class="dir", perms="{ write add_name }"
> | # comm="cp" exe="" path=""
> | allow system_crond_t var_t:dir { write add_name };
> | # src="system_crond_t" tgt="var_t" class="file", perms="{ write create setattr }"
> | # comm="cp" exe="" path=""
> | allow system_crond_t var_t:file { write create setattr };

Looks like one of those scripts to backup Debian data to /var/backup. Maybe if you give /etc/cron.daily/aptitude type backup_exec_t and allow it to transition to backup_t from system_crond_t.

> However, when creating the refpolicy package itself, I came
> across this little denial while linking:
> ,----
>
> | #============= user_t ==============
> | # src="user_t" tgt="shlib_t" class="file", perms="ioctl"
> | # comm="ld" exe="" path=""
> | allow user_t shlib_t:file ioctl;
>
> `----
>
> Shouldn't that be allowed?

Yes, that's fine.

-- 
[EMAIL PROTECTED]
http://etbe.coker.com.au/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
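The triage in this thread works by reading each proposed rule together with the `comm=` annotation above it. As an added example (not part of the original messages or of refpolicy), the Python sketch below parses annotated rules in the format quoted above and groups them by the command that triggered them; the function names `parse_rules` and `by_command` are hypothetical, and the sample input is a subset of the rules quoted in the thread, including one mail-wrapped comment line.

```python
import re
from collections import defaultdict

# Sample input: a subset of the rules quoted in the thread, with mail quoting
# ("> |") and one comment line wrapped by the mail client left in place.
SAMPLE = '''\
> | #============= initrc_t ==============
> | # src="initrc_t" tgt="system_crond_t" class="fd", perms="use"
> | # comm="sysklogd" exe="" path=""
> | allow initrc_t system_crond_t:fd use;
> | #============= system_crond_t ==============
> | # src="system_crond_t" tgt="var_t" class="dir", perms="{ write add_name
> | }" # comm="cp" exe="" path=""
> | allow system_crond_t var_t:dir { write add_name };
#============= user_t ==============
# src="user_t" tgt="shlib_t" class="file", perms="ioctl"
# comm="ld" exe="" path=""
allow user_t shlib_t:file ioctl;
'''

KV = re.compile(r'(\w+)="([^"]*)"')
ALLOW = re.compile(r'allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;')

def parse_rules(text):
    """Return one dict per allow rule, tagged with the comm= noted above it."""
    rules, notes = [], {}
    for raw in text.splitlines():
        line = raw.lstrip('>| \t')          # drop mail quoting and box margin
        m = ALLOW.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            rules.append({'src': src, 'tgt': tgt, 'class': cls,
                          'perms': perms.strip('{} ').split(),
                          'comm': notes.get('comm', '')})
            notes = {}                      # annotations apply to one rule only
        elif line.startswith('#='):
            notes = {}                      # new source-domain section
        else:
            notes.update(KV.findall(line))  # also catches wrapped fragments
    return rules

def by_command(rules):
    """Group rules by triggering command, the way the reply reviews them."""
    out = defaultdict(list)
    for r in rules:
        out[r['comm']].append(
            f"{r['src']} -> {r['tgt']}:{r['class']} {{ {' '.join(r['perms'])} }}")
    return dict(out)

if __name__ == '__main__':
    for comm, items in by_command(parse_rules(SAMPLE)).items():
        print(comm, items)
```
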