The current cron patch attempts to allow users to specify the
role/type/mls context for a particular job to run at. You simply specify
SELINUX_ROLE_TYPE=staff_u:staff_r:staff_crond_t:SystemLow-s0:c15
in the crontab.
The problem is that users logically think they can specify other
roles/types in the file. Except the patch is doing an entrypoint check
on the cron file. But the only entrypoints defined in policy look
something like this
allow $1_crond_t $1_spool_cron_t: file entrypoint;
So if the user specifies,
SELINUX_ROLE_TYPE=staff_u:sysadm_r:sysadm_crond_t:SystemLow-s0:c15
or
SELINUX_ROLE_TYPE=staff_u:sysadm_r:sysadm_t:SystemLow-s0:c15
The entrypoint check fails and the job is denied. Now we could allow
users to write a loadable policy module that said something like
allow sysadm_t staff_spool_cron_t: file entrypoint;
But the cron job will fail, because the crond_t is not allowed to
transition to sysadm_t. So we could force the user to specify
sysadm_crond_t. Which might work.
I see this as being too confusing for the user and would like to change
it so the user can only specify MLS values.
SELINUX_MLS_LEVEL=SystemHigh
And then the old mechanism would run the job as
staff_r:staff_crond_t:SystemHigh.
Thoughts?
Dan
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
