From: dominick.grift@gmail.com (grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 04/11] Initial policy for makewhatis
Date: Sun, 09 Dec 2012 11:59:51 +0100 [thread overview]
Message-ID: <1355050791.1797.63.camel@localhost> (raw)
In-Reply-To: <20121209094426.GA20616@siphos.be>
On Sun, 2012-12-09 at 10:44 +0100, Sven Vermeulen wrote:
> On Sat, Dec 08, 2012 at 10:57:54PM +0100, grift wrote:
> [... About makewhatis and logsentry policies ...]
> > I would rather have the actual cron script labeled and leave this file
> > generic instead since this policy only supports a domain transition from
> > crond anyway.
>
> What's the rational behind that? The application is marked as an
> application_domain, so regular user domains can execute it. Also, other
> policies like tmpreaper, which are also meant to just be triggered through a
> cronjob, are setup the same way (i.e. /usr/sbin/tmp{reaper,watch} are marked
> as tmpreaper_exec_t).
>
Yes regular users may be able to execute it but there is currently no
other domain transition specified.
The rationale is the following.
If you look at the prelink policy i will use that as a reference to back
up my suggesting:
if you transition on the actual cron script you will be generally safer
that things work if you have unconfined disabled:
# seinfo -xaunconfined_domain_type | grep cron
unconfined_cronjob_t
system_cronjob_t
crond_t
this shows that a bunch of cron domains are unconfined in fedora at
least so all cron scripts by default run fine.
However stuff *might* break if you disable the unconfined domain,
For example if the cron script does something that is currently not
allowed.
Some stupid example: lets say the cron script creates a file in the
makewhatis tmp location. or it actually creates it.
Then you have crond_t creating the makewhatis tmp location (on top of
that with a non-optimal type if you do not specify a proper type
transition.
if you do the transition on the script then you will avoid any of those
issues currently and in the future (you never know when a script may get
updated to do something you dont want crond to do)
Basically it ensures that stuff will keep working even if you have
unconfined disabled if done right.
If you would have enclosed a valid use case for why users should
directly transition on the actually executable file rather than the cron
script then i would be more convinced but currently you only transition
on cron and so i prefer that you then do it on the script and leave the
executable file generic,
I hope my reasoning made sense to you
> Wkr,
> Sven Vermeulen
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
next prev parent reply other threads:[~2012-12-09 10:59 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-12-08 20:56 [refpolicy] [PATCH 00/11] Contrib changes Sven Vermeulen
2012-12-08 20:56 ` [refpolicy] [PATCH 01/11] Moving sandbox code to sandbox section (v2) Sven Vermeulen
2012-12-09 13:51 ` grift
2012-12-08 20:56 ` [refpolicy] [PATCH 02/11] Allow sandbox to log violations Sven Vermeulen
2012-12-09 13:55 ` grift
2012-12-08 20:56 ` [refpolicy] [PATCH 03/11] Initial policy for logsentry Sven Vermeulen
2012-12-08 22:03 ` grift
2013-10-05 7:22 ` Dominick Grift
2012-12-08 20:56 ` [refpolicy] [PATCH 04/11] Initial policy for makewhatis Sven Vermeulen
2012-12-08 21:57 ` grift
2012-12-09 9:44 ` Sven Vermeulen
2012-12-09 10:59 ` grift [this message]
2012-12-08 20:56 ` [refpolicy] [PATCH 05/11] Use rw_fifo_file_perms Sven Vermeulen
2012-12-09 13:58 ` grift
2012-12-08 20:56 ` [refpolicy] [PATCH 06/11] Apache should not depend on gpg Sven Vermeulen
2012-12-09 13:59 ` grift
2012-12-08 20:56 ` [refpolicy] [PATCH 07/11] Mark make.profile entry as portage_conf_t Sven Vermeulen
2012-12-08 21:46 ` grift
2012-12-08 20:56 ` [refpolicy] [PATCH 08/11] Named init script creates rundir Sven Vermeulen
2012-12-09 14:00 ` grift
2012-12-08 20:57 ` [refpolicy] [PATCH 09/11] Add ~/.maildir as a valid maildir destination Sven Vermeulen
2012-12-09 14:01 ` grift
2012-12-08 20:57 ` [refpolicy] [PATCH 10/11] Support stunnel_read_config for startup Sven Vermeulen
2012-12-09 14:03 ` grift
2012-12-08 20:57 ` [refpolicy] [PATCH 11/11] Updates on stunnel policy Sven Vermeulen
2012-12-09 14:04 ` grift
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1355050791.1797.63.camel@localhost \
--to=dominick.grift@gmail.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.