running make relabel from a cronjob

running make relabel from a cronjob

[Luke Kenneth Casson Leighton]

[-- Attachment #1: Type: text/plain, Size: 742 bytes --]

the following patches allow the attached /etc/cron.d/selinux program
to successfully run.

this is for a user-only system where root access will not be given
out, and there won't be any maintenance or support, either.

i heard from someone that Fedora also has a cronjob doing a make
relabel too, so i am slightly confused that the strict selinux policy
doesn't presently have this already oh well.

l.

-- 
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love.  If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />


[-- Attachment #2: g --]
[-- Type: text/plain, Size: 1128 bytes --]

--- /usr/share/selinux/policy/default/domains/program/setfiles.te	2004-08-02 08:28:37.000000000 +0100
+++ setfiles.te	2004-08-24 12:03:19.000000000 +0100
@@ -49,9 +49,14 @@
 
 allow setfiles_t etc_runtime_t:file read;
 allow setfiles_t etc_t:file read;
+allow setfiles_t automount_etc_t:file { getattr read };
 allow setfiles_t proc_t:file { getattr read };
 dontaudit setfiles_t proc_t:lnk_file { getattr read };
 
 # for config files in a home directory
 allow setfiles_t home_type:file r_file_perms;
 dontaudit setfiles_t sysadm_tty_device_t:chr_file { relabelfrom };
+
+# allow setfiles to be run from crond
+allow setfiles_t crond_t:fifo_file { read write };
+
--- /usr/share/selinux/policy/default/domains/program/crond.te	2004-08-02 08:28:37.000000000 +0100
+++ crond.te	2004-08-24 12:03:26.000000000 +0100
@@ -202,3 +202,11 @@
 r_dir_file(system_crond_t, file_context_t)
 can_getsecurity(system_crond_t)
 ')
+
+
+allow system_crond_t policy_src_t:file { read };
+	#EXE=/usr/bin/make  NAME=Makefile   :  read
+
+can_exec(system_crond_t, setfiles_exec_t)
+domain_auto_trans(system_crond_t,  setfiles_exec_t, setfiles_t)
+

[-- Attachment #3: selinux --]
[-- Type: text/plain, Size: 267 bytes --]

# run every 6 hours to restore contexts on filesystem
# ... just in case of damage...

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
* 0,6,12,18	* * *	root    nice -20 make -C /etc/selinux/src relabel

Re: running make relabel from a cronjob

[Stephen Smalley]

On Tue, 2004-08-24 at 07:07, Luke Kenneth Casson Leighton wrote:
> the following patches allow the attached /etc/cron.d/selinux program
> to successfully run.
> 
> this is for a user-only system where root access will not be given
> out, and there won't be any maintenance or support, either.
> 
> i heard from someone that Fedora also has a cronjob doing a make
> relabel too, so i am slightly confused that the strict selinux policy
> doesn't presently have this already oh well.

See the cron_can_relabel boolean in crond.te and the fixfiles.cron
script in policycoreutils.  If CRONTYPE=relabel is in
/etc/selinux/config and the cron_can_relabel boolean is enabled, then
cron will (and can) relabel.  Otherwise, cron will merely check file
contexts and mail a report about incorrect contexts.  It doesn't need to
access policy sources; there is an installed file_contexts file in
/etc/selinux/$SELINUXTYPE/contexts/files that is used at runtime for
restorecon, fixfiles, etc.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: running make relabel from a cronjob

[Luke Kenneth Casson Leighton]

On Tue, Aug 24, 2004 at 07:55:38AM -0400, Stephen Smalley wrote:
> On Tue, 2004-08-24 at 07:07, Luke Kenneth Casson Leighton wrote:
> > the following patches allow the attached /etc/cron.d/selinux program
> > to successfully run.
> > 
> > this is for a user-only system where root access will not be given
> > out, and there won't be any maintenance or support, either.
> > 
> > i heard from someone that Fedora also has a cronjob doing a make
> > relabel too, so i am slightly confused that the strict selinux policy
> > doesn't presently have this already oh well.
> 
> See the cron_can_relabel boolean in crond.te and the fixfiles.cron
> script in policycoreutils.  If CRONTYPE=relabel is in
> /etc/selinux/config and the cron_can_relabel boolean is enabled, then
> cron will (and can) relabel.  Otherwise, cron will merely check file
> contexts and mail a report about incorrect contexts.  It doesn't need to
> access policy sources; there is an installed file_contexts file in
> /etc/selinux/$SELINUXTYPE/contexts/files that is used at runtime for
> restorecon, fixfiles, etc.
 
 ah ha!

 great.  thank you v. much.

 l.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.