From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Make crond able to use pam_namespace.so
Date: Sun, 13 Feb 2011 13:10:58 +0100
Message-ID: <20110213121032.GA2226@localhost.localdomain>
In-Reply-To: <SNT139-w582A70ACE98790EE74343DABD10@phx.gbl>

On Sun, Feb 13, 2011 at 10:46:32AM +0000, HarryCiao wrote:
> 
> Hello Chris and Dom,
> 
> Please hold on this patch.  I am now puzzled as to whether we should have crond use pam_namespace.so at all.
> 
> The problem I ran into is that the cron job process does not share the same namespace as the cron job submitter's process.
> 
> If a staff user (mapped to staff_u) specifies a cron job to write into "/home/staff/somefile", and $HOME is polyinstantiated, then the cron job process will attempt to write somefile into the BASE directory /home/staff, rather than the MEMBER directory /home/home.inst/staff_xxx created by ssh or login, with the result that somefile is invisible to the staff user; only the root user can see it in the original base directory /home/staff.
> 
> How could I have the cron job process share the same namespace as the user's login session?
> 
> Would the plan below ever work?
> 1. When the crontab command creates the user's cron job files in /var/spool/cron, the file name contains not only the user's Linux user name but also the submitter's role and MLS level;
> 
> 2. crond determines the cron job process's security context from the name of the above cron job files, rather than by get_default_context_with_level(). The cron job process will then be in the same security context as the relevant submitter, rather than the cronjob_t fetched from the system_r:crond_t:s0 related entries in contexts/default_contexts or users/[user].
> 
> 3. crond's PAM config uses pam_namespace.so, which will find the cron job submitter's polyinstantiation member directory already created by ssh or login in the polyinstantiation parent directory.

I am not sure, but I used to have similar issues which in the end were never resolved.

https://bugzilla.redhat.com/show_bug.cgi?id=519232

> 
> Thanks,
> Harry
> 
> From: harrytaurus2002 at hotmail.com
> To: cpebenito at tresys.com; refpolicy at oss1.tresys.com
> Date: Fri, 11 Feb 2011 08:54:29 +0000
> Subject: [refpolicy] Make crond able to use pam_namespace.so
> 
> Hi Chris,
> 
> Another patch for crond_t: call the files_polyinstantiate_all() interface for it, as has been done for the other entrypoint applications' domains, so that crond can work well when pam_namespace.so is used in its PAM config files and polyinstantiation is enabled.
> 
> Thanks,
> 
> Best regards,
> Harry
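The namespace mismatch Harry describes can be confirmed on a running system rather than inferred from where a file ends up. pam_namespace gives each session that passes through it a private mount namespace and bind-mounts the member directory over the polyinstantiated path; a cron job that did not go through that PAM stack stays in the initial namespace and sees the base directory. The following shell script is an added example for checking that, not code from this thread or from refpolicy. It assumes Linux with /proc mounted; reading /proc/<pid>/ns/mnt or /proc/<pid>/mountinfo of another user's process requires root or CAP_SYS_PTRACE, and the PIDs and the /home/staff path in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from refpolicy.
# Assumes Linux with /proc mounted. Reading the ns link or mountinfo of
# another user's process needs root or CAP_SYS_PTRACE.

# Print the mount namespace identifier of a PID, e.g. "mnt:[4026531840]".
mnt_ns_of() {
    readlink "/proc/$1/ns/mnt"
}

# Exit 0 if the two PIDs share a mount namespace, 1 if they do not,
# 2 if either namespace link could not be read.
same_mount_namespace() {
    ns_a=$(mnt_ns_of "$1") || return 2
    ns_b=$(mnt_ns_of "$2") || return 2
    [ -n "$ns_a" ] && [ "$ns_a" = "$ns_b" ]
}

# Print the mountinfo entries whose mount point is $2, as seen by PID $1
# (field 5 of /proc/<pid>/mountinfo is the mount point). With pam_namespace
# active, the login session's namespace has a bind mount at the
# polyinstantiated directory; a process still in the initial namespace,
# such as a cron job, shows no such entry unless the path is its own
# filesystem.
mount_at() {
    awk -v mp="$2" '$5 == mp' "/proc/$1/mountinfo"
}

# Usage (PIDs and path are placeholders): compare a user's cron job process
# with the same user's login shell.
#   cron_pid=12345; login_pid=23456
#   if same_mount_namespace "$cron_pid" "$login_pid"; then
#       echo "shared mount namespace"
#   else
#       echo "separate namespaces: cron job writes land in the base directory"
#   fi
#   mount_at "$login_pid" /home/staff
#   mount_at "$cron_pid" /home/staff
```

If the two namespace identifiers differ and only the login shell shows a mount at the home directory, the cron job is writing to the base directory exactly as described above; the check works the same for any other polyinstantiated path such as /tmp.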
