* transition from crond
From: Tracy Reed @ 2011-12-30 18:51 UTC (permalink / raw)
To: selinux
I am trying to write policy to constrain a perl program called
email2feedback.pl which runs from cron on CentOS 5.7. It persists in running in
scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 despite the following policy.
I suspect I have incorrectly configured the transition in email2feedback.if.
Any tips?
# ls -laZ /automated_tasks/email2feedback.pl
-rwxrwxr-x root treed system_u:object_r:email2feedback_exec_t:s0 /automated_tasks/email2feedback.pl

email2feedback.fc:

/automated_tasks/email2feedback.pl -- gen_context(system_u:object_r:email2feedback_exec_t,s0)

email2feedback.te:

policy_module(email2feedback, 1.0.0)
type email2feedback_t;
type email2feedback_exec_t;

require {
type automated_tasks_db_t;
}

domain_type(email2feedback_t)
domain_entry_file(email2feedback_t, email2feedback_exec_t)

allow email2feedback_t automated_tasks_db_t:file { read getattr ioctl };

email2feedback.if:

interface(`email2feedback_domtrans',`
gen_require(`
type email2feedback_t, email2feedback_exec_t;
')
domain_auto_trans($1,email2feedback_exec_t,email2feedback_t)
allow $1 email2feedback_t:fd use;
allow email2feedback_t $1:fd use;
')

# Let it switch from crond_t to email2feedback_t
ifdef(`crond.te', `
system_crond_entry(email2feedback_exec_t, email2feedback_t)
')
--
Tracy Reed
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: transition from crond
From: Sven Vermeulen @ 2011-12-31 10:34 UTC (permalink / raw)
To: selinux
On Fri, Dec 30, 2011 at 10:51:47AM -0800, Tracy Reed wrote:
> email2feedback.te:
>
> policy_module(email2feedback, 1.0.0)
> type email2feedback_t;
> type email2feedback_exec_t;
>
> require {
> type automated_tasks_db_t;
> }
>
> domain_type(email2feedback_t)
> domain_entry_file(email2feedback_t, email2feedback_exec_t)
>
> allow email2feedback_t automated_tasks_db_t:file { read getattr ioctl };
[...]
> # Let it switch from crond_t to email2feedback_t
> ifdef(`crond.te', `
> system_crond_entry(email2feedback_exec_t, email2feedback_t)
> ')
This seems wrong. There's no need for an "ifdef" here.

You probably want something like the following in your .te file:

optional_policy(`
cron_system_entry(email2feedback_t, email2feedback_exec_t)
')
Wkr,
Sven Vermeulen
* Re: transition from crond
From: Tracy Reed @ 2012-01-01 8:28 UTC (permalink / raw)
To: Sven Vermeulen; +Cc: selinux
On Sat, Dec 31, 2011 at 11:34:15AM +0100, Sven Vermeulen spake thusly:
> This seems wrong. There's no need for an "ifdef" here.
>
> You probably want something like the following in your .te file:
Ah, thanks! I was just copying from the only example I could find of transitioning from crond:
http://www.linuxtopia.org/online_books/writing_SELinux_policy_guide/case_study_13.html
This is from 2003 or so and very outdated, no doubt. But it is the only such
example I could find. Is there any better documentation?
Also, while your suggestion seems to have worked and I have eliminated quite a
few avc denials, I am still getting this one:

type=AVC msg=audit(1325404861.508:99794): avc: denied { getattr } for pid=5065 comm="perl" path="/automated_tasks/etc/mysql_auth.pm" dev=md0 ino=240014 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:automated_tasks_db_t:s0 tclass=file
mysql_auth.pm is a perl module included by email2feedback.pl. I would have
thought that this perl module would have been run under the email2feedback_t
type of the program it was being used in. What is the correct way to handle
this?
--
Tracy Reed
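The denial in the last message is diagnosable from the AVC record itself: the scontext field names the domain the process is actually running in, so a denial with scontext=...:crond_t:... means the perl process never entered email2feedback_t, regardless of what the policy module says. The following script is an added example (not code from the thread or from any SELinux tool); it parses AVC lines, extracts the source and target types, and tells apart "the transition never happened" from "the transition happened but the new domain lacks a rule". The first sample line is the one quoted above; the second is constructed to show a denial from inside email2feedback_t. The domain names are taken from the thread; the hypothetical write denial and its path are assumptions.

```python
import re

# Constructed sample input. Line 1 is the denial quoted in the thread; line 2 is a
# made-up denial that shows what a process that DID transition looks like.
SAMPLE_AVC = """\
type=AVC msg=audit(1325404861.508:99794): avc: denied { getattr } for pid=5065 comm="perl" path="/automated_tasks/etc/mysql_auth.pm" dev=md0 ino=240014 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:automated_tasks_db_t:s0 tclass=file
type=AVC msg=audit(1325404900.000:99800): avc: denied { write } for pid=5070 comm="perl" path="/automated_tasks/log/run.log" dev=md0 ino=240020 scontext=system_u:system_r:email2feedback_t:s0 tcontext=system_u:object_r:automated_tasks_db_t:s0 tclass=file
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Third component of user:role:type[:range] is the SELinux type."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec = {"perms": m.group("perms").split(), **fields}
    rec["stype"] = context_type(rec["scontext"])  # domain the process runs in
    rec["ttype"] = context_type(rec["tcontext"])  # type of the object it touched
    return rec


def parse_all(text):
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def classify(rec, source_domain="crond_t", target_domain="email2feedback_t"):
    """Diagnose a denial for a job that is supposed to transition
    source_domain -> target_domain on exec."""
    if rec["stype"] == source_domain:
        # The process is still in the cron domain: the entrypoint transition
        # never fired, so no allow rule on target_domain can help.
        return "no-transition"
    if rec["stype"] == target_domain:
        # Transition worked; the new domain simply lacks this permission.
        return "missing-allow"
    return "other"


def suggest_rule(rec):
    """Render the allow rule that would cover a 'missing-allow' denial,
    in the same syntax as the rule already in email2feedback.te."""
    perms = " ".join(rec["perms"])
    return "allow %s %s:%s { %s };" % (rec["stype"], rec["ttype"], rec["tclass"], perms)


def diagnose(text):
    """Return (pid, path, classification, hint) for every AVC line in text."""
    out = []
    for rec in parse_all(text):
        kind = classify(rec)
        hint = suggest_rule(rec) if kind == "missing-allow" else "check why exec did not transition"
        out.append((rec["pid"], rec.get("path"), kind, hint))
    return out


if __name__ == "__main__":
    for row in diagnose(SAMPLE_AVC):
        print(row)
```

On the thread's own denial the script reports no-transition, which matches the symptom in the first message (the job "persists in running in crond_t"). One well-known cause worth ruling out before touching policy again: if the crontab entry runs `perl /automated_tasks/email2feedback.pl` rather than executing the script directly, the file being exec'd is the perl binary, not the file labelled email2feedback_exec_t, so the entrypoint rule never applies. A module such as mysql_auth.pm is only read by the already-running process and is never an entrypoint itself, so its label does not drive any transition.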