[refpolicy] [PATCH 5/5] Support at service

[sven.vermeulen@siphos.be (Sven Vermeulen)]

On Wed, Nov 14, 2012 at 08:18:32PM +0100, Dominick Grift wrote:
> May this is gentoo specific, on my f17 system this location does not
> even exist
> 
> Are you sure that it works as you expect it? 

It seems to yes, I'm using it often the last few days to test out job
invocation from system cron, without having to edit my crontabs over and
over gain:

echo "layman -S" | at now+1min

Easy as pie to test stuff.

> Also the patch has stuff that seems unrelated. For example:
> 
> > -read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
> > +manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
> 
> Why did you change that?

Well, there are two parts of the at-stuff: one is the atjobs, the other is
atspool. In atjobs (labeled user_cron_spool_t) the scripts are placed that
are to be executed. These scripts, once executed, add in lock files inside
the atjobs location (hence the manage_files_pattern for crond_t).

> Also why does the following only apply for cron admin role and admin
> crontab? Do you know why the fsetid for admin_crontab_t is needed?:
> 
> > +allow admin_crontab_t self:capability fsetid;


It might also be for non-admin cron stuff, I'm currently only testing with
admin. I believe it is needed while writing the scripts in the atjob
location.

testsys ~ # echo ls | at now+1min
warning: commands will be executed using /bin/sh
job 21 at Wed Nov 14 20:31:00 2012
testsys ~ # cat /var/log/avc.log 
Nov 14 20:30:16 testsys kernel: [ 1746.093723] type=1400
audit(1352921416.791:31): avc:  granted  { fsetid } for  pid=3573 comm="at"
capability=4  scontext=root:sysadm_r:admin_crontab_t
tcontext=root:sysadm_r:admin_crontab_t tclass=capability
Nov 14 20:30:16 testsys kernel: [ 1746.093734] type=1400
audit(1352921416.791:32): avc:  granted  { fsetid } for  pid=3573 comm="at"
capability=4  scontext=root:sysadm_r:admin_crontab_t
tcontext=root:sysadm_r:admin_crontab_t tclass=capability

Wkr,
	Sven Vermeulen