* Re: using cron in selinux policy
From: Daniel J Walsh @ 2007-04-18 13:04 UTC (permalink / raw)
To: Michael C Thompson, Karl MacMillan, Joshua Brindle,
Stephen Smalley, Christopher J. PeBenito, SE Linux
Michael C Thompson wrote:
> Hey Dan,
>
> So, for some reason I can't schedule cron jobs with the custom user I
> wrote for our test execution. From what I've looked at, I think I need
> to call cron_per_role_template, but doing so causes the policy to fail
> to build, claiming abat_crond_t is being defined twice. I'm guessing
> calling cron_per_role_template explicitly is not the solution, and
> that the interfaces I need to be calling have probably changed.
>
> If you have a moment, can you please help me look at this?
>
> Thanks,
> Mike
This looks to me like a compiler problem.

policy_module(testadm,1.0.0)

userdom_admin_user_template(testadm)
cron_per_role_template(testadm, testadm_t, testadm_r)

Causes the same problem. I also got this to happen with
ethereal_per_role_template. Compiler says that the type is defined
twice, even though I only see it once. However there is a gen_requires
of the type before the declaration which might be causing the problem.

If I create a testadm.te file like above

make -f /usr/share/selinux/devel/Makefile
Compiling targeted test module
/usr/bin/checkmodule: loading policy configuration from tmp/test.tmp
test.te:4:ERROR 'duplicate declaration of type/attribute' at token ';'
on line 102058:
type testadm_crond_t;
#line 4
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/test.mod] Error 1
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* RE: using cron in selinux policy ( a tip)
From: Zwartsenberg, Remmolt @ 2007-04-18 14:22 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: selinux
Hello Daniel,
RE: using cron in selinux policy
In most unix kernels only the cron that is owned by 'root' of the server can emulate a real root process, and will thus be usable for a 'custom user'. This of course depends on the UID/GID combination of the cron you are trying to use to submit your policy job to. This leads to the following options in my humble opinion:

* use the cron that is owned by 'root' (probably against the local SE policy)
* create a cron that acts like being root showing the right UID/GID combination to WORLD (easy on BSD, more difficult on INTEL-platforms)

If this does not work for you, look at the file ownership of /usr/pacct and insert that UID/GID combination into your Policy List you expect to execute your cron job.
Good Luck,
-rgz
* Re: using cron in selinux policy
From: Karl MacMillan @ 2007-04-18 14:47 UTC (permalink / raw)
To: Daniel J Walsh
Cc: Michael C Thompson, Joshua Brindle, Stephen Smalley,
Christopher J. PeBenito, SE Linux
On Wed, 2007-04-18 at 09:04 -0400, Daniel J Walsh wrote:
> Michael C Thompson wrote:
> > Hey Dan,
> >
> > So, for some reason I can't schedule cron jobs with the custom user I
> > wrote for our test execution. From what I've looked at, I think I need
> > to call cron_per_role_template, but doing so causes the policy to fail
> > to build, claiming abat_crond_t is being defined twice. I'm guessing
> > calling cron_per_role_template explicitly is not the solution, and
> > that the interfaces I need to be calling have probably changed.
> >
> > If you have a moment, can you please help me look at this?
> >
> > Thanks,
> > Mike
> This looks to me like a compiler problem.
>
> policy_module(testadm,1.0.0)
>
> userdom_admin_user_template(testadm)
> cron_per_role_template(testadm, testadm_t, testadm_r)
>
> Causes the same problem. I also got this to happen with
> ethereal_per_role_template. Compiler says that the type is defined
> twice, even though I only see it once. However there is a gen_requires
> of the type before the declaration which might be causing the problem.
>
That's what is causing the problem - can you just remove the requires?
Josh - I thought we were going to do promotion of requires at one point.
Did you decide against that?
Karl
> If I create a testadm.te file like above
>
> make -f /usr/share/selinux/devel/Makefile
> Compiling targeted test module
> /usr/bin/checkmodule: loading policy configuration from tmp/test.tmp
> test.te:4:ERROR 'duplicate declaration of type/attribute' at token ';'
> on line 102058:
> type testadm_crond_t;
> #line 4
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/test.mod] Error 1
>
>
>
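A check for the ordering Dan diagnoses and Karl confirms above, added here as an example (not code from the thread, from refpolicy or from checkmodule): it scans an m4-expanded module, the tmp/<module>.tmp that checkmodule parses, and reports every type that a require block names before the same module declares it, separately from require-after-declare (which Josh says is accepted) and from genuinely external types. The sample module text is constructed.

```python
import re

# Constructed sample of an m4-expanded module, shaped like the tmp/<module>.tmp
# that checkmodule parses; it is not the file from the thread.
SAMPLE_TMP = """\
require {
        type testadm_crond_t;
        type crond_t;
}
type testadm_t;
type testadm_crond_t;
require {
        type testadm_t;
}
"""

REQUIRE_BLOCK = re.compile(r"require\s*\{(.*?)\}", re.S)
DECLARATION = re.compile(r"^[ \t]*(?:type|attribute)\s+([A-Za-z0-9_]+)\b[^;]*;", re.M)


def classify_requires(text):
    """Sort each name found in a require block into one of three buckets:
    require_before_declare (required, then declared later in this module; the
    order behind the thread's 'duplicate declaration' error), declare_then_require
    (declared first, required afterwards; accepted) and external (never declared
    here; a genuine dependency on another module)."""
    require_spans = []
    first_required = {}
    for m in REQUIRE_BLOCK.finditer(text):
        require_spans.append((m.start(), m.end()))
        for d in DECLARATION.finditer(m.group(1)):
            first_required.setdefault(d.group(1), m.start())

    # Declarations outside any require block, keyed by first occurrence.
    declared_at = {}
    for d in DECLARATION.finditer(text):
        if any(start <= d.start() < end for start, end in require_spans):
            continue
        declared_at.setdefault(d.group(1), d.start())

    result = {"require_before_declare": [], "declare_then_require": [], "external": []}
    for name, req_off in sorted(first_required.items()):
        if name not in declared_at:
            result["external"].append(name)
        elif req_off < declared_at[name]:
            result["require_before_declare"].append(name)
        else:
            result["declare_then_require"].append(name)
    return result
```

After a failed build, run classify_requires over the text of tmp/<module>.tmp; any name in require_before_declare is one whose require needs to be dropped or moved below the declaration.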
* RE: using cron in selinux policy
From: Joshua Brindle @ 2007-04-18 14:57 UTC (permalink / raw)
To: Karl MacMillan, Daniel J Walsh
Cc: Michael C Thompson, Stephen Smalley, Christopher J. PeBenito,
SE Linux
> From: Karl MacMillan [mailto:kmacmill@redhat.com]
>
> >
> > Causes the same problem. I also got this to happen with
> > ethereal_per_role_template. Compiler says that the type is defined
> > twice, even though I only see it once. However there is a
> > gen_requires of the type before the declaration which might
> be causing the problem.
> >
>
> That's what is causing the problem - can you just remove the requires?
> Josh - I thought we were going to do promotion of requires at
> one point.
> Did you decide against that?
>
We fixed declare-then-require but for some reason which I can't think of
right now did not add promotion of requires. We could fix this now or
wait for the new parser that won't care, how important is this?
* RE: using cron in selinux policy
From: Karl MacMillan @ 2007-04-18 15:04 UTC (permalink / raw)
To: Joshua Brindle
Cc: Daniel J Walsh, Michael C Thompson, Stephen Smalley,
Christopher J. PeBenito, SE Linux
On Wed, 2007-04-18 at 10:57 -0400, Joshua Brindle wrote:
> > From: Karl MacMillan [mailto:kmacmill@redhat.com]
> >
> > >
> > > Causes the same problem. I also got this to happen with
> > > ethereal_per_role_template. Compiler says that the type is defined
> > > twice, even though I only see it once. However there is a
> > > gen_requires of the type before the declaration which might
> > be causing the problem.
> > >
> >
> > That's what is causing the problem - can you just remove the requires?
> > Josh - I thought we were going to do promotion of requires at
> > one point.
> > Did you decide against that?
> >
>
>
> We fixed declare-then-require but for some reason which I can't think of
> right now did not add promotion of requires. We could fix this now or
> wait for the new parser that won't care, how important is this?
Seems like there was a good reason not to but I can't think of it right
now. I think it is a policy bug - so let's punt.
Karl