From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 1/1] Cronjobs might create temporary directories
Date: Tue, 27 Sep 2011 08:49:10 -0400 [thread overview]
Message-ID: <4E81C646.5090709@tresys.com> (raw)
In-Reply-To: <1316809587.1931.44.camel@x220.mydomain.internal>
On 09/23/11 16:26, Dominick Grift wrote:
> On Fri, 2011-09-23 at 21:11 +0200, Sven Vermeulen wrote:
>> On Thu, Sep 22, 2011 at 08:42:51PM +0200, Sven Vermeulen wrote:
>>> If the system_cronjob_t domain is seen more like a "jump board" towards the
>>> application specific domains, I don't mind creating a makewhatis policy
>>> module and work from there onwards.
>>
>> Giving the fact that the policy will probably read and write man_t together
>> with the usual suspects (_exec, _domtrans), is it okay to suggest a patch for
>> the miscfiles module? Or would you rather see an independent module?
>>
>> I don't think I need to offer a _run or _role interface, since transitioning
>> from sysadm_t wouldn't be necessary. Or is it better to do that anyway?
>
> I wonder what PeBenito thinks about this.
>
> I wouldnt mind adding this to miscfiles, but i wouldnt add any unused
> interfaces. If it turns out they are needed they can always be added
> later.
I would tend to agree that we want to get privileges out of system_cronjob_t by transitioning to other domains. But the domain already has sufficient perms to run makewhatis (save for this new tmp patch). All that we could likely gain by making a new makewhatis domain would be to drop the man page access from system_cronjob_t. If is demonstrated that we could have real gains from having a makewhatis domain, I'd have to see what the policy looks like to determine if it would be ok in miscfiles.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
prev parent reply other threads:[~2011-09-27 12:49 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-09-21 19:23 [refpolicy] [PATCH 1/1] Cronjobs might create temporary directories Sven Vermeulen
2011-09-21 20:25 ` Dominick Grift
2011-09-22 6:04 ` Sven Vermeulen
2011-09-22 7:54 ` Dominick Grift
2011-09-22 18:42 ` Sven Vermeulen
2011-09-23 19:11 ` Sven Vermeulen
2011-09-23 20:26 ` Dominick Grift
2011-09-27 12:49 ` Christopher J. PeBenito [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4E81C646.5090709@tresys.com \
--to=cpebenito@tresys.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.