From: bigon@debian.org (Laurent Bigonville)
Date: Mon, 23 Nov 2015 12:31:00 +0100
Subject: [refpolicy] Transition not working as expected with boolean cron_userdomain_transition set to on
Message-ID: <5652F8F4.3090601@debian.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi,

While testing my patch for the at daemon, I think I also found a bug in the policy.

With the cron_userdomain_transition boolean set to off I see the following behavior (user bigon is unconfined_u, test is user_u and test_staff is staff_u):

bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
unconfined_u:unconfined_r:unconfined_cronjob_t:s0-s0:c0.c1023
bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
user_u:user_r:cronjob_t:s0
bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff system_u:system_r:crond_t:s0
staff_u:staff_r:cronjob_t:s0

Everything seems OK here. But when I toggle the boolean to on, I see the following behavior:

bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
/usr/sbin/getdefaultcon: Invalid argument
bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff system_u:system_r:crond_t:s0
staff_u:sysadm_r:sysadm_t:s0

As you can see, a default context cannot be computed for the user_u user, and the staff_u domain is transitioned to sysadm_r:sysadm_t (not sure this is intended).

In the fedora policy I've found this patch:
https://github.com/fedora-selinux/selinux-policy/commit/28afa6f6438070902daca6ecb5d97abad7d53a0d

If I'm _adding_ the user context to the default context:

bigon@soldur:~$ /usr/sbin/getdefaultcon bigon system_u:system_r:crond_t:s0
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
bigon@soldur:~$ /usr/sbin/getdefaultcon test system_u:system_r:crond_t:s0
user_u:user_r:user_t:s0
bigon@soldur:~$ /usr/sbin/getdefaultcon test_staff system_u:system_r:crond_t:s0
staff_u:staff_r:staff_t:s0

I've attached a patch, am I understanding everything correctly here?

Cheers,

Laurent Bigonville

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Allow-the-user-cronjobs-to-run-in-their-userdomain.patch
Type: text/x-patch
Size: 4973 bytes
Desc: not available
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20151123/597b9346/attachment.bin
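The two symptoms in the mail (no default context at all for user_u, and staff_u landing in sysadm_r rather than its own role) are the kind of thing an administrator would want to catch automatically after toggling a boolean. The following is an added example, not code from the mail or from refpolicy: it parses the strings that `getdefaultcon` prints (as quoted above) and classifies each result. The mapping of SELinux user to expected role, and the Linux-user-to-SELinux-user mapping in the sample data, are assumptions taken from the contexts shown in the mail; the sample lines themselves are constructed from the mail's output.

```python
"""Classify crond default-context results for a set of login users.

Added example (not from the mail or refpolicy). It reads the text that
`getdefaultcon <user> <source context>` printed and reports whether the
computed context is the one a defender would expect for that SELinux user.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: each SELinux user should end up in its own role. Derived from
# the contexts quoted in the mail, not from any policy file.
EXPECTED_ROLE = {
    "unconfined_u": "unconfined_r",
    "user_u": "user_r",
    "staff_u": "staff_r",
}


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    range: Optional[str]  # MLS/MCS range is absent on non-MLS systems


def parse_context(text: str) -> Context:
    """Split 'user:role:type[:range]' into its fields.

    Raises ValueError for anything that is not a security context, which
    is how an error message such as 'Invalid argument' is recognised.
    """
    parts = text.strip().split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not a security context: {text!r}")
    rng = parts[3] if len(parts) == 4 else None
    return Context(parts[0], parts[1], parts[2], rng)


def check_default(selinux_user: str, output: str) -> str:
    """Return 'ok', 'no-default', 'unexpected-role' or 'unknown-user'."""
    expected_role = EXPECTED_ROLE.get(selinux_user)
    if expected_role is None:
        return "unknown-user"
    try:
        ctx = parse_context(output)
    except ValueError:
        # getdefaultcon printed an error instead of a context
        return "no-default"
    if ctx.user != selinux_user or ctx.role != expected_role:
        return "unexpected-role"
    return "ok"


# (linux user, SELinux user it maps to, what getdefaultcon printed)
Sample = Tuple[str, str, str]

# Constructed from the mail's output with cron_userdomain_transition=on.
BOOLEAN_ON: List[Sample] = [
    ("bigon", "unconfined_u", "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"),
    ("test", "user_u", "/usr/sbin/getdefaultcon: Invalid argument"),
    ("test_staff", "staff_u", "staff_u:sysadm_r:sysadm_t:s0"),
]

# Constructed from the mail's output after the user contexts were added.
PATCHED: List[Sample] = [
    ("bigon", "unconfined_u", "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"),
    ("test", "user_u", "user_u:user_r:user_t:s0"),
    ("test_staff", "staff_u", "staff_u:staff_r:staff_t:s0"),
]


def audit(samples: List[Sample]) -> Dict[str, str]:
    """Map each Linux user to the verdict for its default cron context."""
    return {linux_user: check_default(se_user, out)
            for linux_user, se_user, out in samples}


if __name__ == "__main__":
    for label, samples in (("boolean on", BOOLEAN_ON), ("patched", PATCHED)):
        print(label)
        for user, verdict in audit(samples).items():
            print(f"  {user:<12} {verdict}")
```

On a live system the same `audit()` can be fed the real output of `getdefaultcon` for every account in `semanage login -l`, so a boolean change that silently drops a user's cron jobs or hands them a more privileged role shows up as anything other than `ok`.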