Le 23/11/15 01:53, Laurent Bigonville a écrit : > Hi, > > I'm still looking at adding SELinux support in the "at" daemon and I > now have the following patch[0]. > > With this patch, at seems to behave like the cron daemon, as explained > in the commit log: > > - When cron_userdomain_transition is set to off, a process for an > unconfined user will transition to unconfined_cronjob_t. For > confined > user, the job is run as cronjob_t. > > - When cron_userdomain_transition is set to on, the processes are run > under the user default context. > > But every time an AVC denial is generated (with > cron_userdomain_transition set to off and the user running as staff_u, > in permissive with unmodified refpolicy): > > avc: denied { entrypoint } for scontext=staff_u:staff_r:cronjob_t:s0 > tcontext=staff_u:object_r:user_cron_spool_t:s0 tclass=file > > The job runs as (id -Z): staff_u:staff_r:cronjob_t:s0 > > But audit2{allow,why} are saying that this is already allowed in the > policy > > Setting the cron_userdomain_transition boolean to on, I have the > following avc: > > avc: denied { entrypoint } for scontext=staff_u:sysadm_r:sysadm_t:s0 > tcontext=staff_u:object_r:user_cron_spool_t:s0 tclass=file > > The job runs as (id -Z): staff_u:sysadm_r:sysadm_t:s0 > > So as said it seems to work, but I'm not sure why this AVC denial is > generated. > > sesearch shows: > > $ sesearch -ATSC -t user_cron_spool_t -c file -p entrypoint > Found 6 semantic av rules: > allow files_unconfined_type file_type : file { ioctl read write > create getattr setattr lock relabelfrom relabelto append unlink link > rename execute swapon quotaon mounton execute_no_trans entrypoint open > audit_access } ; > DT allow unconfined_t user_cron_spool_t : file entrypoint ; [ > cron_userdomain_transition ] > DT allow user_t user_cron_spool_t : file entrypoint ; [ > cron_userdomain_transition ] > EF allow cronjob_t user_cron_spool_t : file entrypoint ; [ > cron_userdomain_transition ] > DT allow staff_t user_cron_spool_t : file entrypoint ; [ > cron_userdomain_transition ] > DT allow sysadm_t user_cron_spool_t : file entrypoint ; [ > cron_userdomain_transition ] > > Did I overlooked something? > > Cheers, > > Laurent Bigonville > > [0] > https://anonscm.debian.org/cgit/users/bigon/at.git/commit/?h=selinux&id=0112f006b74a36f7200e315575fd25d78e11b170 I'm attaching the patch to this mail for the people that cannot access the website and FTR. Cheers, Laurent Bigonville