On 23/11/15 16:34, Laurent Bigonville wrote:
> On 23/11/15 01:53, Laurent Bigonville wrote:
>> Hi,
>>
>> I'm still looking at adding SELinux support in the "at" daemon and I
>> now have the following patch[0].
>>
>> With this patch, at seems to behave like the cron daemon, as
>> explained in the commit log:
>>
>> - When cron_userdomain_transition is set to off, a process for an
>>   unconfined user will transition to unconfined_cronjob_t. For a
>>   confined user, the job is run as cronjob_t.
>>
>> - When cron_userdomain_transition is set to on, the processes are
>>   run under the user default context.
>>
>> But every time, an AVC denial is generated (with
>> cron_userdomain_transition set to off and the user running as
>> staff_u, in permissive with unmodified refpolicy):
>>
>> avc: denied { entrypoint } for scontext=staff_u:staff_r:cronjob_t:s0
>> tcontext=staff_u:object_r:user_cron_spool_t:s0 tclass=file
>>
>> The job runs as (id -Z): staff_u:staff_r:cronjob_t:s0
>>
>> But audit2{allow,why} are saying that this is already allowed in the
>> policy.
>>
>> Setting the cron_userdomain_transition boolean to on, I have the
>> following avc:
>>
>> avc: denied { entrypoint } for scontext=staff_u:sysadm_r:sysadm_t:s0
>> tcontext=staff_u:object_r:user_cron_spool_t:s0 tclass=file
>>
>> The job runs as (id -Z): staff_u:sysadm_r:sysadm_t:s0
>>
>> So as said it seems to work, but I'm not sure why this AVC denial is
>> generated.
>>
>> sesearch shows:
>>
>> $ sesearch -ATSC -t user_cron_spool_t -c file -p entrypoint
>> Found 6 semantic av rules:
>> allow files_unconfined_type file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton execute_no_trans entrypoint open audit_access } ;
>> DT allow unconfined_t user_cron_spool_t : file entrypoint ; [ cron_userdomain_transition ]
>> DT allow user_t user_cron_spool_t : file entrypoint ; [ cron_userdomain_transition ]
>> EF allow cronjob_t user_cron_spool_t : file entrypoint ; [ cron_userdomain_transition ]
>> DT allow staff_t user_cron_spool_t : file entrypoint ; [ cron_userdomain_transition ]
>> DT allow sysadm_t user_cron_spool_t : file entrypoint ; [ cron_userdomain_transition ]
>>
>> Did I overlook something?
>>
>> Cheers,
>>
>> Laurent Bigonville
>>
>> [0] https://anonscm.debian.org/cgit/users/bigon/at.git/commit/?h=selinux&id=0112f006b74a36f7200e315575fd25d78e11b170
>
> I'm attaching the patch to this mail for the people that cannot access
> the website and FTR.

And it was of course the wrong one...
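Cross-checking the two AVC records above against the boolean-gated sesearch rules, as an added example that is not part of this thread or of the at patch. It assumes the usual reading of sesearch -C flags (E/D = rule enabled/disabled in the policy file read, T/F = rule in the true/false branch of its boolean); the attribute map and the trimmed permission list of the unconditional rule are constructed sample data.

```python
import re
from collections import namedtuple

# sesearch -C prefixes conditional rules with two letters (assumed reading of setools 3 output):
# E/D = rule currently Enabled/Disabled in the policy read, T/F = rule sits in the true/false branch.
RULE_RE = re.compile(r"^(?:(?P<flag>[DE][TF])\s+)?allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)"
                     r"\s+(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\S+))\s*;(?:\s*\[\s*(?P<bool>\S+)\s*\])?")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?scontext=(?P<src>\S+)\s+"
                    r"tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)")
# boolean is None for unconditional rules; branch is True/False for the branch the rule lives in
Rule = namedtuple("Rule", "src tgt cls perms boolean branch")

def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    perms = m.group("perms") if m.group("perms") is not None else m.group("perm")
    branch = None if m.group("flag") is None else m.group("flag")[1] == "T"
    return Rule(m.group("src"), m.group("tgt"), m.group("cls"), frozenset(perms.split()), m.group("bool"), branch)

def parse_avc(line):
    """Return (denied perms, source type, target type, class); a context is user:role:type[:range]."""
    m = AVC_RE.search(line)
    return (frozenset(m.group("perms").split()), m.group("src").split(":")[2],
            m.group("tgt").split(":")[2], m.group("cls")) if m else None

def rule_active(rule, booleans):
    """Unconditional rules are always active; conditional ones only when the boolean matches the branch."""
    return rule.boolean is None or booleans.get(rule.boolean, False) == rule.branch

def explain(avc_line, rule_lines, booleans, attrs):
    """Active rules granting every denied permission; attrs maps an attribute to the types it holds."""
    perms, stype, ttype, cls = parse_avc(avc_line)
    def covers(name, typ):  # a rule's source/target is either a type or an attribute
        return name == typ or typ in attrs.get(name, set())
    return [r for r in map(parse_rule, rule_lines) if r and r.cls == cls and perms <= r.perms
            and covers(r.src, stype) and covers(r.tgt, ttype) and rule_active(r, booleans)]

# Constructed sample input, copied from the thread (the unconditional rule's permission list is trimmed)
RULES = [
    "allow files_unconfined_type file_type : file { read write execute entrypoint open } ;",
    "EF allow cronjob_t user_cron_spool_t : file entrypoint ; [ cron_userdomain_transition ]",
    "DT allow sysadm_t user_cron_spool_t : file entrypoint ; [ cron_userdomain_transition ]",
]
ATTRS = {"file_type": {"user_cron_spool_t"}, "files_unconfined_type": set()}  # assumed: cronjob_t is confined
AVC_CRONJOB = ("avc: denied { entrypoint } for scontext=staff_u:staff_r:cronjob_t:s0 "
               "tcontext=staff_u:object_r:user_cron_spool_t:s0 tclass=file")
AVC_SYSADM = ("avc: denied { entrypoint } for scontext=staff_u:sysadm_r:sysadm_t:s0 "
              "tcontext=staff_u:object_r:user_cron_spool_t:s0 tclass=file")
```

With the boolean off, explain() finds the active EF rule for cronjob_t, and with it on, the DT rule for sysadm_t, which is the same conclusion audit2why reports. When a denial is still logged despite an active matching rule, compare the runtime value from getsebool with the boolean state in the policy file sesearch read, since setsebool without -P changes only the former.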