From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH v2] Allow the user cronjobs to run in their userdomain
Date: Tue, 8 Dec 2015 09:39:03 -0500
Message-ID: <5666EB87.3020606@tresys.com>
In-Reply-To: <1449159248-15112-1-git-send-email-bigon@debian.org>
On 12/3/2015 11:14 AM, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
>
> When cron_userdomain_transition boolean is set to on, the user cronjobs
> are supposed to run in their domains. Without this patch the default
> context is not properly computed:
>
> $ /usr/sbin/getdefaultcon user_u system_u:system_r:crond_t:s0
> /usr/sbin/getdefaultcon: Invalid argument
> $ /usr/sbin/getdefaultcon staff_u system_u:system_r:crond_t:s0
> staff_u:sysadm_r:sysadm_t:s0
>
> With this patch applied:
>
> $ /usr/sbin/getdefaultcon user_u system_u:system_r:crond_t:s0
> user_u:user_r:user_t:s0
> $ /usr/sbin/getdefaultcon staff_ system_u:system_r:crond_t:s0
> staff_u:staff_r:staff_t:s0
Merged.
> ---
> config/appconfig-mcs/default_contexts | 2 +-
> config/appconfig-mcs/staff_u_default_contexts | 2 +-
> config/appconfig-mcs/user_u_default_contexts | 2 +-
> config/appconfig-mls/default_contexts | 2 +-
> config/appconfig-mls/staff_u_default_contexts | 2 +-
> config/appconfig-mls/user_u_default_contexts | 2 +-
> config/appconfig-standard/default_contexts | 2 +-
> config/appconfig-standard/staff_u_default_contexts | 2 +-
> config/appconfig-standard/user_u_default_contexts | 2 +-
> 9 files changed, 9 insertions(+), 9 deletions(-)
>
> diff --git a/config/appconfig-mcs/default_contexts b/config/appconfig-mcs/default_contexts
> index 801d97b..698d54c 100644
> --- a/config/appconfig-mcs/default_contexts
> +++ b/config/appconfig-mcs/default_contexts
> @@ -1,4 +1,4 @@
> -system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
> +system_r:crond_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
> system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
> system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
> system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
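Review bot: On the new system_r:crond_t:s0 line, sysadm_r:sysadm_t:s0 becomes a candidate default for cron jobs, while the system_r:remote_login_t:s0 line two lines below leaves sysadm_r out entirely. Please confirm that defaulting a cron job to sysadm_t is intended here; if it is not, drop that entry from the crond_t line and keep only sysadm_r:cronjob_t:s0.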
> diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts
> index 881a292..5606c4e 100644
> --- a/config/appconfig-mcs/staff_u_default_contexts
> +++ b/config/appconfig-mcs/staff_u_default_contexts
> @@ -1,7 +1,7 @@
> system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
> system_r:remote_login_t:s0 staff_r:staff_t:s0
> system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
> -system_r:crond_t:s0 staff_r:cronjob_t:s0
> +system_r:crond_t:s0 staff_r:staff_t:s0 staff_r:cronjob_t:s0
> system_r:xdm_t:s0 staff_r:staff_t:s0
> staff_r:staff_su_t:s0 staff_r:staff_t:s0
> staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
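Review bot: The changed system_r:crond_t:s0 line now depends on entry order, with staff_r:staff_t:s0 ahead of the retained staff_r:cronjob_t:s0, and the commit message shows getdefaultcon output only with cron_userdomain_transition on. Please add the output with the boolean off, so it is clear that the trailing cronjob_t entry is still the one selected in that case.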
> diff --git a/config/appconfig-mcs/user_u_default_contexts b/config/appconfig-mcs/user_u_default_contexts
> index cacbc93..56d6071 100644
> --- a/config/appconfig-mcs/user_u_default_contexts
> +++ b/config/appconfig-mcs/user_u_default_contexts
> @@ -1,7 +1,7 @@
> system_r:local_login_t:s0 user_r:user_t:s0
> system_r:remote_login_t:s0 user_r:user_t:s0
> system_r:sshd_t:s0 user_r:user_t:s0
> -system_r:crond_t:s0 user_r:cronjob_t:s0
> +system_r:crond_t:s0 user_r:user_t:s0 user_r:cronjob_t:s0
> system_r:xdm_t:s0 user_r:user_t:s0
> user_r:user_su_t:s0 user_r:user_t:s0
> user_r:user_sudo_t:s0 user_r:user_t:s0
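Review bot: The retained user_r:cronjob_t:s0 entry on the system_r:crond_t:s0 line was the only candidate before this change, and the commit message reports "Invalid argument" for user_u in that state. Please say in the commit message under which setting that second entry is still expected to match, otherwise it reads as a dead entry to the next person editing this file.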
> diff --git a/config/appconfig-mls/default_contexts b/config/appconfig-mls/default_contexts
> index 801d97b..698d54c 100644
> --- a/config/appconfig-mls/default_contexts
> +++ b/config/appconfig-mls/default_contexts
> @@ -1,4 +1,4 @@
> -system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
> +system_r:crond_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
> system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
> system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
> system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
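Review bot: The index line (801d97b..698d54c) is the same as in the appconfig-mcs/default_contexts hunk, so this file receives the identical crond_t line, but the getdefaultcon runs in the commit message do not say which policy type they were taken on. Please state whether the result was also checked on an MLS build.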
> diff --git a/config/appconfig-mls/staff_u_default_contexts b/config/appconfig-mls/staff_u_default_contexts
> index 881a292..5606c4e 100644
> --- a/config/appconfig-mls/staff_u_default_contexts
> +++ b/config/appconfig-mls/staff_u_default_contexts
> @@ -1,7 +1,7 @@
> system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
> system_r:remote_login_t:s0 staff_r:staff_t:s0
> system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
> -system_r:crond_t:s0 staff_r:cronjob_t:s0
> +system_r:crond_t:s0 staff_r:staff_t:s0 staff_r:cronjob_t:s0
> system_r:xdm_t:s0 staff_r:staff_t:s0
> staff_r:staff_su_t:s0 staff_r:staff_t:s0
> staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
> diff --git a/config/appconfig-mls/user_u_default_contexts b/config/appconfig-mls/user_u_default_contexts
> index cacbc93..56d6071 100644
> --- a/config/appconfig-mls/user_u_default_contexts
> +++ b/config/appconfig-mls/user_u_default_contexts
> @@ -1,7 +1,7 @@
> system_r:local_login_t:s0 user_r:user_t:s0
> system_r:remote_login_t:s0 user_r:user_t:s0
> system_r:sshd_t:s0 user_r:user_t:s0
> -system_r:crond_t:s0 user_r:cronjob_t:s0
> +system_r:crond_t:s0 user_r:user_t:s0 user_r:cronjob_t:s0
> system_r:xdm_t:s0 user_r:user_t:s0
> user_r:user_su_t:s0 user_r:user_t:s0
> user_r:user_sudo_t:s0 user_r:user_t:s0
> diff --git a/config/appconfig-standard/default_contexts b/config/appconfig-standard/default_contexts
> index 64a0a90..25ee341 100644
> --- a/config/appconfig-standard/default_contexts
> +++ b/config/appconfig-standard/default_contexts
> @@ -1,4 +1,4 @@
> -system_r:crond_t user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_cronjob_t unconfined_r:unconfined_cronjob_t
> +system_r:crond_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_cronjob_t unconfined_r:unconfined_cronjob_t
> system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
> system_r:remote_login_t user_r:user_t staff_r:staff_t unconfined_r:unconfined_t
> system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
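Review bot: On the new system_r:crond_t line, unconfined_r:unconfined_t is placed ahead of unconfined_r:unconfined_cronjob_t, yet the commit message covers only user_u and staff_u. Please say whether unconfined users are also meant to follow cron_userdomain_transition, and add a getdefaultcon run for one if so.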
> diff --git a/config/appconfig-standard/staff_u_default_contexts b/config/appconfig-standard/staff_u_default_contexts
> index c2a5ea8..300694c 100644
> --- a/config/appconfig-standard/staff_u_default_contexts
> +++ b/config/appconfig-standard/staff_u_default_contexts
> @@ -1,7 +1,7 @@
> system_r:local_login_t staff_r:staff_t sysadm_r:sysadm_t
> system_r:remote_login_t staff_r:staff_t
> system_r:sshd_t staff_r:staff_t sysadm_r:sysadm_t
> -system_r:crond_t staff_r:cronjob_t
> +system_r:crond_t staff_r:staff_t staff_r:cronjob_t
> system_r:xdm_t staff_r:staff_t
> staff_r:staff_su_t staff_r:staff_t
> staff_r:staff_sudo_t staff_r:staff_t
> diff --git a/config/appconfig-standard/user_u_default_contexts b/config/appconfig-standard/user_u_default_contexts
> index f5bfac3..63b7eec 100644
> --- a/config/appconfig-standard/user_u_default_contexts
> +++ b/config/appconfig-standard/user_u_default_contexts
> @@ -1,7 +1,7 @@
> system_r:local_login_t user_r:user_t
> system_r:remote_login_t user_r:user_t
> system_r:sshd_t user_r:user_t
> -system_r:crond_t user_r:cronjob_t
> +system_r:crond_t user_r:user_t user_r:cronjob_t
> system_r:xdm_t user_r:user_t
> user_r:user_su_t user_r:user_t
> user_r:user_sudo_t user_r:user_t
>
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com