From mboxrd@z Thu Jan 1 00:00:00 1970 From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Tue, 8 Dec 2015 09:39:03 -0500 Subject: [refpolicy] [PATCH v2] Allow the user cronjobs to run in their userdomain In-Reply-To: <1449159248-15112-1-git-send-email-bigon@debian.org> References: <1449159248-15112-1-git-send-email-bigon@debian.org> Message-ID: <5666EB87.3020606@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/3/2015 11:14 AM, Laurent Bigonville wrote:
> From: Laurent Bigonville
>
> When cron_userdomain_transition boolean is set to on, the user cronjobs
> are supposed to run in their domains. Without this patch the default
> context is not properly computed:
>
> $ /usr/sbin/getdefaultcon user_u system_u:system_r:crond_t:s0
> /usr/sbin/getdefaultcon: Invalid argument
> $ /usr/sbin/getdefaultcon staff_u system_u:system_r:crond_t:s0
> staff_u:sysadm_r:sysadm_t:s0
>
> With this patch applied:
>
> $ /usr/sbin/getdefaultcon user_u system_u:system_r:crond_t:s0
> user_u:user_r:user_t:s0
> $ /usr/sbin/getdefaultcon staff_ system_u:system_r:crond_t:s0
> staff_u:staff_r:staff_t:s0
Merged.
> ---
> config/appconfig-mcs/default_contexts | 2 +-
> config/appconfig-mcs/staff_u_default_contexts | 2 +-
> config/appconfig-mcs/user_u_default_contexts | 2 +-
> config/appconfig-mls/default_contexts | 2 +-
> config/appconfig-mls/staff_u_default_contexts | 2 +-
> config/appconfig-mls/user_u_default_contexts | 2 +-
> config/appconfig-standard/default_contexts | 2 +-
> config/appconfig-standard/staff_u_default_contexts | 2 +-
> config/appconfig-standard/user_u_default_contexts | 2 +-
> 9 files changed, 9 insertions(+), 9 deletions(-)
>
> diff --git a/config/appconfig-mcs/default_contexts b/config/appconfig-mcs/default_contexts
> index 801d97b..698d54c 100644
> --- a/config/appconfig-mcs/default_contexts
> +++ b/config/appconfig-mcs/default_contexts
> @@ -1,4 +1,4 @@
> -system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
> +system_r:crond_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
> system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
> system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
> system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
> diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts
> index 881a292..5606c4e 100644
> --- a/config/appconfig-mcs/staff_u_default_contexts
> +++ b/config/appconfig-mcs/staff_u_default_contexts
> @@ -1,7 +1,7 @@
> system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
> system_r:remote_login_t:s0 staff_r:staff_t:s0
> system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
> -system_r:crond_t:s0 staff_r:cronjob_t:s0
> +system_r:crond_t:s0 staff_r:staff_t:s0 staff_r:cronjob_t:s0
> system_r:xdm_t:s0 staff_r:staff_t:s0
> staff_r:staff_su_t:s0 staff_r:staff_t:s0
> staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
> diff --git a/config/appconfig-mcs/user_u_default_contexts b/config/appconfig-mcs/user_u_default_contexts
> index cacbc93..56d6071 100644
> --- a/config/appconfig-mcs/user_u_default_contexts
> +++ b/config/appconfig-mcs/user_u_default_contexts
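Review bot: The position of `user_r:user_t:s0` ahead of `user_r:cronjob_t:s0` on the `system_r:crond_t:s0` line is now load-bearing in a non-obvious way — the description's before/after outputs are consistent with libselinux taking the first listed entry the policy actually lets crond_t reach, so user_t only wins when `cron_userdomain_transition` permits that transition, and for a multi-role user this generic file now prefers user_t, then staff_t, then sysadm_t, then unconfined_t. The diffstat touches only the staff_u and user_u per-user files; if these directories also carry a `root_default_contexts` whose crond_t line still lists only the `*cronjob_t` types (not visible here), then with the boolean on none of root's own entries match, the choice falls through to this line, and a root user holding user_r or staff_r would get `user_t`/`staff_t` for its cron jobs instead of `sysadm_t`/`unconfined_t`. That file, and any other per-user contexts file with a crond_t line, should get the same treatment with its own preferred order, e.g. `system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 ... unconfined_r:unconfined_cronjob_t:s0 sysadm_r:cronjob_t:s0 ...`. None of these files carries a comment, so the rationale for the ordering belongs in the commit message or in the cron module's description of the tunable.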
> @@ -1,7 +1,7 @@
> system_r:local_login_t:s0 user_r:user_t:s0
> system_r:remote_login_t:s0 user_r:user_t:s0
> system_r:sshd_t:s0 user_r:user_t:s0
> -system_r:crond_t:s0 user_r:cronjob_t:s0
> +system_r:crond_t:s0 user_r:user_t:s0 user_r:cronjob_t:s0
> system_r:xdm_t:s0 user_r:user_t:s0
> user_r:user_su_t:s0 user_r:user_t:s0
> user_r:user_sudo_t:s0 user_r:user_t:s0
> diff --git a/config/appconfig-mls/default_contexts b/config/appconfig-mls/default_contexts
> index 801d97b..698d54c 100644
> --- a/config/appconfig-mls/default_contexts
> +++ b/config/appconfig-mls/default_contexts
> @@ -1,4 +1,4 @@
> -system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
> +system_r:crond_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
> system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
> system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
> system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
> diff --git a/config/appconfig-mls/staff_u_default_contexts b/config/appconfig-mls/staff_u_default_contexts
> index 881a292..5606c4e 100644
> --- a/config/appconfig-mls/staff_u_default_contexts
> +++ b/config/appconfig-mls/staff_u_default_contexts
> @@ -1,7 +1,7 @@
> system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
> system_r:remote_login_t:s0 staff_r:staff_t:s0
> system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
> -system_r:crond_t:s0 staff_r:cronjob_t:s0
> +system_r:crond_t:s0 staff_r:staff_t:s0 staff_r:cronjob_t:s0
> system_r:xdm_t:s0 staff_r:staff_t:s0
> staff_r:staff_su_t:s0 staff_r:staff_t:s0
> staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
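Review bot: The change is demonstrated only with `cron_userdomain_transition` on; placing `user_r:user_t:s0` ahead of `user_r:cronjob_t:s0` on the `system_r:crond_t:s0` line is safe only if the unreachable entry is skipped when the policy denies the crond_t→user_t transition, so with the boolean off `getdefaultcon user_u system_u:system_r:crond_t:s0` must still return `user_u:user_r:cronjob_t:s0`. That output belongs in the commit message next to the boolean-on case, because it is the regression to watch for whenever the cron module's transition rules change (the second post-patch invocation there also reads `staff_` where `staff_u` is evidently meant, given the `staff_u:staff_r:staff_t:s0` result). None of the nine files carries a comment, so there is nowhere in the data itself to record that list order encodes preference; the commit message and the tunable's description are the places to say it.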
> diff --git a/config/appconfig-mls/user_u_default_contexts b/config/appconfig-mls/user_u_default_contexts
> index cacbc93..56d6071 100644
> --- a/config/appconfig-mls/user_u_default_contexts
> +++ b/config/appconfig-mls/user_u_default_contexts
> @@ -1,7 +1,7 @@
> system_r:local_login_t:s0 user_r:user_t:s0
> system_r:remote_login_t:s0 user_r:user_t:s0
> system_r:sshd_t:s0 user_r:user_t:s0
> -system_r:crond_t:s0 user_r:cronjob_t:s0
> +system_r:crond_t:s0 user_r:user_t:s0 user_r:cronjob_t:s0
> system_r:xdm_t:s0 user_r:user_t:s0
> user_r:user_su_t:s0 user_r:user_t:s0
> user_r:user_sudo_t:s0 user_r:user_t:s0
> diff --git a/config/appconfig-standard/default_contexts b/config/appconfig-standard/default_contexts
> index 64a0a90..25ee341 100644
> --- a/config/appconfig-standard/default_contexts
> +++ b/config/appconfig-standard/default_contexts
> @@ -1,4 +1,4 @@
> -system_r:crond_t user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_cronjob_t unconfined_r:unconfined_cronjob_t
> +system_r:crond_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_cronjob_t unconfined_r:unconfined_cronjob_t
> system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
> system_r:remote_login_t user_r:user_t staff_r:staff_t unconfined_r:unconfined_t
> system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
> diff --git a/config/appconfig-standard/staff_u_default_contexts b/config/appconfig-standard/staff_u_default_contexts
> index c2a5ea8..300694c 100644
> --- a/config/appconfig-standard/staff_u_default_contexts
> +++ b/config/appconfig-standard/staff_u_default_contexts
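Review bot: The mcs and mls copies of these files are byte-identical before and after the change — the blob ids `801d97b..698d54c`, `881a292..5606c4e` and `cacbc93..56d6071` repeat across both directories — and the standard variant differs only by the missing `:s0` suffix, so this one-line ordering fix had to be applied nine times by hand. A future edit that reaches only some of the variants would silently give MLS, MCS and non-MLS builds different default domains for cron jobs, and nothing in the tree visibly checks for that. Consider generating the mcs/mls files from the standard ones at build time by appending the level, or at least adding a build-time check that the three variants agree modulo the level suffix; for this patch the three `system_r:crond_t` lines do agree.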
> @@ -1,7 +1,7 @@
> system_r:local_login_t staff_r:staff_t sysadm_r:sysadm_t
> system_r:remote_login_t staff_r:staff_t
> system_r:sshd_t staff_r:staff_t sysadm_r:sysadm_t
> -system_r:crond_t staff_r:cronjob_t
> +system_r:crond_t staff_r:staff_t staff_r:cronjob_t
> system_r:xdm_t staff_r:staff_t
> staff_r:staff_su_t staff_r:staff_t
> staff_r:staff_sudo_t staff_r:staff_t
> diff --git a/config/appconfig-standard/user_u_default_contexts b/config/appconfig-standard/user_u_default_contexts
> index f5bfac3..63b7eec 100644
> --- a/config/appconfig-standard/user_u_default_contexts
> +++ b/config/appconfig-standard/user_u_default_contexts
> @@ -1,7 +1,7 @@
> system_r:local_login_t user_r:user_t
> system_r:remote_login_t user_r:user_t
> system_r:sshd_t user_r:user_t
> -system_r:crond_t user_r:cronjob_t
> +system_r:crond_t user_r:user_t user_r:cronjob_t
> system_r:xdm_t user_r:user_t
> user_r:user_su_t user_r:user_t
> user_r:user_sudo_t user_r:user_t
-- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com