authorChris PeBenito <cpebenito@tresys.com>2009-08-12 14:15:39 -0400
committerChris PeBenito <cpebenito@tresys.com>2009-08-12 14:15:39 -0400
commit2a77737d4ea2623a15b9a8307f1784ba6b2d01f6 (patch)
tree2883cde0811efed8ddbcb2d7b5ecb7cf908db208 /policy
parent97e42114dbc2fcf16d41aa3ac0cf09a89f75aeb4 (diff)
Add missing rules to make unconfined_cronjob_t a valid cron job domain.
unconfined_cronjob_t is not a valid cron job domain because the cron module lacks a transition from crond_t to the unconfined_cronjob_t domain. This adds the transition and also a constraints exemption, since the transition typically also changes the SELinux user and role.
Diffstat (limited to 'policy')
-rw-r--r--policy/modules/services/cron.te11
1 files changed, 10 insertions, 1 deletions
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 70b183dd..d73dc117 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -1,5 +1,5 @@
-policy_module(cron, 2.1.0)
+policy_module(cron, 2.1.1)
gen_require(`
class passwd rootok;
@@ -95,6 +95,7 @@ ifdef(`enable_mcs',`
type unconfined_cronjob_t;
domain_type(unconfined_cronjob_t)
+domain_cron_exemption_target(unconfined_cronjob_t)
# Type of user crontabs once moved to cron spool.
type user_cron_spool_t, cron_spool_type;
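Review bot: The new line `domain_cron_exemption_target(unconfined_cronjob_t)` relaxes a process-transition constraint but carries no comment saying why; the reason is only in the commit message (the transition into this domain usually also changes the SELinux user and role), and that rationale belongs next to the rule. Proposed comment above it: `# Exempt from the user/role-change constraint: crond transitions into this domain with a different seuser and role (see policy/constraints).`. If the exemption in policy/constraints keys on the target attribute without also requiring a cron source domain, every domain permitted to transition into unconfined_cronjob_t would inherit the exemption; the only such transition visible in this diff is from crond_t, but that is worth confirming against the constraints file.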
@@ -589,5 +590,13 @@ optional_policy(`
#
optional_policy(`
+ # Permit a transition from the crond_t domain to this domain.
+ # The transition is requested explicitly by the modified crond
+ # via setexeccon. There is no way to set up an automatic
+ # transition, since crontabs are configuration files, not executables.
+ allow crond_t unconfined_cronjob_t:process transition;
+ dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
+ allow crond_t unconfined_cronjob_t:fd use;
+
unconfined_domain(unconfined_cronjob_t)
')
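Review bot: Which cron jobs end up unconfined is decided entirely in crond's userspace, not by policy: `allow crond_t unconfined_cronjob_t:process transition;` lets crond_t request this domain for any job it runs, no entrypoint type is named, and the constraint exemption added earlier in the diff permits the accompanying user/role change, so the policy trusts the modified crond to pick this domain only for the intended users. That trust assumption should be stated in the comment, e.g. `# NOTE: policy cannot restrict which crontabs run here; crond_t is trusted to request this domain only for unconfined users.`. The entrypoint permission presumably comes from the `unconfined_domain()` call below rather than a dedicated entry type, and the role change also needs a role allow (e.g. `allow system_r unconfined_r;`) that is not in this diff — confirm both are provided elsewhere. The `dontaudit` on `noatsecure siginh rlimitinh` means those are still denied (the job gets AT_SECURE and reset signal handlers/rlimits), which is the intended hardening and could be noted too.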