From 2a77737d4ea2623a15b9a8307f1784ba6b2d01f6 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Aug 12 2009 18:15:39 +0000 Subject: Add missing rules to make unconfined_cronjob_t a valid cron job domain. Unconfined_cronjob_t is not a valid cron job domain because the cron module is lacking a transition from the crond to the unconfined_cronjob_t domain. This adds the transition and also a constraints exemption since part of the transition is also a seuser and role change typically. --- diff --git a/Changelog b/Changelog index d2d030c..9e53df0 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,4 @@ +- Add missing rules to make unconfined_cronjob_t a valid cron job domain. - Add btrfs and ext4 to labeling targets. - Fix infrastructure to expand macros in initrc_context when installing. - Handle unix_chkpwd usage by useradd and groupadd. diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te index 70b183d..d73dc11 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -1,5 +1,5 @@ -policy_module(cron, 2.1.0) +policy_module(cron, 2.1.1) gen_require(` class passwd rootok; @@ -95,6 +95,7 @@ ifdef(`enable_mcs',` type unconfined_cronjob_t; domain_type(unconfined_cronjob_t) +domain_cron_exemption_target(unconfined_cronjob_t) # Type of user crontabs once moved to cron spool. type user_cron_spool_t, cron_spool_type; @@ -589,5 +590,13 @@ optional_policy(` # optional_policy(` + # Permit a transition from the crond_t domain to this domain. + # The transition is requested explicitly by the modified crond + # via setexeccon. There is no way to set up an automatic + # transition, since crontabs are configuration files, not executables. + allow crond_t unconfined_cronjob_t:process transition; + dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh }; + allow crond_t unconfined_cronjob_t:fd use; + unconfined_domain(unconfined_cronjob_t) ')