Add missing rules to make unconfined_cronjob_t a valid cron job domain.
unconfined_cronjob_t is not a valid cron job domain because the cron module lacks a transition from crond to the unconfined_cronjob_t domain. This adds the transition and also a constraint exemption, since the transition typically also involves a seuser and role change.
parent
97e42114db
commit
2a77737d4e
@ -1,3 +1,4 @@
|
|||||||
|
- Add missing rules to make unconfined_cronjob_t a valid cron job domain.
|
||||||
- Add btrfs and ext4 to labeling targets.
|
- Add btrfs and ext4 to labeling targets.
|
||||||
- Fix infrastructure to expand macros in initrc_context when installing.
|
- Fix infrastructure to expand macros in initrc_context when installing.
|
||||||
- Handle unix_chkpwd usage by useradd and groupadd.
|
- Handle unix_chkpwd usage by useradd and groupadd.
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(cron, 2.1.0)
|
policy_module(cron, 2.1.1)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
class passwd rootok;
|
class passwd rootok;
|
||||||
@ -95,6 +95,7 @@ ifdef(`enable_mcs',`
|
|||||||
|
|
||||||
type unconfined_cronjob_t;
|
type unconfined_cronjob_t;
|
||||||
domain_type(unconfined_cronjob_t)
|
domain_type(unconfined_cronjob_t)
|
||||||
|
domain_cron_exemption_target(unconfined_cronjob_t)
|
||||||
|
|
||||||
# Type of user crontabs once moved to cron spool.
|
# Type of user crontabs once moved to cron spool.
|
||||||
type user_cron_spool_t, cron_spool_type;
|
type user_cron_spool_t, cron_spool_type;
|
||||||
@ -589,5 +590,13 @@ optional_policy(`
|
|||||||
#
|
#
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
# Permit a transition from the crond_t domain to this domain.
|
||||||
|
# The transition is requested explicitly by the modified crond
|
||||||
|
# via setexeccon. There is no way to set up an automatic
|
||||||
|
# transition, since crontabs are configuration files, not executables.
|
||||||
|
allow crond_t unconfined_cronjob_t:process transition;
|
||||||
|
dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
|
||||||
|
allow crond_t unconfined_cronjob_t:fd use;
|
||||||
|
|
||||||
unconfined_domain(unconfined_cronjob_t)
|
unconfined_domain(unconfined_cronjob_t)
|
||||||
')
|
')
|
||||||
|
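Review bot: The added `domain_cron_exemption_target(unconfined_cronjob_t)` line in the hunk at -95 carries no comment, although per the commit description it is what exempts the transition from the constraints that would otherwise block the seuser and role change. I would add above it `# Constraint exemption target: crond changes seuser and role when it transitions into this domain.` so the exemption is not read as incidental. In the hunk at -589, the `dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };` rule would also benefit from a line stating that these permissions are left denied on purpose, for example `# Deliberately not allowed: keep the AT_SECURE, signal-state and rlimit resets on entry to the unconfined domain.` It may also be worth confirming that the exemption line, which as far as the hunk shows sits outside the `optional_policy` block that holds `unconfined_domain(unconfined_cronjob_t)`, is meant to apply even when the unconfined module is absent.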