Add missing rules to make unconfined_cronjob_t a valid cron job domain.

Unconfined_cronjob_t is not a valid cron job domain because the cron
module is lacking a transition from the crond to the unconfined_cronjob_t
domain.  This adds the transition and also a constraints exemption since
part of the transition is also a seuser and role change typically.
Chris PeBenito 2009-08-12 14:15:39 -04:00
parent 97e42114db
commit 2a77737d4e
2 changed files with 11 additions and 1 deletions


@ -1,3 +1,4 @@
- Add missing rules to make unconfined_cronjob_t a valid cron job domain.
- Add btrfs and ext4 to labeling targets. - Add btrfs and ext4 to labeling targets.
- Fix infrastructure to expand macros in initrc_context when installing. - Fix infrastructure to expand macros in initrc_context when installing.
- Handle unix_chkpwd usage by useradd and groupadd. - Handle unix_chkpwd usage by useradd and groupadd.


@ -1,5 +1,5 @@
policy_module(cron, 2.1.0) policy_module(cron, 2.1.1)
gen_require(` gen_require(`
class passwd rootok; class passwd rootok;
@ -95,6 +95,7 @@ ifdef(`enable_mcs',`
type unconfined_cronjob_t; type unconfined_cronjob_t;
domain_type(unconfined_cronjob_t) domain_type(unconfined_cronjob_t)
domain_cron_exemption_target(unconfined_cronjob_t)
# Type of user crontabs once moved to cron spool. # Type of user crontabs once moved to cron spool.
type user_cron_spool_t, cron_spool_type; type user_cron_spool_t, cron_spool_type;
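Review bot: domain_cron_exemption_target(unconfined_cronjob_t) only lifts the user/role constraint on the transition if crond_t carries the matching source-side exemption, which is not part of this hunk; please confirm it is already present in the module. A one-line comment above the call would also help, since nothing in the file says why the exemption is needed; the commit message's reason (the transition typically changes seuser and role, which the constraints otherwise block) belongs next to the rule where the next editor will see it.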
@ -589,5 +590,13 @@ optional_policy(`
# #
optional_policy(` optional_policy(`
# Permit a transition from the crond_t domain to this domain.
# The transition is requested explicitly by the modified crond
# via setexeccon. There is no way to set up an automatic
# transition, since crontabs are configuration files, not executables.
allow crond_t unconfined_cronjob_t:process transition;
dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
allow crond_t unconfined_cronjob_t:fd use;
unconfined_domain(unconfined_cronjob_t) unconfined_domain(unconfined_cronjob_t)
') ')
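Review bot: setexeccon() from crond_t requires `allow crond_t self:process setexec;`, which these rules do not add; if crond_t already has it for the other cron job domains, say so in the comment, otherwise the explicit transition the comment describes is denied before the `process transition` rule is consulted. Note also that `allow crond_t unconfined_cronjob_t:fd use;` only covers the crond_t side; the usual complement (the job using crond_t's inherited descriptors and sending sigchld back) is granted by the unconfined_domain(unconfined_cronjob_t) call that follows, so no further rules are needed for the job domain.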