| Summary: | sys-process/fcron - fcrontab unable to properly handle su user | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | vespian <gentooorg> |
| Component: | SELinux | Assignee: | SE Linux Bugs <selinux> |
| Status: | RESOLVED NEEDINFO | | |
| Severity: | enhancement | CC: | cron-bugs+disabled, flameeyes |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | emerge --info, test-relabel.c, test-relabel_policy.fc, test-relabel_policy.te | | |

Description
vespian
2013-02-23 18:42:52 UTC
Created attachment 339832
test-relabel.c
POC code

Created attachment 339834
test-relabel_policy.fc

Created attachment 339836
test-relabel_policy.te

I think that I wrongly set the Component field - it should be SELinux. Sorry.

@selinux please advise on these bugs, or simply fix them if something's there to fix.

Hi vespian

I don't think it makes much sense to try and patch fcron code. See also http://oss.tresys.com/pipermail/refpolicy/2013-January/006297.html

I'd rather focus on policy - so either we document that for fcron, UBAC will need to be disabled or users will need to relabel the files when needed or the cron_userdomain_transition boolean is enabled or ... Lots of things we might do to resolve this.

Does fcron work properly with cron_userdomain_transition enabled?

Hi,

Sorry for the late answer, I was deep underwater with other stuff.

(In reply to comment #6)
> Hi vespian
>
> I don't think it makes much sense to try and patch fcron code. See also
> http://oss.tresys.com/pipermail/refpolicy/2013-January/006297.html
>
> I'd rather focus on policy -

Not sure if we can address all the issues without making the software SELinux aware :|

> so either we document that for fcron

Documenting will not be of much help unless we put big fat warning somewhere in fcron itself (shown if it detects UBAC enabled SELinux). People will still have to waste some time googling it out.

> UBAC will need to be disabled or

It will not solve the problem of systab fcrontab. Manual relabel of this file will still be necessary.

> users will need to relabel the files when needed or
> the cron_userdomain_transition boolean is enabled or ... Lots of things we
> might do to resolve this.
>
> Does fcron work properly with cron_userdomain_transition enabled?

I will test this.

The bottom line is that it would be nice to have easy and integrated solution so that people will not have to debug/google/manually fix. Linux is complicated enough without it :)

Thanks
pr

Hi,

I checked the policy source and tested the cron_userdomain_transition boolean - it does not solve the problem, it only disables the AVC messages and my main issue still persists.

To put it short - I do not want to disable UBAC (I like this feature) and do not think that we can solve this problem only by patching policy without making it difficult for less experienced users. Despite the fact that fcron is not perfect (and messy by design :), it is maintained and I have not found anything with similar functionality and fully supported by SELinux.

So I can try to prepare the patches and fix the policy for fcron, but I need your opinion whether relabeling approach is correct provided that we want a solution where people do not have to debug/google/manually fix anything.

What do you think?

pr

Let's start focusing on the policy first, before updating the code. If we do need to patch the code, then it has to be accepted upstream - we don't have the resources to maintain deviating patches imo.

So you say the *tab files get the wrong context after creating? What is the context of the user that you run in, and what is the context of the file when it is stored? What context should the file be in order for the fcron daemon to work properly?

Please reopen if the necessary information is at hand.