Fedora 17, crond and SELinux

Man-wai Chang mwchang at hkbn.net
Thu Aug 2 06:15:29 PDT 2012


On 1/08/2012 8:11 PM, Man-wai Chang wrote:
> Does anyone know how I could make scripts called by crond create/modify
> files using BASH scripts the SELinux way?

Temp fix is to use audit2allow to add custom modules:

     $ cat /var/log/audit/audit.log | audit2allow -m local > local.te
     $ checkmodule -M -m -o local.mod local.te
     $ semodule_package -o local.pp -m local.mod
     $ semodule -i local.pp

Below is local.te:

     module local 1.0;

     require {
             type public_content_t;
             type httpd_sys_content_t;
             type etc_t;
             type system_cronjob_t;
             class dir write;
             class file { write setattr };
     }

     #============= system_cronjob_t ==============
     allow system_cronjob_t etc_t:file write;
     #!!!! The source type 'system_cronjob_t' can write to a 'dir' of the following types:
     # user_home_dir_t, prelink_var_lib_t, innd_log_t, var_lock_t, etc_t, man_t, root_t, tmp_t, system_cronjob_var_lib_t, sysstat_log_t, crond_tmp_t, locate_log_t, var_spool_t, httpd_cache_t, var_log_t, var_lib_t, var_run_t, system_cron_spool_t, spamc_home_t, innd_var_run_t, cyrus_var_lib_t, spamd_var_lib_t, mrtg_log_t, prelink_log_t, root_t

     allow system_cronjob_t httpd_sys_content_t:dir write;
     allow system_cronjob_t httpd_sys_content_t:file { write setattr };
     allow system_cronjob_t public_content_t:file { write setattr };

But isn't this defeating SELinux? Imagine administrators start adding 
custom "allow"s ... :)


-- 
   @~@   Remain silent. Nothing from soldiers and magicians is real!
  / v \  Simplicity is Beauty! May the Force and farces be with you!
/( _ )\ (Fedora 17 i686)  Linux 3.4.6-2.fc17.i686
   ^ ^   21:09:01 up 40 min 1 user load average: 0.00 0.04 0.11
Don't borrow! Don't defraud! Don't do compensated dating! Don't fight! Don't rob! Don't commit suicide! Please consider CSSA (Comprehensive Social Security Assistance):
http://www.swd.gov.hk/tc/index/site_pubsvc/page_socsecu/sub_addressesa
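The worry at the end of the post (that piping audit.log straight into audit2allow and loading the result turns SELinux into a rubber stamp) is best answered by reading the denials before any module is built. The script below is an added example, not part of the original message and not audit2allow's own code: it parses constructed AVC records of the kind auditd writes for a cron job, aggregates them into the same (source type, target type, class) rules audit2allow would emit, and flags any rule that would let the job modify a system-owned type. The sample log lines and the SENSITIVE_TARGETS list are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample records in auditd's AVC format (not taken from the original post).
# Three denials for a cron job writing under /etc and the web root, plus one
# non-AVC record that the parser must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1343890000.123:456): avc:  denied  { write } for  pid=1234 comm="myjob.sh" name="hosts" dev="dm-0" ino=1111 scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1343890001.456:457): avc:  denied  { write } for  pid=1235 comm="myjob.sh" name="html" dev="dm-0" ino=2222 scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1343890002.789:458): avc:  denied  { write setattr } for  pid=1236 comm="myjob.sh" name="index.html" dev="dm-0" ino=3333 scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1343890002.789:458): arch=40000003 syscall=5 success=no exit=-13 a0=bfa1c2d8 comm="myjob.sh"
"""

# Target types that a cron job normally has no business modifying. Any allow
# rule touching them deserves a manual look before it is loaded. This list is
# an assumption for the example, not something derived from the policy itself.
SENSITIVE_TARGETS = {"etc_t", "bin_t", "usr_t", "lib_t", "boot_t", "shell_exec_t"}

# Matches the permission set, both contexts and the object class of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context: str) -> str:
    """Return the type field (third colon-separated part) of an SELinux context."""
    return context.split(":")[2]


def parse_avc(log_text: str) -> dict:
    """Collect denied permissions keyed by (source type, target type, class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH and other non-AVC records
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)


def render_rules(denials: dict) -> list:
    """Render each aggregated denial as an allow rule in .te syntax."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


def flag_risky(denials: dict, sensitive=SENSITIVE_TARGETS) -> list:
    """Return warnings for rules that would grant modification of a sensitive type."""
    warnings = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        if ttype in sensitive and perms & {"write", "append", "create", "unlink", "setattr"}:
            warnings.append(
                f"{stype} -> {ttype}:{tclass} {sorted(perms)}: "
                "grants modification of a system-owned type; review before loading"
            )
    return warnings


if __name__ == "__main__":
    denials = parse_avc(SAMPLE_AUDIT_LOG)
    print("\n".join(render_rules(denials)))
    for w in flag_risky(denials):
        print("WARNING:", w)
```

Run against the constructed log it prints the three rules from the post's local.te and one warning for the etc_t:file write; audit2allow itself drops the braces around a single permission, but checkmodule accepts both spellings. Feeding a real /var/log/audit/audit.log into parse_avc gives a reviewable summary of what a generated module would open up, which is the step the one-liner in the post skips.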

