As one of entrypoint application, crond_t should have had the
files_polyinstantiate_all() interface called so that pam_namespace.so
could work well in crond_t. Otherwise the crond_t lacks the sys_admin
permission to make use of pam_namespace.so
BTW, the allow_polyinstantiation boolean need to be toggled true
accordingly.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Entry point applications such as crond or atd use pam_loginuid.so for
the session phase of their PAM config files to set the process loginuid
attribute. Accordingly logging_set_loginuid interface should have been
called, otherwise we could run into below error message:
type=USER_START msg=audit(1296377641.212:213): user pid=2633 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s15:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=failed)'
type=USER_END msg=audit(1296377641.220:214): user pid=2633 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s15:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=failed)'
type=AVC msg=audit(1296377641.196:212): avc: denied { audit_control } for pid=2633 comm="crond" capability=30 scontext=system_u:system_r:crond_t:s0-s15:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s15:c0.c1023 tclass=capability
BTW, other entrypoint applications such as sshd/login/remote have had
this interface called for their domains.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Unconfined_cronjob_t is not a valid cron job domain because the cron
module is lacking a transition from the crond to the unconfined_cronjob_t
domain. This adds the transition and also a constraints exemption since
part of the transition is also a seuser and role change typically.
The latest revision of the labeled policy patches which enable both labeled
and unlabeled policy support for NetLabel. This revision takes into account
Chris' feedback from the first version and reduces the number of interface
calls in each domain down to two at present: one for unlabeled access, one for
NetLabel access. The older, transport layer specific interfaces, are still
present for use by third-party modules but are not used in the default policy
modules.
trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.
This patch changes the policy to use the netmsg initial SID as the "base"
SID/context for NetLabel packets which only have MLS security attributes.
Currently we use the unlabeled initial SID which makes it very difficult to
distinquish between actual unlabeled packets and those packets which have MLS
security attributes.
