[redhat-lspp] Problem with the current cron patch.

Stephen Smalley sds at tycho.nsa.gov
Thu Oct 26 19:17:39 UTC 2006 

On Thu, 2006-10-26 at 14:57 -0400, Stephen Smalley wrote:
> On Thu, 2006-10-26 at 10:19 -0400, Daniel J Walsh wrote:
> > The current cron patch attempts to allow users to specify the 
> > role/type/mls context for a particular job to run at.  You simply specify
> > 
> > SELINUX_ROLE_TYPE=staff_u:staff_r:staff_crond_t:SystemLow-s0:c15
> > 
> > in the crontab.
> > 
> > The problem is that users logically think they can specify other 
> > roles/types in the file.  Except the  patch is doing an entrypoint check 
> > on the  cron file.    But the only entrypoints defined in policy look 
> > something like this
> > 
> > allow $1_crond_t  $1_spool_cron_t: file entrypoint;
> > 
> > So if the user specifies,
> > 
> > SELINUX_ROLE_TYPE=staff_u:sysadm_r:sysadm_crond_t:SystemLow-s0:c15
> > or
> > SELINUX_ROLE_TYPE=staff_u:sysadm_r:sysadm_t:SystemLow-s0:c15
> > 
> > The entrypoint check fails and the job is denied.    Now we could allow 
> > users to write a loadable policy module that said something like
> > 
> > allow sysadm_t  staff_spool_cron_t: file entrypoint;
> > 
> > But the cron job will fail, because the crond_t is not allowed to 
> > transition to sysadm_t.  So we could force the user to specify 
> > sysadm_crond_t.  Which might work.
> > 
> > I see this as being too confusing for the  user and would like to change 
> > it so the user can only specify MLS values.
> > 
> > SELINUX_MLS_LEVEL=SystemHigh
> > 
> > And then the old mechanism would run the job as 
> > staff_r:staff_crond_t:SystemHigh.
> > 
> > Thoughts?
> 
> I'm not clear on what the current cron patch does, but I had thought
> that it was going to support multi-context cron by maintaining separate
> cron spool files per context, and the user could e.g. create separate
> crontabs for different roles or levels if they were authorized for more
> than one role or level, and could only create each crontab if running in
> that role or level in the first place (such that the crontab was
> properly labeled with a corresponding type and level).  Not by
> specifying a context in the crontab file itself, except possibly for the
> system cron jobs defined by /etc/crontab et al where one might need such
> specification (just as one specifies the user identity in /etc/crontab
> but not in per-user crontabs).
> 
> If crond allows you to specify arbitrary contexts in the crontab file
> itself, that is obviously not good.

At what point was the approach to cron completely redesigned?  Where was
this described?

The current approach is completely unusable AFAICS, not to mention
unsafe.

-- 
Stephen Smalley
National Security Agency

More information about the redhat-lspp mailing list