[DSE-Dev] cron broken in SELinux enforced mode due to system_u login mapping removal
Laurent Bigonville
bigon at debian.org
Tue Oct 3 13:31:25 UTC 2017
tag 857662 + patch
thanks
On Mon, 13 Mar 2017 21:09:13 +0100 cgzones <cgzones at googlemail.com> wrote:
> Hi,
> with the removal of the SELinux login entry for system_u [1], cron
> stops working.
>
> get_security_context [2] expects a NULL name when called for a system
> cronjob.
> But it is called with "system_u" [2].
>
> It worked so far because getseuserbyname [3] translated the incorrect
> name value "system_u" still to the "system_u" seuser.
>
> Best regards,
> Christian Göttsche
>
> [1] https://github.com/TresysTechnology/refpolicy/commit/79f31a04739dad7c7369616cd7c666a57c365511
> [2] https://sources.debian.net/src/cron/3.0pl1-128/user.c/?hl=120#L218
> [3] https://sources.debian.net/src/cron/3.0pl1-128/user.c/?hl=120#L51
The attached patch is a bit more complete. That way cron stops depending
on refpolicy-specific identifiers.
I'm thinking about uploading my patch to unstable in the following days
and then to stable.
Cheers,
Laurent Bigonville
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 857662.patch
Type: text/x-patch
Size: 1566 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/selinux-devel/attachments/20171003/1d7222c3/attachment.bin>