Testing cron script

Colin Walters walters at verbum.org
Fri Aug 20 01:55:02 UTC 2004


On Tue, 2004-08-17 at 11:29 -0700, Bill McCarty wrote:
> Hi all,
> 
> How do folks like to test system Cron scripts, which run in the context 
> system_u:system_r:system_crond_t? The system administrator can't simply 
> invoke them using runcon:
> 
> runcon system_u:system_r:system_crond_t /etc/cron.hourly/test.cron
> 
> because the usual policies don't permit transitions from sysadm_t to 
> system_crond_t.

Right.

> And, modifying the policy to permit such a transition seems to entail 
> authorizing too many permissions, at least for my taste.

The following would probably be sufficient as a hack:

role sysadm_r types system_crond_t;
domain_trans(sysadm_t, bin_t, system_crond_t)

Then invoke runcon like this:

runcon system_u:system_r:system_crond_t /bin/sh /etc/cron.daily/prelink

(We use /bin/sh because etc_t cannot be an entrypoint)

> What am I missing?

Nothing - I think that the major goal of the strict policy is to deny
any interactions on the system that aren't part of "normal" operation.
So normally, the system administrator wouldn't be debugging cron
scripts.

However, now that we have the boolean support, I think it would be nice
to have a "debug" boolean or the like.  This would enable things like
the system administrator running cron scripts directly.  To do this
correctly, I think we would need to have runcon labeled specially,
similar to newrole, so it can be a specific entrypoint for the cron
types, instead of just using bin_t above.
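Added example (not from the mail or the Fedora policy): a toy model of the type-enforcement checks a runcon from sysadm_t into system_crond_t has to pass, run against a constructed policy subset with and without the hack above. It assumes the old domain_trans() macro expands to process:transition, file:execute and file:entrypoint rules; role-allow rules for changing roles are left out, and only the target role's authorization for the target type is checked.

```python
# Toy model of the SELinux checks behind "runcon ... system_crond_t".
# Constructed policy subset for illustration only, not a policy parser.
from dataclasses import dataclass, field


@dataclass
class Policy:
    transition: set = field(default_factory=set)  # (src, dst) process:transition
    execute: set = field(default_factory=set)     # (domain, file_type) file:execute
    entrypoint: set = field(default_factory=set)  # (domain, file_type) file:entrypoint
    role_types: set = field(default_factory=set)  # (role, type) from "role R types T;"

    def domain_trans(self, src, file_type, dst):
        """Assumed expansion of the old domain_trans(src, file_type, dst) macro."""
        self.transition.add((src, dst))
        self.execute.add((src, file_type))
        self.entrypoint.add((dst, file_type))


def check_runcon(policy, src_domain, target_ctx, file_type):
    """Return the reasons the transition would be denied; [] means it succeeds."""
    _user, role, dst = target_ctx.split(":")
    denials = []
    if (role, dst) not in policy.role_types:
        denials.append(f"role {role} is not authorized for type {dst}")
    if (src_domain, file_type) not in policy.execute:
        denials.append(f"{src_domain} may not execute files of type {file_type}")
    if (src_domain, dst) not in policy.transition:
        denials.append(f"{src_domain} may not transition to {dst}")
    if (dst, file_type) not in policy.entrypoint:
        denials.append(f"{file_type} is not an entrypoint for {dst}")
    return denials


CRON_CTX = "system_u:system_r:system_crond_t"


def strict_policy():
    """Constructed stand-in: sysadm_t can run bin_t and etc_t files, but
    nothing lets it enter system_crond_t."""
    p = Policy()
    p.role_types.add(("system_r", "system_crond_t"))
    p.execute.update({("sysadm_t", "bin_t"), ("sysadm_t", "etc_t")})
    return p


def with_hack():
    """strict_policy() plus the two lines proposed in the mail."""
    p = strict_policy()
    p.role_types.add(("sysadm_r", "system_crond_t"))   # role sysadm_r types system_crond_t;
    p.domain_trans("sysadm_t", "bin_t", "system_crond_t")
    return p


if __name__ == "__main__":
    print("strict, script directly:", check_runcon(strict_policy(), "sysadm_t", CRON_CTX, "etc_t"))
    print("hack, via /bin/sh:      ", check_runcon(with_hack(), "sysadm_t", CRON_CTX, "bin_t"))
    print("hack, script directly:  ", check_runcon(with_hack(), "sysadm_t", CRON_CTX, "etc_t"))
```

The last case is why the mail goes through /bin/sh: even with the hack, the etc_t-labelled cron script is not an entrypoint for system_crond_t.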
