fixfile.cron added.

Stephen Smalley sds at epoch.ncsc.mil
Thu Jul 8 19:00:58 UTC 2004


On Thu, 2004-07-08 at 14:40, Daniel J Walsh wrote:
> We might want to add a tunable to allow system_crond_t to exec 
> setfiles_t.   You can modify the
> /etc/selinux/config file and add
> CRONTYPE="restore"
> CRONMAILTO="dwalsh at redhat.com"
> 
> Which would cause setfiles to restore the security contexts when
> fixfiles.cron runs, and send mail to the specified user.

Patch below (replaces patch sent earlier for running setfiles without
changing domains just to check contexts).

Index: policy/domains/program/crond.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/crond.te,v
retrieving revision 1.23
diff -u -r1.23 crond.te
--- policy/domains/program/crond.te	16 Jun 2004 17:07:45 -0000	1.23
+++ policy/domains/program/crond.te	8 Jul 2004 18:56:41 -0000
@@ -194,3 +194,10 @@
 dontaudit userdomain system_crond_t:fd { use };
 
 r_dir_file(crond_t, selinux_config_t)
+
+ifdef(`cron_can_relabel', `
+domain_auto_trans(system_crond_t, setfiles_exec_t, setfiles_t)
+', `
+r_dir_file(system_crond_t, file_context_t)
+can_getsecurity(system_crond_t)
+')
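Review bot: the non-tunable branch gives system_crond_t read access to file_context_t and can_getsecurity so setfiles can run inside the cron domain for the check-only pass, but nothing in this hunk grants system_crond_t execute access on setfiles_exec_t; unless crond.te already allows that elsewhere, the check run will be denied at exec time, so either verify that or add `can_exec(system_crond_t, setfiles_exec_t)` to the else branch. A one-line comment above the ifdef saying that `cron_can_relabel` switches between a check-only run in system_crond_t and a full relabel via a transition to setfiles_t would also make the two branches self-explanatory to anyone reading the policy later.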
Index: policy/tunables/tunable.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/tunables/tunable.te,v
retrieving revision 1.4
diff -u -r1.4 tunable.te
--- policy/tunables/tunable.te	17 Jun 2004 16:59:30 -0000	1.4
+++ policy/tunables/tunable.te	8 Jul 2004 18:56:09 -0000
@@ -100,3 +100,5 @@
 # Allow user to rw usb devices
 dnl define(`user_rw_usb')
 
+# Allow system cron job to relabel filesystem for restoring file contexts.
+dnl define(`cron_can_relabel')
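Review bot: the comment says what the tunable allows but not what it widens; since defining `cron_can_relabel` lets the system cron domain transition into setfiles_t, which relabels the filesystem, it is worth stating that enabling it extends what system_crond_t can reach and that the define is kept behind `dnl` so it stays off unless an administrator opts in, following the same pattern as the user_rw_usb entry above it.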

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
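Daniel's proposal above has fixfiles.cron read CRONTYPE and CRONMAILTO from /etc/selinux/config, but the script itself is not part of this message. The following is an added example, written for this page and not the fixfiles.cron script or any other project code, of how such a cron job could read those keys without sourcing the config file and choose between a report-only and a restoring setfiles run. The function names, the "check" default when CRONTYPE is unset or unrecognised, the file_contexts path derived from SELINUXTYPE, and the mail(1) pipeline are all assumptions; the sample config is constructed.

```shell
#!/bin/sh
# Added example, not the fixfiles.cron script discussed in the thread.
# Reads the CRONTYPE / CRONMAILTO keys proposed above from an
# /etc/selinux/config-style file and builds the setfiles command line.
# Assumptions: "check" is the default mode, file_contexts lives at
# /etc/selinux/<SELINUXTYPE>/contexts/files/file_contexts, and output is
# mailed with mail(1) when CRONMAILTO is set.

# Print the value of KEY from FILE (last occurrence wins; surrounding
# double quotes and trailing whitespace stripped), or DEFAULT if absent.
# The file is parsed rather than sourced, so nothing else in it executes.
selinux_cfg_get() {
    key=$1 file=$2 default=$3
    val=$(grep "^${key}=" "$file" 2>/dev/null | tail -n 1 | cut -d= -f2- \
          | sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/')
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf '%s\n' "$default"
    fi
}

# Build the setfiles command for MODE ($1) and policy type PTYPE ($2).
# Only an explicit "restore" relabels; anything else gets -n (report,
# change nothing), so a typo in the config can never trigger a relabel.
fixfiles_cron_cmd() {
    fc="/etc/selinux/$2/contexts/files/file_contexts"
    case $1 in
        restore) printf 'setfiles -v %s /\n' "$fc" ;;
        *)       printf 'setfiles -n -v %s /\n' "$fc" ;;
    esac
}

# Print the full pipeline the cron job would run for config file CFG,
# mailing the output when CRONMAILTO is set. Unknown CRONTYPE values are
# normalised to "check" so the mail subject reflects what actually ran.
fixfiles_cron_plan() {
    cfg=$1
    mode=$(selinux_cfg_get CRONTYPE "$cfg" check)
    case $mode in restore) ;; *) mode=check ;; esac
    mailto=$(selinux_cfg_get CRONMAILTO "$cfg" '')
    ptype=$(selinux_cfg_get SELINUXTYPE "$cfg" targeted)
    cmd=$(fixfiles_cron_cmd "$mode" "$ptype")
    if [ -n "$mailto" ]; then
        printf '%s 2>&1 | mail -s "fixfiles.cron (%s)" %s\n' "$cmd" "$mode" "$mailto"
    else
        printf '%s\n' "$cmd"
    fi
}

# Constructed sample config (modelled on /etc/selinux/config) used for
# trying the functions above; prints the temporary file's path.
make_sample_config() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# constructed sample, not a real system's config
SELINUX=enforcing
SELINUXTYPE=targeted
CRONTYPE="restore"
CRONMAILTO="root"
EOF
    printf '%s\n' "$f"
}

# Usage: sh fixfiles_plan.sh /etc/selinux/config
if [ $# -gt 0 ]; then
    fixfiles_cron_plan "$1"
fi
```

The plan only prints the command it would run; the point of the example is the fail-closed dispatch (nothing but a literal `restore` ever drops the `-n`) and that the config is read by pattern rather than sourced, which matters for any script that runs from system_crond_t.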



