[redhat-lspp] Problem with the current cron patch.

Daniel J Walsh dwalsh at redhat.com
Thu Oct 26 14:19:17 UTC 2006


The current cron patch attempts to allow users to specify the
role/type/MLS context for a particular job to run at. You simply specify

SELINUX_ROLE_TYPE=staff_u:staff_r:staff_crond_t:SystemLow-s0:c15

in the crontab.

The problem is that users logically think they can specify other
roles/types in the file, except that the patch is doing an entrypoint check
on the cron file, and the only entrypoints defined in policy look
something like this:

allow $1_crond_t  $1_spool_cron_t: file entrypoint;

So if the user specifies,

SELINUX_ROLE_TYPE=staff_u:sysadm_r:sysadm_crond_t:SystemLow-s0:c15
or
SELINUX_ROLE_TYPE=staff_u:sysadm_r:sysadm_t:SystemLow-s0:c15

The entrypoint check fails and the job is denied. Now we could allow
users to write a loadable policy module that said something like

allow sysadm_t  staff_spool_cron_t: file entrypoint;

But the cron job will fail, because crond_t is not allowed to
transition to sysadm_t. So we could force the user to specify
sysadm_crond_t, which might work.

I see this as being too confusing for the user and would like to change
it so the user can only specify MLS values.

SELINUX_MLS_LEVEL=SystemHigh

And then the old mechanism would run the job as 
staff_r:staff_crond_t:SystemHigh.

Thoughts?

Dan
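The two checks the mail walks through (the entrypoint check on the crontab file, then the transition crond_t needs into the job domain), as an added illustration that is not code from the cron patch or from SELinux. The policy is a constructed toy: it contains only entrypoint rules of the shape quoted above, `allow $1_crond_t $1_spool_cron_t:file entrypoint`, plus an assumed `allow crond_t $1_crond_t:process transition` rule per role; the mapping from login role to default job domain (staff_r to staff_crond_t and so on) is likewise an assumption standing in for "the old mechanism". The crontab fragments at the bottom are constructed from the mail's own examples.

```python
"""Model of the checks that gate a crontab-supplied SELinux context.

Added illustration; not code from the cron patch or from SELinux.
The policy is a constructed toy: the entrypoint rule shape quoted in
the mail (allow $1_crond_t $1_spool_cron_t:file entrypoint) plus an
ASSUMED "allow crond_t $1_crond_t:process transition" rule per role.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

Rule = Tuple[str, str]
Policy = Dict[str, Set[Rule]]   # "entrypoint": {(domain, file_type)}
                                # "transition": {(src_domain, dst_domain)}

ROLES = ("staff", "sysadm", "user")

TOY_POLICY: Policy = {
    "entrypoint": {(f"{r}_crond_t", f"{r}_spool_cron_t") for r in ROLES},
    "transition": {("crond_t", f"{r}_crond_t") for r in ROLES},  # assumed
}

# Domain the "old mechanism" derives from the login role (assumption).
DEFAULT_JOB_DOMAIN = {f"{r}_r": f"{r}_crond_t" for r in ROLES}

# user:role:type:level; the MLS level may itself contain ':' (s0:c15).
CONTEXT_RE = re.compile(r"^([^:\s]+):([^:\s]+):([^:\s]+):(\S+)$")


def parse_context(ctx: str) -> Tuple[str, str, str, str]:
    """Split a context into (user, role, type, level)."""
    m = CONTEXT_RE.match(ctx)
    if not m:
        raise ValueError(f"malformed context: {ctx!r}")
    return m.groups()


def with_module(policy: Policy, kind: str, rule: Rule) -> Policy:
    """Copy of policy with one extra allow rule, standing in for a loadable
    module such as 'allow sysadm_t staff_spool_cron_t:file entrypoint;'."""
    new = {k: set(v) for k, v in policy.items()}
    new[kind].add(rule)
    return new


def check_job_context(ctx: str, spool_type: str, policy: Policy = TOY_POLICY,
                      crond_domain: str = "crond_t") -> Tuple[bool, str]:
    """May crond run a job in ctx from a crontab file labelled spool_type?

    Check 1 is the patch's entrypoint check on the crontab file; check 2 is
    the transition crond_t needs into the job domain, which still fails when
    a module adds only the entrypoint rule for sysadm_t."""
    _, _, job_type, _ = parse_context(ctx)
    if (job_type, spool_type) not in policy["entrypoint"]:
        return False, f"denied: no 'allow {job_type} {spool_type}:file entrypoint'"
    if (crond_domain, job_type) not in policy["transition"]:
        return False, f"denied: no 'allow {crond_domain} {job_type}:process transition'"
    return True, "allowed"


def requested_context(crontab: Iterable[str], user: str, login_role: str,
                      default_level: str = "SystemLow") -> str:
    """Derive the job context a crontab asks for.

    SELINUX_ROLE_TYPE= names a full context (the current patch);
    SELINUX_MLS_LEVEL= (the proposal) replaces only the level and keeps
    role/domain from the login role. Last directive wins."""
    ctx = f"{user}:{login_role}:{DEFAULT_JOB_DOMAIN[login_role]}:{default_level}"
    for raw in crontab:
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key == "SELINUX_ROLE_TYPE":
            ctx = value.strip()
        elif key == "SELINUX_MLS_LEVEL":
            ctx = f"{user}:{login_role}:{DEFAULT_JOB_DOMAIN[login_role]}:{value.strip()}"
    return ctx


def evaluate(crontab: List[str], user: str, login_role: str, spool_type: str,
             policy: Policy = TOY_POLICY) -> Tuple[str, bool, str]:
    """Resolve the crontab's requested context and run both checks on it."""
    ctx = requested_context(crontab, user, login_role)
    ok, why = check_job_context(ctx, spool_type, policy)
    return ctx, ok, why


if __name__ == "__main__":
    # Constructed crontab fragments reproducing the cases in the mail.
    cases = [
        ["SELINUX_ROLE_TYPE=staff_u:staff_r:staff_crond_t:SystemLow-s0:c15"],
        ["SELINUX_ROLE_TYPE=staff_u:sysadm_r:sysadm_crond_t:SystemLow-s0:c15"],
        ["SELINUX_ROLE_TYPE=staff_u:sysadm_r:sysadm_t:SystemLow-s0:c15"],
        ["SELINUX_MLS_LEVEL=SystemHigh"],
    ]
    for tab in cases:
        print(tab[0], "->", evaluate(tab, "staff_u", "staff_r", "staff_spool_cron_t"))
    # With the module from the mail the entrypoint check passes, but the
    # transition check still denies sysadm_t.
    patched = with_module(TOY_POLICY, "entrypoint", ("sysadm_t", "staff_spool_cron_t"))
    print(check_job_context("staff_u:sysadm_r:sysadm_t:SystemLow-s0:c15",
                            "staff_spool_cron_t", patched))
```

Running it shows the first and fourth crontabs allowed and the two sysadm contexts denied at the entrypoint check; loading the toy module moves the sysadm_t denial to the transition check, while a module granting sysadm_crond_t the entrypoint lets that context through, which is the "might work" path in the mail.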



