1 |
commit: 82b12f62f20f15f66de9c3ce3853b46349151992 |
2 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
3 |
AuthorDate: Tue Sep 25 13:55:55 2012 +0000 |
4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
5 |
CommitDate: Thu Sep 27 17:54:47 2012 +0000 |
6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=82b12f62 |
7 |
|
8 |
Changes to the cron policy module and relevant dependencies |
9 |
|
10 |
Ported from Fedora with changes |
11 |
|
12 |
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
13 |
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be> |
14 |
|
15 |
--- |
16 |
policy/modules/contrib/cron.te | 55 ++++++++++++++++++++++++++++----------- |
17 |
1 files changed, 39 insertions(+), 16 deletions(-) |
18 |
|
19 |
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te |
20 |
index c48cc70..412d5fb 100644 |
21 |
--- a/policy/modules/contrib/cron.te |
22 |
+++ b/policy/modules/contrib/cron.te |
23 |
@@ -96,12 +96,12 @@ typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t }; |
24 |
|
25 |
type system_cron_spool_t, cron_spool_type; |
26 |
files_type(system_cron_spool_t) |
27 |
+mta_system_content(system_cron_spool_t) |
28 |
|
29 |
type system_cronjob_t alias system_crond_t; |
30 |
init_daemon_domain(system_cronjob_t, anacron_exec_t) |
31 |
corecmd_shell_entry_type(system_cronjob_t) |
32 |
domain_interactive_fd(system_cronjob_t) |
33 |
-role system_r types system_cronjob_t; |
34 |
|
35 |
type system_cronjob_lock_t alias system_crond_lock_t; |
36 |
files_lock_file(system_cronjob_lock_t) |
37 |
@@ -366,6 +366,27 @@ optional_policy(` |
38 |
') |
39 |
|
40 |
optional_policy(` |
41 |
+ apache_search_sys_content(crond_t) |
42 |
+') |
43 |
+ |
44 |
+optional_policy(` |
45 |
+ dbus_system_bus_client(crond_t) |
46 |
+ |
47 |
+ optional_policy(` |
48 |
+ hal_dbus_chat(crond_t) |
49 |
+ ') |
50 |
+ |
51 |
+ optional_policy(` |
52 |
+ unconfined_dbus_send(crond_t) |
53 |
+ ') |
54 |
+') |
55 |
+ |
56 |
+optional_policy(` |
57 |
+ djbdns_search_tinydns_keys(crond_t) |
58 |
+ djbdns_link_tinydns_keys(crond_t) |
59 |
+') |
60 |
+ |
61 |
+optional_policy(` |
62 |
locallogin_search_keys(crond_t) |
63 |
locallogin_link_keys(crond_t) |
64 |
') |
65 |
@@ -554,6 +575,18 @@ optional_policy(` |
66 |
') |
67 |
|
68 |
optional_policy(` |
69 |
+ dbus_system_bus_client(system_cronjob_t) |
70 |
+ |
71 |
+ optional_policy(` |
72 |
+ networkmanager_dbus_chat(system_cronjob_t) |
73 |
+ ') |
74 |
+') |
75 |
+ |
76 |
+optional_policy(` |
77 |
+ exim_read_spool_files(system_cronjob_t) |
78 |
+') |
79 |
+ |
80 |
+optional_policy(` |
81 |
ftp_read_log(system_cronjob_t) |
82 |
') |
83 |
|
84 |
@@ -568,6 +601,10 @@ optional_policy(` |
85 |
') |
86 |
|
87 |
optional_policy(` |
88 |
+ livecd_read_tmp_files(system_cronjob_t) |
89 |
+') |
90 |
+ |
91 |
+optional_policy(` |
92 |
lpd_list_spool(system_cronjob_t) |
93 |
') |
94 |
|
95 |
@@ -627,23 +664,9 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; |
96 |
allow cronjob_t self:unix_stream_socket create_stream_socket_perms; |
97 |
allow cronjob_t self:unix_dgram_socket create_socket_perms; |
98 |
|
99 |
-# The entrypoint interface is not used as this is not |
100 |
-# a regular entrypoint. Since crontab files are |
101 |
-# not directly executed, crond must ensure that |
102 |
-# the crontab file has a type that is appropriate |
103 |
-# for the domain of the user cron job. It |
104 |
-# performs an entrypoint permission check |
105 |
-# for this purpose. |
106 |
allow cronjob_t user_cron_spool_t:file entrypoint; |
107 |
|
108 |
-# Permit a transition from the crond_t domain to this domain. |
109 |
-# The transition is requested explicitly by the modified crond |
110 |
-# via setexeccon. There is no way to set up an automatic |
111 |
-# transition, since crontabs are configuration files, not executables. |
112 |
-allow crond_t cronjob_t:process transition; |
113 |
-dontaudit crond_t cronjob_t:process { noatsecure siginh rlimitinh }; |
114 |
-allow crond_t cronjob_t:fd use; |
115 |
-allow crond_t cronjob_t:key create; |
116 |
+#allow crond_t cronjob_t:key create; |
117 |
allow cronjob_t crond_t:fd use; |
118 |
allow cronjob_t crond_t:fifo_file rw_file_perms; |
119 |
allow cronjob_t crond_t:process sigchld; |