commit: 037a40b8a9a5a201db1cdb0d01e697f227d0dbcd |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Tue Sep 25 13:55:55 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Thu Sep 27 17:45:02 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=037a40b8 |
|
Changes to the cron policy module and relevant dependencies |
|
Ported from Fedora with changes |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be> |
|
--- |
policy/modules/contrib/cron.fc | 69 ++++---- |
policy/modules/contrib/cron.if | 202 ++++++++++------------- |
policy/modules/contrib/cron.te | 359 +++++++++++++++++++++++++--------------- |
policy/modules/contrib/rpm.fc | 1 - |
4 files changed, 347 insertions(+), 284 deletions(-) |
|
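--- a/policy/modules/contrib/cron.fc
+++ b/policy/modules/contrib/cron.fc
@@ -1,56 +1,61 @@
-/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
 
-/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
-/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
 
-/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
-/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
 
-/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
-/usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0)
-/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
-/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
-/usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
+/usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
 
-/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/crond\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
 
-/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
-/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
+/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
 
-/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
-#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
-/var/spool/cron/[^/]* -- <<none>>
+/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/crond?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0)
 
-/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
+
+/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
+#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+/var/spool/cron/[^/]* -- <<none>>
+
+/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
 /var/spool/cron/crontabs/.* -- <<none>>
 #/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
 
-/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0)
-/var/spool/fcron/.* <<none>>
+/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/fcron/.* <<none>>
 /var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
-/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
 /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
 
 ifdef(`distro_debian',`
-/var/log/prelink.log -- gen_context(system_u:object_r:cron_log_t,s0)
+/var/log/prelink.log.* -- gen_context(system_u:object_r:cron_log_t,s0)
 
-/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
 /var/spool/cron/atjobs/[^/]* -- <<none>>
-/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0)
 ')
 
 ifdef(`distro_gentoo',`
-/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
 /var/spool/cron/lastrun/[^/]* -- <<none>>
 ')
 
-ifdef(`distro_suse', `
-/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+ifdef(`distro_suse',`
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
 /var/spool/cron/lastrun/[^/]* -- <<none>>
-/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
 ')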
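Review bot: The new catch-all `/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0)` is far wider than the specific entries above it: `.*` also matches `/`, so any regular file anywhere below /var/run whose path contains "cron" — including files in other daemons' runtime directories — is labeled crond_var_run_t, a type that cron.te in this same commit grants crontab_domain read access to. Since the pid, fifo and reboot files are already listed individually, the pattern looks like a fallback for unlisted names, and limiting it to one path component, `/var/run/[^/]*cron[^/]* -- gen_context(system_u:object_r:crond_var_run_t,s0)`, keeps that without the spill-over. The `/var/lib/glpi/files(/.*)?` and `/var/log/rpmpkgs.*` entries (the latter apparently moved here from rpm.fc, going by the diffstat) carry no comment explaining why a web application's data directory and an rpm log belong to the cron module; a one-line comment above each would help the next reader.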
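--- a/policy/modules/contrib/cron.if
+++ b/policy/modules/contrib/cron.if
@@ -2,22 +2,26 @@
 
 #######################################
 ## <summary>
-## The common rules for a crontab domain.
+## The template to define a crontab domain.
 ## </summary>
-## <param name="userdomain_prefix">
+## <param name="domain_prefix">
 ## <summary>
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## Domain prefix to be used.
 ## </summary>
 ## </param>
 #
 template(`cron_common_crontab_template',`
+ gen_require(`
+ attribute crontab_domain;
+ type crontab_exec_t;
+ ')
+
 ##############################
 #
 # Declarations
 #
 
- type $1_t;
+ type $1_t, crontab_domain;
 userdom_user_application_domain($1_t, crontab_exec_t)
 
 type $1_tmp_t;
@@ -28,63 +32,12 @@ template(`cron_common_crontab_template',`
 # Local policy
 #
 
- # dac_override is to create the file in the directory under /tmp
- allow $1_t self:capability { fowner setuid setgid chown dac_override };
- allow $1_t self:process { setsched signal_perms };
- allow $1_t self:fifo_file rw_fifo_file_perms;
-
- allow $1_t $1_tmp_t:file manage_file_perms;
- files_tmp_filetrans($1_t, $1_tmp_t, file)
-
- # create files in /var/spool/cron
- manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
- filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file)
- files_list_spool($1_t)
-
- # crontab signals crond by updating the mtime on the spooldir
- allow $1_t cron_spool_t:dir setattr;
-
- kernel_read_system_state($1_t)
-
- # for the checks used by crontab -u
- selinux_dontaudit_search_fs($1_t)
-
- fs_getattr_xattr_fs($1_t)
-
- domain_use_interactive_fds($1_t)
-
- files_read_etc_files($1_t)
- files_read_usr_files($1_t)
- files_dontaudit_search_pids($1_t)
+ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
 
 auth_domtrans_chk_passwd($1_t)
-
- logging_send_syslog_msg($1_t)
- logging_send_audit_msgs($1_t)
-
- init_dontaudit_write_utmp($1_t)
- init_read_utmp($1_t)
-
- miscfiles_read_localization($1_t)
-
- seutil_read_config($1_t)
-
- userdom_manage_user_tmp_dirs($1_t)
- userdom_manage_user_tmp_files($1_t)
- # Access terminals.
- userdom_use_user_terminals($1_t)
- # Read user crontabs
- userdom_read_user_home_content_files($1_t)
-
- tunable_policy(`fcron_crond',`
- # fcron wants an instant update of a crontab change for the administrator
- # also crontab does a security check for crontab -u
- dontaudit $1_t crond_t:process signal;
- ')
-
- optional_policy(`
- nscd_socket_use($1_t)
- ')
+ auth_use_nsswitch($1_t)
 ')
 
 ########################################
@@ -93,38 +46,52 @@ template(`cron_common_crontab_template',`
 ## </summary>
 ## <param name="role">
 ## <summary>
-## Role allowed access
+## Role allowed access.
 ## </summary>
 ## </param>
 ## <param name="domain">
 ## <summary>
-## User domain for the role
+## User domain for the role.
 ## </summary>
 ## </param>
+## <rolecap/>
 #
 interface(`cron_role',`
 gen_require(`
 type cronjob_t, crontab_t, crontab_exec_t;
+ type user_cron_spool_t, crond_t;
 ')
 
+ ##############################
+ #
+ # Declarations
+ #
+
 role $1 types { cronjob_t crontab_t };
 
- # cronjob shows up in user ps
- ps_process_pattern($2, cronjob_t)
+ ##############################
+ #
+ # Local policy
+ #
 
- # Transition from the user domain to the derived domain.
 domtrans_pattern($2, crontab_exec_t, crontab_t)
 
- # crontab shows up in user ps
- ps_process_pattern($2, crontab_t)
- allow $2 crontab_t:process signal;
+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
+ allow $2 crond_t:process sigchld;
+
+ allow $2 user_cron_spool_t:file { getattr read write ioctl };
+
+ allow $2 crontab_t:process { ptrace signal_perms };
+ ps_process_pattern($2, { cronjob_t crontab_t })
 
- # Run helper programs as the user domain
- #corecmd_bin_domtrans(crontab_t, $2)
- #corecmd_shell_domtrans(crontab_t, $2)
 corecmd_exec_bin(crontab_t)
 corecmd_exec_shell(crontab_t)
 
+ tunable_policy(`cron_userdomain_transition',`
+ allow crond_t $2:process transition;
+ allow $2 user_cron_spool_t:file entrypoint;
+ ')
+
 optional_policy(`
 gen_require(`
 class dbus send_msg;
@@ -133,7 +100,7 @@ interface(`cron_role',`
 dbus_stub(cronjob_t)
 
 allow cronjob_t $2:dbus send_msg;
- ')
+ ')
 ')
 
 ########################################
@@ -153,24 +120,28 @@ interface(`cron_role',`
 #
 interface(`cron_unconfined_role',`
 gen_require(`
- type unconfined_cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t;
+ type unconfined_cronjob_t, crontab_t, crontab_exec_t;
 ')
 
+ ##############################
+ #
+ # Declarations
+ #
+
 role $1 types { unconfined_cronjob_t crontab_t };
 
- # cronjob shows up in user ps
+ ##############################
+ #
+ # Local policy
+ #
+
 ps_process_pattern($2, unconfined_cronjob_t)
 
- # Transition from the user domain to the derived domain.
- domtrans_pattern($2, crontab_exec_t, crontab_t)
+ # domtrans_pattern($2, crontab_exec_t, crontab_t)
 
- # crontab shows up in user ps
+ allow $2 crontab_t:process { ptrace signal_perms };
 ps_process_pattern($2, crontab_t)
- allow $2 crontab_t:process signal;
 
- # Run helper programs as the user domain
- #corecmd_bin_domtrans(crontab_t, $2)
- #corecmd_shell_domtrans(crontab_t, $2)
 corecmd_exec_bin(crontab_t)
 corecmd_exec_shell(crontab_t)
 
@@ -182,7 +153,7 @@ interface(`cron_unconfined_role',`
 dbus_stub(unconfined_cronjob_t)
 
 allow unconfined_cronjob_t $2:dbus send_msg;
- ')
+ ')
 ')
 
 ########################################
@@ -202,28 +173,22 @@ interface(`cron_unconfined_role',`
 #
 interface(`cron_admin_role',`
 gen_require(`
- type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t;
+ type cronjob_t, crontab_exec_t, admin_crontab_t;
 class passwd crontab;
 ')
 
- role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t };
+ role $1 types { cronjob_t admin_crontab_t };
 
- # cronjob shows up in user ps
 ps_process_pattern($2, cronjob_t)
 
 # Manipulate other users crontab.
 allow $2 self:passwd crontab;
 
- # Transition from the user domain to the derived domain.
 domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
 
- # crontab shows up in user ps
+ allow $2 admin_crontab_t:process { ptrace signal_perms };
 ps_process_pattern($2, admin_crontab_t)
- allow $2 admin_crontab_t:process signal;
 
- # Run helper programs as the user domain
- #corecmd_bin_domtrans(admin_crontab_t, $2)
- #corecmd_shell_domtrans(admin_crontab_t, $2)
 corecmd_exec_bin(admin_crontab_t)
 corecmd_exec_shell(admin_crontab_t)
 
@@ -235,13 +200,13 @@ interface(`cron_admin_role',`
 dbus_stub(admin_cronjob_t)
 
 allow cronjob_t $2:dbus send_msg;
- ')
+ ')
 ')
 
 ########################################
 ## <summary>
-## Make the specified program domain accessable
-## from the system cron jobs.
+## Make the specified program domain
+## accessable from the system cron jobs.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -280,12 +245,13 @@ interface(`cron_domtrans',`
 type system_cronjob_t, crond_exec_t;
 ')
 
+ corecmd_search_bin($1)
 domtrans_pattern($1, crond_exec_t, system_cronjob_t)
 ')
 
 ########################################
 ## <summary>
-## Execute crond_exec_t
+## Execute crond in the caller domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -298,12 +264,13 @@ interface(`cron_exec',`
 type crond_exec_t;
 ')
 
+ corecmd_search_bin($1)
 can_exec($1, crond_exec_t)
 ')
 
 ########################################
 ## <summary>
-## Execute crond server in the nscd domain.
+## Execute crond server in the crond domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -321,8 +288,7 @@ interface(`cron_initrc_domtrans',`
 
 ########################################
 ## <summary>
-## Inherit and use a file descriptor
-## from the cron daemon.
+## Use crond file descriptors.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -340,7 +306,7 @@ interface(`cron_use_fds',`
 
 ########################################
 ## <summary>
-## Send a SIGCHLD signal to the cron daemon.
+## Send child terminated signals to crond.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -358,7 +324,7 @@ interface(`cron_sigchld',`
 
 ########################################
 ## <summary>
-## Read a cron daemon unnamed pipe.
+## Read cron daemon unnamed pipes.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -376,7 +342,8 @@ interface(`cron_read_pipes',`
 
 ########################################
 ## <summary>
-## Do not audit attempts to write cron daemon unnamed pipes.
+## Do not audit attempts to write
+## cron daemon unnamed pipes.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -394,7 +361,7 @@ interface(`cron_dontaudit_write_pipes',`
 
 ########################################
 ## <summary>
-## Read and write a cron daemon unnamed pipe.
+## Read and write crond unnamed pipes.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -412,7 +379,7 @@ interface(`cron_rw_pipes',`
 
 ########################################
 ## <summary>
-## Read, and write cron daemon TCP sockets.
+## Read and write crond TCP sockets.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -430,7 +397,8 @@ interface(`cron_rw_tcp_sockets',`
 
 ########################################
 ## <summary>
-## Dontaudit Read, and write cron daemon TCP sockets.
+## Do not audit attempts to read and
+## write cron daemon TCP sockets.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -448,7 +416,7 @@ interface(`cron_dontaudit_rw_tcp_sockets',`
 
 ########################################
 ## <summary>
-## Search the directory containing user cron tables.
+## Search cron spool directories.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -467,7 +435,8 @@ interface(`cron_search_spool',`
 
 ########################################
 ## <summary>
-## Manage pid files used by cron
+## Create, read, write, and delete
+## crond pid files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -485,7 +454,8 @@ interface(`cron_manage_pid_files',`
 
 ########################################
 ## <summary>
-## Execute anacron in the cron system domain.
+## Execute anacron in the cron
+## system domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -498,13 +468,13 @@ interface(`cron_anacron_domtrans_system_job',`
 type system_cronjob_t, anacron_exec_t;
 ')
 
+ corecmd_search_bin($1)
 domtrans_pattern($1, anacron_exec_t, system_cronjob_t)
 ')
 
 ########################################
 ## <summary>
-## Inherit and use a file descriptor
-## from system cron jobs.
+## Use system cron job file descriptors.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -522,7 +492,7 @@ interface(`cron_use_system_job_fds',`
 
 ########################################
 ## <summary>
-## Write a system cron job unnamed pipe.
+## Write system cron job unnamed pipes.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -540,7 +510,8 @@ interface(`cron_write_system_job_pipes',`
 
 ########################################
 ## <summary>
-## Read and write a system cron job unnamed pipe.
+## Read and write system cron job
+## unnamed pipes.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -558,7 +529,8 @@ interface(`cron_rw_system_job_pipes',`
 
 ########################################
 ## <summary>
-## Allow read/write unix stream sockets from the system cron jobs.
+## Read and write inherited system cron
+## job unix domain stream sockets.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -576,7 +548,7 @@ interface(`cron_rw_system_job_stream_sockets',`
 
 ########################################
 ## <summary>
-## Read temporary files from the system cron jobs.
+## Read system cron job temporary files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -596,7 +568,7 @@ interface(`cron_read_system_job_tmp_files',`
 ########################################
 ## <summary>
 ## Do not audit attempts to append temporary
-## files from the system cron jobs.
+## system cron job files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -615,7 +587,7 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
 ########################################
 ## <summary>
 ## Do not audit attempts to write temporary
-## files from the system cron jobs.
+## system cron job files.
 ## </summary>
 ## <param name="domain">
 ## <summary>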
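Review bot: In cron_role the new rule `allow $2 user_cron_spool_t:file { getattr read write ioctl };` is unconditional, so every user domain given this role can read and write spooled crontabs directly, whereas the removed template lines show that access only ever flowed through the crontab_t helper (which the common policy grants setuid/setgid for exactly that purpose). If this is needed only so that a job running in the user domain can open its own crontab, it belongs inside the cron_userdomain_transition tunable_policy block next to `allow $2 user_cron_spool_t:file entrypoint;`, and `write` in particular should be justified or dropped. The companion `allow $2 crontab_t:process { ptrace signal_perms };` in cron_role, cron_unconfined_role and cron_admin_role widens the old `signal` to ptrace of that privileged helper domain; a comment stating why the user domain must be able to trace it would let a later reader judge the change. In cron_unconfined_role the transition was replaced by the commented-out `# domtrans_pattern($2, crontab_exec_t, crontab_t)` with no explanation, so either delete the line or state why the unconfined user now runs crontab without a domain transition.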
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te |
593 |
index f25d9d1..c48cc70 100644 |
594 |
--- a/policy/modules/contrib/cron.te |
595 |
+++ b/policy/modules/contrib/cron.te |
596 |
@@ -1,4 +1,4 @@ |
597 |
-policy_module(cron, 2.4.0) |
598 |
+policy_module(cron, 2.5.0) |
599 |
|
600 |
gen_require(` |
601 |
class passwd rootok; |
602 |
@@ -10,37 +10,47 @@ gen_require(` |
603 |
# |
604 |
|
605 |
## <desc> |
606 |
-## <p> |
607 |
-## Allow system cron jobs to relabel filesystem |
608 |
-## for restoring file contexts. |
609 |
-## </p> |
610 |
+## <p> |
611 |
+## Determine whether system cron jobs |
612 |
+## can relabel filesystem for |
613 |
+## restoring file contexts. |
614 |
+## </p> |
615 |
## </desc> |
616 |
gen_tunable(cron_can_relabel, false) |
617 |
|
618 |
## <desc> |
619 |
-## <p> |
620 |
-## Enable extra rules in the cron domain |
621 |
-## to support fcron. |
622 |
-## </p> |
623 |
+## <p> |
624 |
+## Determine whether crond can execute jobs |
625 |
+## in the user domain as opposed to the |
626 |
+## the generic cronjob domain. |
627 |
+## </p> |
628 |
+## </desc> |
629 |
+gen_tunable(cron_userdomain_transition, false) |
630 |
+ |
631 |
+## <desc> |
632 |
+## <p> |
633 |
+## Determine whether extra rules |
634 |
+## should beenabled to support fcron. |
635 |
+## </p> |
636 |
## </desc> |
637 |
gen_tunable(fcron_crond, false) |
638 |
|
639 |
attribute cron_spool_type; |
640 |
+attribute crontab_domain; |
641 |
|
642 |
type anacron_exec_t; |
643 |
application_executable_file(anacron_exec_t) |
644 |
|
645 |
type cron_spool_t; |
646 |
files_type(cron_spool_t) |
647 |
+mta_system_content(cron_spool_t) |
648 |
|
649 |
-# var/lib files |
650 |
type cron_var_lib_t; |
651 |
files_type(cron_var_lib_t) |
652 |
|
653 |
type cron_var_run_t; |
654 |
-files_type(cron_var_run_t) |
655 |
+files_pid_file(cron_var_run_t) |
656 |
|
657 |
-# var/log files |
658 |
type cron_log_t; |
659 |
logging_log_file(cron_log_t) |
660 |
|
661 |
@@ -64,9 +74,12 @@ init_script_file(crond_initrc_exec_t) |
662 |
|
663 |
type crond_tmp_t; |
664 |
files_tmp_file(crond_tmp_t) |
665 |
+files_poly_parent(crond_tmp_t) |
666 |
+mta_system_content(crond_tmp_t) |
667 |
|
668 |
type crond_var_run_t; |
669 |
files_pid_file(crond_var_run_t) |
670 |
+mta_system_content(crond_var_run_t) |
671 |
|
672 |
type crontab_exec_t; |
673 |
application_executable_file(crontab_exec_t) |
674 |
@@ -96,30 +109,95 @@ files_lock_file(system_cronjob_lock_t) |
675 |
type system_cronjob_tmp_t alias system_crond_tmp_t; |
676 |
files_tmp_file(system_cronjob_tmp_t) |
677 |
|
678 |
-ifdef(`enable_mcs',` |
679 |
- init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh) |
680 |
-') |
681 |
+type system_cronjob_var_lib_t; |
682 |
+files_type(system_cronjob_var_lib_t) |
683 |
+ |
684 |
+type system_cronjob_var_run_t; |
685 |
+files_pid_file(system_cronjob_var_run_t) |
686 |
|
687 |
type unconfined_cronjob_t; |
688 |
domain_type(unconfined_cronjob_t) |
689 |
domain_cron_exemption_target(unconfined_cronjob_t) |
690 |
|
691 |
-# Type of user crontabs once moved to cron spool. |
692 |
type user_cron_spool_t, cron_spool_type; |
693 |
typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t }; |
694 |
typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t }; |
695 |
files_type(user_cron_spool_t) |
696 |
ubac_constrained(user_cron_spool_t) |
697 |
+mta_system_content(user_cron_spool_t) |
698 |
+ |
699 |
+ifdef(`enable_mcs',` |
700 |
+ init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh) |
701 |
+') |
702 |
+ |
703 |
+############################## |
704 |
+# |
705 |
+# Common local policy |
706 |
+# |
707 |
+ |
708 |
+allow crontab_domain self:capability { fowner setuid setgid chown dac_override }; |
709 |
+allow crontab_domain self:process { getcap setsched signal_perms }; |
710 |
+allow crontab_domain self:fifo_file rw_fifo_file_perms; |
711 |
+ |
712 |
+manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t) |
713 |
+filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file) |
714 |
+ |
715 |
+allow crontab_domain cron_spool_t:dir setattr_dir_perms; |
716 |
+ |
717 |
+allow crontab_domain crond_t:process signal; |
718 |
+allow crontab_domain crond_var_run_t:file read_file_perms; |
719 |
+ |
720 |
+kernel_read_system_state(crontab_domain) |
721 |
+ |
722 |
+selinux_dontaudit_search_fs(crontab_domain) |
723 |
+ |
724 |
+files_list_spool(crontab_domain) |
725 |
+files_read_etc_files(crontab_domain) |
726 |
+files_read_usr_files(crontab_domain) |
727 |
+files_dontaudit_search_pids(crontab_domain) |
728 |
+ |
729 |
+fs_getattr_xattr_fs(crontab_domain) |
730 |
+fs_manage_cgroup_dirs(crontab_domain) |
731 |
+fs_rw_cgroup_files(crontab_domain) |
732 |
+ |
733 |
+domain_use_interactive_fds(crontab_domain) |
734 |
+ |
735 |
+fs_dontaudit_rw_anon_inodefs_files(crontab_domain) |
736 |
+ |
737 |
+auth_rw_var_auth(crontab_domain) |
738 |
+ |
739 |
+logging_send_syslog_msg(crontab_domain) |
740 |
+logging_send_audit_msgs(crontab_domain) |
741 |
+ |
742 |
+init_dontaudit_write_utmp(crontab_domain) |
743 |
+init_read_utmp(crontab_domain) |
744 |
+init_read_state(crontab_domain) |
745 |
+ |
746 |
+miscfiles_read_localization(crontab_domain) |
747 |
+ |
748 |
+seutil_read_config(crontab_domain) |
749 |
+ |
750 |
+userdom_manage_user_tmp_dirs(crontab_domain) |
751 |
+userdom_manage_user_tmp_files(crontab_domain) |
752 |
+userdom_use_user_terminals(crontab_domain) |
753 |
+userdom_read_user_home_content_files(crontab_domain) |
754 |
+userdom_read_user_home_content_symlinks(crontab_domain) |
755 |
+ |
756 |
+tunable_policy(`cron_userdomain_transition',` |
757 |
+ logging_set_loginuid(crontab_domain) |
758 |
+') |
759 |
+ |
760 |
+tunable_policy(`fcron_crond',` |
761 |
+ dontaudit crontab_domain crond_t:process signal; |
762 |
+') |
763 |
|
764 |
######################################## |
765 |
# |
766 |
-# Admin crontab local policy |
767 |
+# Admin local policy |
768 |
# |
769 |
|
770 |
-# Allow our crontab domain to unlink a user cron spool file. |
771 |
-allow admin_crontab_t user_cron_spool_t:file { getattr read unlink }; |
772 |
+allow admin_crontab_t crond_t:process signal; |
773 |
|
774 |
-# Manipulate other users crontab. |
775 |
selinux_get_fs_mount(admin_crontab_t) |
776 |
selinux_validate_context(admin_crontab_t) |
777 |
selinux_compute_access_vector(admin_crontab_t) |
778 |
@@ -127,32 +205,29 @@ selinux_compute_create_context(admin_crontab_t) |
779 |
selinux_compute_relabel_context(admin_crontab_t) |
780 |
selinux_compute_user_contexts(admin_crontab_t) |
781 |
|
782 |
-tunable_policy(`fcron_crond', ` |
783 |
- # fcron wants an instant update of a crontab change for the administrator |
784 |
- # also crontab does a security check for crontab -u |
785 |
+tunable_policy(`fcron_crond',` |
786 |
allow admin_crontab_t self:process setfscreate; |
787 |
') |
788 |
|
789 |
######################################## |
790 |
# |
791 |
-# Cron daemon local policy |
792 |
+# Daemon local policy |
793 |
# |
794 |
|
795 |
-allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search }; |
796 |
+allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search }; |
797 |
dontaudit crond_t self:capability { sys_resource sys_tty_config }; |
798 |
-allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; |
799 |
+allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; |
800 |
allow crond_t self:process { setexec setfscreate }; |
801 |
allow crond_t self:fd use; |
802 |
allow crond_t self:fifo_file rw_fifo_file_perms; |
803 |
-allow crond_t self:unix_dgram_socket create_socket_perms; |
804 |
-allow crond_t self:unix_stream_socket create_stream_socket_perms; |
805 |
allow crond_t self:unix_dgram_socket sendto; |
806 |
-allow crond_t self:unix_stream_socket connectto; |
807 |
+allow crond_t self:unix_stream_socket { accept connectto listen }; |
808 |
allow crond_t self:shm create_shm_perms; |
809 |
allow crond_t self:sem create_sem_perms; |
810 |
allow crond_t self:msgq create_msgq_perms; |
811 |
allow crond_t self:msg { send receive }; |
812 |
allow crond_t self:key { search write link }; |
813 |
+dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit; |
814 |
|
815 |
manage_files_pattern(crond_t, cron_log_t, cron_log_t) |
816 |
logging_log_filetrans(crond_t, cron_log_t, file) |
817 |
@@ -164,69 +239,89 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) |
818 |
|
819 |
manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t) |
820 |
manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t) |
821 |
-files_tmp_filetrans(crond_t, crond_tmp_t, { file dir }) |
822 |
+files_tmp_filetrans(crond_t, crond_tmp_t, { dir file }) |
823 |
|
824 |
list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) |
825 |
read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) |
826 |
|
827 |
+list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) |
828 |
+rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) |
829 |
+read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) |
830 |
+read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) |
831 |
+allow crond_t user_cron_spool_t:file manage_lnk_file_perms; |
832 |
+ |
833 |
+allow crond_t { cronjob_t system_cronjob_t unconfined_cronjob_t }:process transition; |
834 |
+allow crond_t { cronjob_t system_cronjob_t unconfined_cronjob_t }:fd use; |
835 |
+allow crond_t { cronjob_t system_cronjob_t unconfined_cronjob_t }:key manage_key_perms; |
836 |
+dontaudit crond_t { cronjob_t system_cronjob_t unconfined_cronjob_t }:process { noatsecure siginh rlimitinh }; |
837 |
+ |
838 |
+domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t) |
839 |
+ |
840 |
kernel_read_kernel_sysctls(crond_t) |
841 |
kernel_read_fs_sysctls(crond_t) |
842 |
kernel_search_key(crond_t) |
843 |
|
844 |
-dev_read_sysfs(crond_t) |
845 |
-selinux_get_fs_mount(crond_t) |
846 |
-selinux_validate_context(crond_t) |
847 |
-selinux_compute_access_vector(crond_t) |
848 |
-selinux_compute_create_context(crond_t) |
849 |
-selinux_compute_relabel_context(crond_t) |
850 |
-selinux_compute_user_contexts(crond_t) |
851 |
+corecmd_exec_shell(crond_t) |
852 |
+corecmd_exec_bin(crond_t) |
853 |
+corecmd_list_bin(crond_t) |
854 |
|
855 |
+dev_read_sysfs(crond_t) |
856 |
dev_read_urand(crond_t) |
857 |
|
858 |
+domain_use_interactive_fds(crond_t) |
859 |
+domain_subj_id_change_exemption(crond_t) |
860 |
+domain_role_change_exemption(crond_t) |
861 |
+ |
862 |
fs_getattr_all_fs(crond_t) |
863 |
-fs_search_auto_mountpoints(crond_t) |
864 |
fs_list_inotifyfs(crond_t) |
865 |
- |
866 |
-# need auth_chkpwd to check for locked accounts. |
867 |
-auth_domtrans_chk_passwd(crond_t) |
868 |
- |
869 |
-corecmd_exec_shell(crond_t) |
870 |
-corecmd_list_bin(crond_t) |
871 |
-corecmd_read_bin_symlinks(crond_t) |
872 |
- |
873 |
-domain_use_interactive_fds(crond_t) |
874 |
+fs_manage_cgroup_dirs(crond_t) |
875 |
+fs_rw_cgroup_files(crond_t) |
876 |
+fs_search_auto_mountpoints(crond_t) |
877 |
|
878 |
files_read_usr_files(crond_t) |
879 |
files_read_etc_runtime_files(crond_t) |
880 |
-files_read_etc_files(crond_t) |
881 |
files_read_generic_spool(crond_t) |
882 |
files_list_usr(crond_t) |
883 |
-# Read from /var/spool/cron. |
884 |
files_search_var_lib(crond_t) |
885 |
files_search_default(crond_t) |
886 |
|
887 |
+mls_fd_share_all_levels(crond_t) |
888 |
+# crontab -e and kernel check of transition |
889 |
+mls_file_read_all_levels(crond_t) |
890 |
+mls_file_write_all_levels(crond_t) |
891 |
+mls_process_set_level(crond_t) |
892 |
+mls_trusted_object(crond_t) |
893 |
+ |
894 |
+selinux_get_fs_mount(crond_t) |
895 |
+selinux_validate_context(crond_t) |
896 |
+selinux_compute_access_vector(crond_t) |
897 |
+selinux_compute_create_context(crond_t) |
898 |
+selinux_compute_relabel_context(crond_t) |
899 |
+selinux_compute_user_contexts(crond_t) |
900 |
+ |
901 |
+init_read_state(crond_t) |
902 |
init_rw_utmp(crond_t) |
903 |
init_spec_domtrans_script(crond_t) |
904 |
|
905 |
+auth_domtrans_chk_passwd(crond_t) |
906 |
+auth_manage_var_auth(crond_t) |
907 |
auth_use_nsswitch(crond_t) |
908 |
|
909 |
+logging_send_audit_msgs(crond_t) |
910 |
logging_send_syslog_msg(crond_t) |
911 |
logging_set_loginuid(crond_t) |
912 |
|
913 |
seutil_read_config(crond_t) |
914 |
seutil_read_default_contexts(crond_t) |
915 |
-seutil_sigchld_newrole(crond_t) |
916 |
|
917 |
miscfiles_read_localization(crond_t) |
918 |
|
919 |
userdom_use_unpriv_users_fds(crond_t) |
920 |
-# Not sure why this is needed |
921 |
userdom_list_user_home_dirs(crond_t) |
922 |
|
923 |
mta_send_mail(crond_t) |
924 |
|
925 |
ifdef(`distro_debian',` |
926 |
- # pam_limits is used |
927 |
allow crond_t self:process setrlimit; |
928 |
|
929 |
optional_policy(` |
930 |
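Review bot: `allow crond_t user_cron_spool_t:file manage_lnk_file_perms;` applies a permission set named for the lnk_file class to the file class; on files it expands to create, write, unlink and rename, so crond_t can rewrite user crontabs unconditionally, which leaves the `fcron_crond` tunable in the last cron.te hunk (`allow crond_t user_cron_spool_t:file manage_file_perms;`) gating almost nothing. If symlink handling was meant, to match the read_lnk_files_pattern line just above it, the class should be `lnk_file`; if fcron's instant-update write was meant, the rule belongs inside that tunable. Separately, the self:process exclusion set earlier in the file no longer lists setrlimit, so `allow crond_t self:process setrlimit;` inside ifdef(`distro_debian') at the end of this hunk is now redundant, and its "pam_limits" rationale was dropped at the same time. The ifdef block it sits in continues past the hunk.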
@@ -235,9 +330,7 @@ ifdef(`distro_debian',` |
931 |
') |
932 |
') |
933 |
|
934 |
-ifdef(`distro_redhat', ` |
935 |
- # Run the rpm program in the rpm_t domain. Allow creation of RPM log files |
936 |
- # via redirection of standard out. |
937 |
+ifdef(`distro_redhat',` |
938 |
optional_policy(` |
939 |
rpm_manage_log(crond_t) |
940 |
') |
941 |
@@ -252,6 +345,27 @@ tunable_policy(`fcron_crond', ` |
942 |
') |
943 |
|
944 |
optional_policy(` |
945 |
+ apache_search_sys_content(crond_t) |
946 |
+') |
947 |
+ |
948 |
+optional_policy(` |
949 |
+ dbus_system_bus_client(crond_t) |
950 |
+ |
951 |
+ optional_policy(` |
952 |
+ hal_dbus_chat(crond_t) |
953 |
+ ') |
954 |
+ |
955 |
+ optional_policy(` |
956 |
+ unconfined_dbus_send(crond_t) |
957 |
+ ') |
958 |
+') |
959 |
+ |
960 |
+optional_policy(` |
961 |
+ djbdns_search_tinydns_keys(crond_t) |
962 |
+ djbdns_link_tinydns_keys(crond_t) |
963 |
+') |
964 |
+ |
965 |
+optional_policy(` |
966 |
locallogin_search_keys(crond_t) |
967 |
locallogin_link_keys(crond_t) |
968 |
') |
969 |
@@ -265,11 +379,10 @@ optional_policy(` |
970 |
') |
971 |
|
972 |
optional_policy(` |
973 |
- hal_dbus_chat(crond_t) |
974 |
+ hal_write_log(crond_t) |
975 |
') |
976 |
|
977 |
optional_policy(` |
978 |
- # cjp: why? |
979 |
munin_search_lib(crond_t) |
980 |
') |
981 |
|
982 |
@@ -278,22 +391,24 @@ optional_policy(` |
983 |
') |
984 |
|
985 |
optional_policy(` |
986 |
- # Commonly used from postinst scripts |
987 |
rpm_read_pipes(crond_t) |
988 |
') |
989 |
|
990 |
optional_policy(` |
991 |
- # allow crond to find /usr/lib/postgresql/bin/do.maintenance |
992 |
postgresql_search_db(crond_t) |
993 |
') |
994 |
|
995 |
optional_policy(` |
996 |
+ seutil_sigchld_newrole(crond_t) |
997 |
+') |
998 |
+ |
999 |
+optional_policy(` |
1000 |
udev_read_db(crond_t) |
1001 |
') |
1002 |
|
1003 |
######################################## |
1004 |
# |
1005 |
-# System cron process domain |
1006 |
+# System local policy |
1007 |
# |
1008 |
|
1009 |
allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice }; |
1010 |
@@ -301,56 +416,41 @@ allow system_cronjob_t self:process { signal_perms getsched setsched }; |
1011 |
allow system_cronjob_t self:fifo_file rw_fifo_file_perms; |
1012 |
allow system_cronjob_t self:passwd rootok; |
1013 |
|
1014 |
-# This is to handle creation of files in /var/log directory. |
1015 |
-# Used currently by rpm script log files |
1016 |
allow system_cronjob_t cron_log_t:file manage_file_perms; |
1017 |
logging_log_filetrans(system_cronjob_t, cron_log_t, file) |
1018 |
|
1019 |
-# This is to handle /var/lib/misc directory. Used currently |
1020 |
-# by prelink var/lib files for cron |
1021 |
-allow system_cronjob_t cron_var_lib_t:file manage_file_perms; |
1022 |
+allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms }; |
1023 |
files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file) |
1024 |
|
1025 |
-allow system_cronjob_t system_cron_spool_t:file read_file_perms; |
1026 |
-# The entrypoint interface is not used as this is not |
1027 |
-# a regular entrypoint. Since crontab files are |
1028 |
-# not directly executed, crond must ensure that |
1029 |
-# the crontab file has a type that is appropriate |
1030 |
-# for the domain of the user cron job. It |
1031 |
-# performs an entrypoint permission check |
1032 |
-# for this purpose. |
1033 |
-allow system_cronjob_t system_cron_spool_t:file entrypoint; |
1034 |
+allow system_cronjob_t cron_var_run_t:file manage_file_perms; |
1035 |
+files_pid_filetrans(system_cronjob_t, cron_var_run_t, file) |
1036 |
|
1037 |
-# Permit a transition from the crond_t domain to this domain. |
1038 |
-# The transition is requested explicitly by the modified crond |
1039 |
-# via setexeccon. There is no way to set up an automatic |
1040 |
-# transition, since crontabs are configuration files, not executables. |
1041 |
-allow crond_t system_cronjob_t:process transition; |
1042 |
-dontaudit crond_t system_cronjob_t:process { noatsecure siginh rlimitinh }; |
1043 |
-allow crond_t system_cronjob_t:fd use; |
1044 |
-allow system_cronjob_t crond_t:fd use; |
1045 |
-allow system_cronjob_t crond_t:fifo_file rw_file_perms; |
1046 |
-allow system_cronjob_t crond_t:process sigchld; |
1047 |
+manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t) |
1048 |
+allow system_cronjob_t system_cron_spool_t:file entrypoint; |
1049 |
|
1050 |
-# Write /var/lock/makewhatis.lock. |
1051 |
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; |
1052 |
files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file) |
1053 |
|
1054 |
-# write temporary files |
1055 |
manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) |
1056 |
manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) |
1057 |
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) |
1058 |
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) |
1059 |
|
1060 |
-# Read from /var/spool/cron. |
1061 |
+files_search_var_lib(system_cronjob_t) |
1062 |
+manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t) |
1063 |
+ |
1064 |
+allow system_cronjob_t crond_t:fd use; |
1065 |
+allow system_cronjob_t crond_t:fifo_file rw_file_perms; |
1066 |
+allow system_cronjob_t crond_t:process sigchld; |
1067 |
+ |
1068 |
allow system_cronjob_t cron_spool_t:dir list_dir_perms; |
1069 |
-allow system_cronjob_t cron_spool_t:file read_file_perms; |
1070 |
+allow system_cronjob_t cron_spool_t:file rw_file_perms; |
1071 |
|
1072 |
kernel_read_kernel_sysctls(system_cronjob_t) |
1073 |
+kernel_read_network_state(system_cronjob_t) |
1074 |
kernel_read_system_state(system_cronjob_t) |
1075 |
kernel_read_software_raid_state(system_cronjob_t) |
1076 |
|
1077 |
-# ps does not need to access /boot when run from cron |
1078 |
files_dontaudit_search_boot(system_cronjob_t) |
1079 |
|
1080 |
corecmd_exec_all_executables(system_cronjob_t) |
1081 |
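Review bot: `manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)` widens system cron jobs from read_file_perms to create/write/unlink on the system crontab spool, so any job started from that spool can add or alter other system jobs; the commit gives no reason, and the same widening appears at the end of the hunk in `allow system_cronjob_t cron_spool_t:file rw_file_perms;`. If one specific job needs to write there, name it in a comment or gate the write side behind a tunable; otherwise the previous read-only rule is the safer default. The removed comment block was also the only explanation of why `allow system_cronjob_t system_cron_spool_t:file entrypoint;` exists, and a one-liner such as `# crontabs are not executed, so crond performs the entrypoint check on the crontab file itself` would preserve it.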
@@ -367,6 +467,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t) |
1082 |
dev_getattr_all_blk_files(system_cronjob_t) |
1083 |
dev_getattr_all_chr_files(system_cronjob_t) |
1084 |
dev_read_urand(system_cronjob_t) |
1085 |
+dev_read_sysfs(system_cronjob_t) |
1086 |
|
1087 |
fs_getattr_all_fs(system_cronjob_t) |
1088 |
fs_getattr_all_files(system_cronjob_t) |
1089 |
@@ -374,11 +475,9 @@ fs_getattr_all_symlinks(system_cronjob_t) |
1090 |
fs_getattr_all_pipes(system_cronjob_t) |
1091 |
fs_getattr_all_sockets(system_cronjob_t) |
1092 |
|
1093 |
-# quiet other ps operations |
1094 |
domain_dontaudit_read_all_domains_state(system_cronjob_t) |
1095 |
|
1096 |
files_exec_etc_files(system_cronjob_t) |
1097 |
-files_read_etc_files(system_cronjob_t) |
1098 |
files_read_etc_runtime_files(system_cronjob_t) |
1099 |
files_list_all(system_cronjob_t) |
1100 |
files_getattr_all_dirs(system_cronjob_t) |
1101 |
@@ -388,16 +487,14 @@ files_getattr_all_pipes(system_cronjob_t) |
1102 |
files_getattr_all_sockets(system_cronjob_t) |
1103 |
files_read_usr_files(system_cronjob_t) |
1104 |
files_read_var_files(system_cronjob_t) |
1105 |
-# for nscd: |
1106 |
files_dontaudit_search_pids(system_cronjob_t) |
1107 |
-# Access other spool directories like |
1108 |
-# /var/spool/anacron and /var/spool/slrnpull. |
1109 |
files_manage_generic_spool(system_cronjob_t) |
1110 |
+files_create_boot_flag(system_cronjob_t) |
1111 |
+ |
1112 |
+mls_file_read_to_clearance(system_cronjob_t) |
1113 |
|
1114 |
init_use_script_fds(system_cronjob_t) |
1115 |
-init_read_utmp(system_cronjob_t) |
1116 |
-init_dontaudit_rw_utmp(system_cronjob_t) |
1117 |
-# prelink tells init to restart it self, we either need to allow or dontaudit |
1118 |
+init_rw_utmp(system_cronjob_t) |
1119 |
init_telinit(system_cronjob_t) |
1120 |
init_domtrans_script(system_cronjob_t) |
1121 |
|
1122 |
@@ -415,9 +512,7 @@ miscfiles_manage_man_pages(system_cronjob_t) |
1123 |
|
1124 |
seutil_read_config(system_cronjob_t) |
1125 |
|
1126 |
-ifdef(`distro_redhat', ` |
1127 |
- # Run the rpm program in the rpm_t domain. Allow creation of RPM log files |
1128 |
- # via redirection of standard out. |
1129 |
+ifdef(`distro_redhat',` |
1130 |
optional_policy(` |
1131 |
rpm_manage_log(system_cronjob_t) |
1132 |
') |
1133 |
@@ -436,7 +531,6 @@ tunable_policy(`cron_can_relabel',` |
1134 |
') |
1135 |
|
1136 |
optional_policy(` |
1137 |
- # Needed for certwatch |
1138 |
apache_exec_modules(system_cronjob_t) |
1139 |
apache_read_config(system_cronjob_t) |
1140 |
apache_read_log(system_cronjob_t) |
1141 |
@@ -448,6 +542,18 @@ optional_policy(` |
1142 |
') |
1143 |
|
1144 |
optional_policy(` |
1145 |
+ dbus_system_bus_client(system_cronjob_t) |
1146 |
+ |
1147 |
+ optional_policy(` |
1148 |
+ networkmanager_dbus_chat(system_cronjob_t) |
1149 |
+ ') |
1150 |
+') |
1151 |
+ |
1152 |
+optional_policy(` |
1153 |
+ exim_read_spool_files(system_cronjob_t) |
1154 |
+') |
1155 |
+ |
1156 |
+optional_policy(` |
1157 |
ftp_read_log(system_cronjob_t) |
1158 |
') |
1159 |
|
1160 |
@@ -458,6 +564,10 @@ optional_policy(` |
1161 |
') |
1162 |
|
1163 |
optional_policy(` |
1164 |
+ livecd_read_tmp_files(system_cronjob_t) |
1165 |
+') |
1166 |
+ |
1167 |
+optional_policy(` |
1168 |
lpd_list_spool(system_cronjob_t) |
1169 |
') |
1170 |
|
1171 |
@@ -466,6 +576,7 @@ optional_policy(` |
1172 |
') |
1173 |
|
1174 |
optional_policy(` |
1175 |
+ mta_read_config(system_cronjob_t) |
1176 |
mta_send_mail(system_cronjob_t) |
1177 |
') |
1178 |
|
1179 |
@@ -488,7 +599,6 @@ optional_policy(` |
1180 |
optional_policy(` |
1181 |
samba_read_config(system_cronjob_t) |
1182 |
samba_read_log(system_cronjob_t) |
1183 |
- #samba_read_secrets(system_cronjob_t) |
1184 |
') |
1185 |
|
1186 |
optional_policy(` |
1187 |
@@ -504,13 +614,12 @@ optional_policy(` |
1188 |
') |
1189 |
|
1190 |
optional_policy(` |
1191 |
- unconfined_domain(system_cronjob_t) |
1192 |
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) |
1193 |
') |
1194 |
|
1195 |
######################################## |
1196 |
# |
1197 |
-# User cronjobs local policy |
1198 |
+# Cronjob local policy |
1199 |
# |
1200 |
|
1201 |
allow cronjob_t self:process { signal_perms setsched }; |
1202 |
@@ -542,7 +651,6 @@ allow cronjob_t crond_t:process sigchld; |
1203 |
kernel_read_system_state(cronjob_t) |
1204 |
kernel_read_kernel_sysctls(cronjob_t) |
1205 |
|
1206 |
-# ps does not need to access /boot when run from cron |
1207 |
files_dontaudit_search_boot(cronjob_t) |
1208 |
|
1209 |
corenet_all_recvfrom_unlabeled(cronjob_t) |
1210 |
@@ -553,31 +661,29 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) |
1211 |
corenet_udp_sendrecv_generic_node(cronjob_t) |
1212 |
corenet_tcp_sendrecv_all_ports(cronjob_t) |
1213 |
corenet_udp_sendrecv_all_ports(cronjob_t) |
1214 |
-corenet_tcp_connect_all_ports(cronjob_t) |
1215 |
+ |
1216 |
corenet_sendrecv_all_client_packets(cronjob_t) |
1217 |
+corenet_tcp_connect_all_ports(cronjob_t) |
1218 |
+ |
1219 |
+corecmd_exec_all_executables(cronjob_t) |
1220 |
|
1221 |
dev_read_urand(cronjob_t) |
1222 |
|
1223 |
fs_getattr_all_fs(cronjob_t) |
1224 |
|
1225 |
-corecmd_exec_all_executables(cronjob_t) |
1226 |
- |
1227 |
-# quiet other ps operations |
1228 |
domain_dontaudit_read_all_domains_state(cronjob_t) |
1229 |
domain_dontaudit_getattr_all_domains(cronjob_t) |
1230 |
|
1231 |
-files_read_usr_files(cronjob_t) |
1232 |
files_exec_etc_files(cronjob_t) |
1233 |
-# for nscd: |
1234 |
+files_read_etc_runtime_files(cronjob_t) |
1235 |
+files_read_var_files(cronjob_t) |
1236 |
+files_read_usr_files(cronjob_t) |
1237 |
+files_search_spool(cronjob_t) |
1238 |
files_dontaudit_search_pids(cronjob_t) |
1239 |
|
1240 |
libs_exec_lib_files(cronjob_t) |
1241 |
libs_exec_ld_so(cronjob_t) |
1242 |
|
1243 |
-files_read_etc_runtime_files(cronjob_t) |
1244 |
-files_read_var_files(cronjob_t) |
1245 |
-files_search_spool(cronjob_t) |
1246 |
- |
1247 |
logging_search_logs(cronjob_t) |
1248 |
|
1249 |
seutil_read_config(cronjob_t) |
1250 |
@@ -588,44 +694,25 @@ userdom_manage_user_tmp_files(cronjob_t) |
1251 |
userdom_manage_user_tmp_symlinks(cronjob_t) |
1252 |
userdom_manage_user_tmp_pipes(cronjob_t) |
1253 |
userdom_manage_user_tmp_sockets(cronjob_t) |
1254 |
-# Run scripts in user home directory and access shared libs. |
1255 |
userdom_exec_user_home_content_files(cronjob_t) |
1256 |
-# Access user files and dirs. |
1257 |
userdom_manage_user_home_content_files(cronjob_t) |
1258 |
userdom_manage_user_home_content_symlinks(cronjob_t) |
1259 |
userdom_manage_user_home_content_pipes(cronjob_t) |
1260 |
userdom_manage_user_home_content_sockets(cronjob_t) |
1261 |
-#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) |
1262 |
|
1263 |
-list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) |
1264 |
-read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) |
1265 |
- |
1266 |
-tunable_policy(`fcron_crond', ` |
1267 |
+tunable_policy(`fcron_crond',` |
1268 |
allow crond_t user_cron_spool_t:file manage_file_perms; |
1269 |
') |
1270 |
|
1271 |
-# need a per-role version of this: |
1272 |
-#optional_policy(` |
1273 |
-# mono_domtrans(cronjob_t) |
1274 |
-#') |
1275 |
- |
1276 |
optional_policy(` |
1277 |
nis_use_ypbind(cronjob_t) |
1278 |
') |
1279 |
|
1280 |
######################################## |
1281 |
# |
1282 |
-# Unconfined cronjobs local policy |
1283 |
+# Unconfined local policy |
1284 |
# |
1285 |
|
1286 |
optional_policy(` |
1287 |
- # Permit a transition from the crond_t domain to this domain. |
1288 |
- # The transition is requested explicitly by the modified crond |
1289 |
- # via setexeccon. There is no way to set up an automatic |
1290 |
- # transition, since crontabs are configuration files, not executables. |
1291 |
- allow crond_t unconfined_cronjob_t:process transition; |
1292 |
- dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh }; |
1293 |
- allow crond_t unconfined_cronjob_t:fd use; |
1294 |
- |
1295 |
unconfined_domain(unconfined_cronjob_t) |
1296 |
') |
1297 |
|
1298 |
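--- a/policy/modules/contrib/rpm.fc
+++ b/policy/modules/contrib/rpm.fc
@@ -36,7 +36,6 @@ ifdef(`distro_redhat', `
 /var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
 /var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
 
-/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0)
 /var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
 
 /var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0)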