| 1 |
commit: 037a40b8a9a5a201db1cdb0d01e697f227d0dbcd |
| 2 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
| 3 |
AuthorDate: Tue Sep 25 13:55:55 2012 +0000 |
| 4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
| 5 |
CommitDate: Thu Sep 27 17:45:02 2012 +0000 |
| 6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=037a40b8 |
| 7 |
|
| 8 |
Changes to the cron policy module and relevant dependencies |
| 9 |
|
| 10 |
Ported from Fedora with changes |
| 11 |
|
| 12 |
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
| 13 |
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be> |
| 14 |
|
| 15 |
--- |
| 16 |
policy/modules/contrib/cron.fc | 69 ++++---- |
| 17 |
policy/modules/contrib/cron.if | 202 ++++++++++------------- |
| 18 |
policy/modules/contrib/cron.te | 359 +++++++++++++++++++++++++--------------- |
| 19 |
policy/modules/contrib/rpm.fc | 1 - |
| 20 |
4 files changed, 347 insertions(+), 284 deletions(-) |
| 21 |
|
| 22 |
diff --git a/policy/modules/contrib/cron.fc b/policy/modules/contrib/cron.fc |
| 23 |
index 3559a05..df819a3 100644 |
| 24 |
--- a/policy/modules/contrib/cron.fc |
| 25 |
+++ b/policy/modules/contrib/cron.fc |
| 26 |
@@ -1,56 +1,61 @@ |
| 27 |
-/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) |
| 28 |
+/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) |
| 29 |
|
| 30 |
-/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) |
| 31 |
-/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) |
| 32 |
+/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) |
| 33 |
+/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) |
| 34 |
|
| 35 |
-/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0) |
| 36 |
-/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0) |
| 37 |
+/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0) |
| 38 |
+/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0) |
| 39 |
|
| 40 |
-/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0) |
| 41 |
-/usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0) |
| 42 |
-/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0) |
| 43 |
-/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0) |
| 44 |
-/usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0) |
| 45 |
+/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0) |
| 46 |
+/usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0) |
| 47 |
+/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0) |
| 48 |
+/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0) |
| 49 |
+/usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0) |
| 50 |
|
| 51 |
-/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) |
| 52 |
-/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) |
| 53 |
-/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) |
| 54 |
-/var/run/crond\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0) |
| 55 |
-/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) |
| 56 |
-/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) |
| 57 |
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) |
| 58 |
|
| 59 |
-/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) |
| 60 |
-/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0) |
| 61 |
+/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) |
| 62 |
|
| 63 |
-/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0) |
| 64 |
-#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) |
| 65 |
-/var/spool/cron/[^/]* -- <<none>> |
| 66 |
+/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) |
| 67 |
+/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) |
| 68 |
+/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) |
| 69 |
+/var/run/crond?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0) |
| 70 |
+/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) |
| 71 |
+/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) |
| 72 |
+/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0) |
| 73 |
|
| 74 |
-/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0) |
| 75 |
+/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) |
| 76 |
+/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0) |
| 77 |
+ |
| 78 |
+/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0) |
| 79 |
+#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) |
| 80 |
+/var/spool/cron/[^/]* -- <<none>> |
| 81 |
+ |
| 82 |
+/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0) |
| 83 |
/var/spool/cron/crontabs/.* -- <<none>> |
| 84 |
#/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) |
| 85 |
|
| 86 |
-/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0) |
| 87 |
-/var/spool/fcron/.* <<none>> |
| 88 |
+/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0) |
| 89 |
+/var/spool/fcron/.* <<none>> |
| 90 |
/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0) |
| 91 |
-/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) |
| 92 |
+/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) |
| 93 |
/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) |
| 94 |
|
| 95 |
ifdef(`distro_debian',` |
| 96 |
-/var/log/prelink.log -- gen_context(system_u:object_r:cron_log_t,s0) |
| 97 |
+/var/log/prelink.log.* -- gen_context(system_u:object_r:cron_log_t,s0) |
| 98 |
|
| 99 |
-/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0) |
| 100 |
+/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0) |
| 101 |
/var/spool/cron/atjobs/[^/]* -- <<none>> |
| 102 |
-/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0) |
| 103 |
+/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0) |
| 104 |
') |
| 105 |
|
| 106 |
ifdef(`distro_gentoo',` |
| 107 |
-/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) |
| 108 |
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) |
| 109 |
/var/spool/cron/lastrun/[^/]* -- <<none>> |
| 110 |
') |
| 111 |
|
| 112 |
-ifdef(`distro_suse', ` |
| 113 |
-/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) |
| 114 |
+ifdef(`distro_suse',` |
| 115 |
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) |
| 116 |
/var/spool/cron/lastrun/[^/]* -- <<none>> |
| 117 |
-/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) |
| 118 |
+/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) |
| 119 |
') |
| 120 |
|
| 121 |
diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if |
| 122 |
index 6e12dc7..ddc323e 100644 |
| 123 |
--- a/policy/modules/contrib/cron.if |
| 124 |
+++ b/policy/modules/contrib/cron.if |
| 125 |
@@ -2,22 +2,26 @@ |
| 126 |
|
| 127 |
####################################### |
| 128 |
## <summary> |
| 129 |
-## The common rules for a crontab domain. |
| 130 |
+## The template to define a crontab domain. |
| 131 |
## </summary> |
| 132 |
-## <param name="userdomain_prefix"> |
| 133 |
+## <param name="domain_prefix"> |
| 134 |
## <summary> |
| 135 |
-## The prefix of the user domain (e.g., user |
| 136 |
-## is the prefix for user_t). |
| 137 |
+## Domain prefix to be used. |
| 138 |
## </summary> |
| 139 |
## </param> |
| 140 |
# |
| 141 |
template(`cron_common_crontab_template',` |
| 142 |
+ gen_require(` |
| 143 |
+ attribute crontab_domain; |
| 144 |
+ type crontab_exec_t; |
| 145 |
+ ') |
| 146 |
+ |
| 147 |
############################## |
| 148 |
# |
| 149 |
# Declarations |
| 150 |
# |
| 151 |
|
| 152 |
- type $1_t; |
| 153 |
+ type $1_t, crontab_domain; |
| 154 |
userdom_user_application_domain($1_t, crontab_exec_t) |
| 155 |
|
| 156 |
type $1_tmp_t; |
| 157 |
@@ -28,63 +32,12 @@ template(`cron_common_crontab_template',` |
| 158 |
# Local policy |
| 159 |
# |
| 160 |
|
| 161 |
- # dac_override is to create the file in the directory under /tmp |
| 162 |
- allow $1_t self:capability { fowner setuid setgid chown dac_override }; |
| 163 |
- allow $1_t self:process { setsched signal_perms }; |
| 164 |
- allow $1_t self:fifo_file rw_fifo_file_perms; |
| 165 |
- |
| 166 |
- allow $1_t $1_tmp_t:file manage_file_perms; |
| 167 |
- files_tmp_filetrans($1_t, $1_tmp_t, file) |
| 168 |
- |
| 169 |
- # create files in /var/spool/cron |
| 170 |
- manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t) |
| 171 |
- filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file) |
| 172 |
- files_list_spool($1_t) |
| 173 |
- |
| 174 |
- # crontab signals crond by updating the mtime on the spooldir |
| 175 |
- allow $1_t cron_spool_t:dir setattr; |
| 176 |
- |
| 177 |
- kernel_read_system_state($1_t) |
| 178 |
- |
| 179 |
- # for the checks used by crontab -u |
| 180 |
- selinux_dontaudit_search_fs($1_t) |
| 181 |
- |
| 182 |
- fs_getattr_xattr_fs($1_t) |
| 183 |
- |
| 184 |
- domain_use_interactive_fds($1_t) |
| 185 |
- |
| 186 |
- files_read_etc_files($1_t) |
| 187 |
- files_read_usr_files($1_t) |
| 188 |
- files_dontaudit_search_pids($1_t) |
| 189 |
+ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) |
| 190 |
+ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) |
| 191 |
+ files_tmp_filetrans($1_t, $1_tmp_t, { dir file }) |
| 192 |
|
| 193 |
auth_domtrans_chk_passwd($1_t) |
| 194 |
- |
| 195 |
- logging_send_syslog_msg($1_t) |
| 196 |
- logging_send_audit_msgs($1_t) |
| 197 |
- |
| 198 |
- init_dontaudit_write_utmp($1_t) |
| 199 |
- init_read_utmp($1_t) |
| 200 |
- |
| 201 |
- miscfiles_read_localization($1_t) |
| 202 |
- |
| 203 |
- seutil_read_config($1_t) |
| 204 |
- |
| 205 |
- userdom_manage_user_tmp_dirs($1_t) |
| 206 |
- userdom_manage_user_tmp_files($1_t) |
| 207 |
- # Access terminals. |
| 208 |
- userdom_use_user_terminals($1_t) |
| 209 |
- # Read user crontabs |
| 210 |
- userdom_read_user_home_content_files($1_t) |
| 211 |
- |
| 212 |
- tunable_policy(`fcron_crond',` |
| 213 |
- # fcron wants an instant update of a crontab change for the administrator |
| 214 |
- # also crontab does a security check for crontab -u |
| 215 |
- dontaudit $1_t crond_t:process signal; |
| 216 |
- ') |
| 217 |
- |
| 218 |
- optional_policy(` |
| 219 |
- nscd_socket_use($1_t) |
| 220 |
- ') |
| 221 |
+ auth_use_nsswitch($1_t) |
| 222 |
') |
| 223 |
|
| 224 |
######################################## |
| 225 |
@@ -93,38 +46,52 @@ template(`cron_common_crontab_template',` |
| 226 |
## </summary> |
| 227 |
## <param name="role"> |
| 228 |
## <summary> |
| 229 |
-## Role allowed access |
| 230 |
+## Role allowed access. |
| 231 |
## </summary> |
| 232 |
## </param> |
| 233 |
## <param name="domain"> |
| 234 |
## <summary> |
| 235 |
-## User domain for the role |
| 236 |
+## User domain for the role. |
| 237 |
## </summary> |
| 238 |
## </param> |
| 239 |
+## <rolecap/> |
| 240 |
# |
| 241 |
interface(`cron_role',` |
| 242 |
gen_require(` |
| 243 |
type cronjob_t, crontab_t, crontab_exec_t; |
| 244 |
+ type user_cron_spool_t, crond_t; |
| 245 |
') |
| 246 |
|
| 247 |
+ ############################## |
| 248 |
+ # |
| 249 |
+ # Declarations |
| 250 |
+ # |
| 251 |
+ |
| 252 |
role $1 types { cronjob_t crontab_t }; |
| 253 |
|
| 254 |
- # cronjob shows up in user ps |
| 255 |
- ps_process_pattern($2, cronjob_t) |
| 256 |
+ ############################## |
| 257 |
+ # |
| 258 |
+ # Local policy |
| 259 |
+ # |
| 260 |
|
| 261 |
- # Transition from the user domain to the derived domain. |
| 262 |
domtrans_pattern($2, crontab_exec_t, crontab_t) |
| 263 |
|
| 264 |
- # crontab shows up in user ps |
| 265 |
- ps_process_pattern($2, crontab_t) |
| 266 |
- allow $2 crontab_t:process signal; |
| 267 |
+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; |
| 268 |
+ allow $2 crond_t:process sigchld; |
| 269 |
+ |
| 270 |
+ allow $2 user_cron_spool_t:file { getattr read write ioctl }; |
| 271 |
+ |
| 272 |
+ allow $2 crontab_t:process { ptrace signal_perms }; |
| 273 |
+ ps_process_pattern($2, { cronjob_t crontab_t }) |
| 274 |
|
| 275 |
- # Run helper programs as the user domain |
| 276 |
- #corecmd_bin_domtrans(crontab_t, $2) |
| 277 |
- #corecmd_shell_domtrans(crontab_t, $2) |
| 278 |
corecmd_exec_bin(crontab_t) |
| 279 |
corecmd_exec_shell(crontab_t) |
| 280 |
|
| 281 |
+ tunable_policy(`cron_userdomain_transition',` |
| 282 |
+ allow crond_t $2:process transition; |
| 283 |
+ allow $2 user_cron_spool_t:file entrypoint; |
| 284 |
+ ') |
| 285 |
+ |
| 286 |
optional_policy(` |
| 287 |
gen_require(` |
| 288 |
class dbus send_msg; |
| 289 |
@@ -133,7 +100,7 @@ interface(`cron_role',` |
| 290 |
dbus_stub(cronjob_t) |
| 291 |
|
| 292 |
allow cronjob_t $2:dbus send_msg; |
| 293 |
- ') |
| 294 |
+ ') |
| 295 |
') |
| 296 |
|
| 297 |
######################################## |
| 298 |
@@ -153,24 +120,28 @@ interface(`cron_role',` |
| 299 |
# |
| 300 |
interface(`cron_unconfined_role',` |
| 301 |
gen_require(` |
| 302 |
- type unconfined_cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t; |
| 303 |
+ type unconfined_cronjob_t, crontab_t, crontab_exec_t; |
| 304 |
') |
| 305 |
|
| 306 |
+ ############################## |
| 307 |
+ # |
| 308 |
+ # Declarations |
| 309 |
+ # |
| 310 |
+ |
| 311 |
role $1 types { unconfined_cronjob_t crontab_t }; |
| 312 |
|
| 313 |
- # cronjob shows up in user ps |
| 314 |
+ ############################## |
| 315 |
+ # |
| 316 |
+ # Local policy |
| 317 |
+ # |
| 318 |
+ |
| 319 |
ps_process_pattern($2, unconfined_cronjob_t) |
| 320 |
|
| 321 |
- # Transition from the user domain to the derived domain. |
| 322 |
- domtrans_pattern($2, crontab_exec_t, crontab_t) |
| 323 |
+ # domtrans_pattern($2, crontab_exec_t, crontab_t) |
| 324 |
|
| 325 |
- # crontab shows up in user ps |
| 326 |
+ allow $2 crontab_t:process { ptrace signal_perms }; |
| 327 |
ps_process_pattern($2, crontab_t) |
| 328 |
- allow $2 crontab_t:process signal; |
| 329 |
|
| 330 |
- # Run helper programs as the user domain |
| 331 |
- #corecmd_bin_domtrans(crontab_t, $2) |
| 332 |
- #corecmd_shell_domtrans(crontab_t, $2) |
| 333 |
corecmd_exec_bin(crontab_t) |
| 334 |
corecmd_exec_shell(crontab_t) |
| 335 |
|
| 336 |
@@ -182,7 +153,7 @@ interface(`cron_unconfined_role',` |
| 337 |
dbus_stub(unconfined_cronjob_t) |
| 338 |
|
| 339 |
allow unconfined_cronjob_t $2:dbus send_msg; |
| 340 |
- ') |
| 341 |
+ ') |
| 342 |
') |
| 343 |
|
| 344 |
######################################## |
| 345 |
@@ -202,28 +173,22 @@ interface(`cron_unconfined_role',` |
| 346 |
# |
| 347 |
interface(`cron_admin_role',` |
| 348 |
gen_require(` |
| 349 |
- type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t; |
| 350 |
+ type cronjob_t, crontab_exec_t, admin_crontab_t; |
| 351 |
class passwd crontab; |
| 352 |
') |
| 353 |
|
| 354 |
- role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t }; |
| 355 |
+ role $1 types { cronjob_t admin_crontab_t }; |
| 356 |
|
| 357 |
- # cronjob shows up in user ps |
| 358 |
ps_process_pattern($2, cronjob_t) |
| 359 |
|
| 360 |
# Manipulate other users crontab. |
| 361 |
allow $2 self:passwd crontab; |
| 362 |
|
| 363 |
- # Transition from the user domain to the derived domain. |
| 364 |
domtrans_pattern($2, crontab_exec_t, admin_crontab_t) |
| 365 |
|
| 366 |
- # crontab shows up in user ps |
| 367 |
+ allow $2 admin_crontab_t:process { ptrace signal_perms }; |
| 368 |
ps_process_pattern($2, admin_crontab_t) |
| 369 |
- allow $2 admin_crontab_t:process signal; |
| 370 |
|
| 371 |
- # Run helper programs as the user domain |
| 372 |
- #corecmd_bin_domtrans(admin_crontab_t, $2) |
| 373 |
- #corecmd_shell_domtrans(admin_crontab_t, $2) |
| 374 |
corecmd_exec_bin(admin_crontab_t) |
| 375 |
corecmd_exec_shell(admin_crontab_t) |
| 376 |
|
| 377 |
@@ -235,13 +200,13 @@ interface(`cron_admin_role',` |
| 378 |
dbus_stub(admin_cronjob_t) |
| 379 |
|
| 380 |
allow cronjob_t $2:dbus send_msg; |
| 381 |
- ') |
| 382 |
+ ') |
| 383 |
') |
| 384 |
|
| 385 |
######################################## |
| 386 |
## <summary> |
| 387 |
-## Make the specified program domain accessable |
| 388 |
-## from the system cron jobs. |
| 389 |
+## Make the specified program domain |
| 390 |
+## accessable from the system cron jobs. |
| 391 |
## </summary> |
| 392 |
## <param name="domain"> |
| 393 |
## <summary> |
| 394 |
@@ -280,12 +245,13 @@ interface(`cron_domtrans',` |
| 395 |
type system_cronjob_t, crond_exec_t; |
| 396 |
') |
| 397 |
|
| 398 |
+ corecmd_search_bin($1) |
| 399 |
domtrans_pattern($1, crond_exec_t, system_cronjob_t) |
| 400 |
') |
| 401 |
|
| 402 |
######################################## |
| 403 |
## <summary> |
| 404 |
-## Execute crond_exec_t |
| 405 |
+## Execute crond in the caller domain. |
| 406 |
## </summary> |
| 407 |
## <param name="domain"> |
| 408 |
## <summary> |
| 409 |
@@ -298,12 +264,13 @@ interface(`cron_exec',` |
| 410 |
type crond_exec_t; |
| 411 |
') |
| 412 |
|
| 413 |
+ corecmd_search_bin($1) |
| 414 |
can_exec($1, crond_exec_t) |
| 415 |
') |
| 416 |
|
| 417 |
######################################## |
| 418 |
## <summary> |
| 419 |
-## Execute crond server in the nscd domain. |
| 420 |
+## Execute crond server in the crond domain. |
| 421 |
## </summary> |
| 422 |
## <param name="domain"> |
| 423 |
## <summary> |
| 424 |
@@ -321,8 +288,7 @@ interface(`cron_initrc_domtrans',` |
| 425 |
|
| 426 |
######################################## |
| 427 |
## <summary> |
| 428 |
-## Inherit and use a file descriptor |
| 429 |
-## from the cron daemon. |
| 430 |
+## Use crond file descriptors. |
| 431 |
## </summary> |
| 432 |
## <param name="domain"> |
| 433 |
## <summary> |
| 434 |
@@ -340,7 +306,7 @@ interface(`cron_use_fds',` |
| 435 |
|
| 436 |
######################################## |
| 437 |
## <summary> |
| 438 |
-## Send a SIGCHLD signal to the cron daemon. |
| 439 |
+## Send child terminated signals to crond. |
| 440 |
## </summary> |
| 441 |
## <param name="domain"> |
| 442 |
## <summary> |
| 443 |
@@ -358,7 +324,7 @@ interface(`cron_sigchld',` |
| 444 |
|
| 445 |
######################################## |
| 446 |
## <summary> |
| 447 |
-## Read a cron daemon unnamed pipe. |
| 448 |
+## Read cron daemon unnamed pipes. |
| 449 |
## </summary> |
| 450 |
## <param name="domain"> |
| 451 |
## <summary> |
| 452 |
@@ -376,7 +342,8 @@ interface(`cron_read_pipes',` |
| 453 |
|
| 454 |
######################################## |
| 455 |
## <summary> |
| 456 |
-## Do not audit attempts to write cron daemon unnamed pipes. |
| 457 |
+## Do not audit attempts to write |
| 458 |
+## cron daemon unnamed pipes. |
| 459 |
## </summary> |
| 460 |
## <param name="domain"> |
| 461 |
## <summary> |
| 462 |
@@ -394,7 +361,7 @@ interface(`cron_dontaudit_write_pipes',` |
| 463 |
|
| 464 |
######################################## |
| 465 |
## <summary> |
| 466 |
-## Read and write a cron daemon unnamed pipe. |
| 467 |
+## Read and write crond unnamed pipes. |
| 468 |
## </summary> |
| 469 |
## <param name="domain"> |
| 470 |
## <summary> |
| 471 |
@@ -412,7 +379,7 @@ interface(`cron_rw_pipes',` |
| 472 |
|
| 473 |
######################################## |
| 474 |
## <summary> |
| 475 |
-## Read, and write cron daemon TCP sockets. |
| 476 |
+## Read and write crond TCP sockets. |
| 477 |
## </summary> |
| 478 |
## <param name="domain"> |
| 479 |
## <summary> |
| 480 |
@@ -430,7 +397,8 @@ interface(`cron_rw_tcp_sockets',` |
| 481 |
|
| 482 |
######################################## |
| 483 |
## <summary> |
| 484 |
-## Dontaudit Read, and write cron daemon TCP sockets. |
| 485 |
+## Do not audit attempts to read and |
| 486 |
+## write cron daemon TCP sockets. |
| 487 |
## </summary> |
| 488 |
## <param name="domain"> |
| 489 |
## <summary> |
| 490 |
@@ -448,7 +416,7 @@ interface(`cron_dontaudit_rw_tcp_sockets',` |
| 491 |
|
| 492 |
######################################## |
| 493 |
## <summary> |
| 494 |
-## Search the directory containing user cron tables. |
| 495 |
+## Search cron spool directories. |
| 496 |
## </summary> |
| 497 |
## <param name="domain"> |
| 498 |
## <summary> |
| 499 |
@@ -467,7 +435,8 @@ interface(`cron_search_spool',` |
| 500 |
|
| 501 |
######################################## |
| 502 |
## <summary> |
| 503 |
-## Manage pid files used by cron |
| 504 |
+## Create, read, write, and delete |
| 505 |
+## crond pid files. |
| 506 |
## </summary> |
| 507 |
## <param name="domain"> |
| 508 |
## <summary> |
| 509 |
@@ -485,7 +454,8 @@ interface(`cron_manage_pid_files',` |
| 510 |
|
| 511 |
######################################## |
| 512 |
## <summary> |
| 513 |
-## Execute anacron in the cron system domain. |
| 514 |
+## Execute anacron in the cron |
| 515 |
+## system domain. |
| 516 |
## </summary> |
| 517 |
## <param name="domain"> |
| 518 |
## <summary> |
| 519 |
@@ -498,13 +468,13 @@ interface(`cron_anacron_domtrans_system_job',` |
| 520 |
type system_cronjob_t, anacron_exec_t; |
| 521 |
') |
| 522 |
|
| 523 |
+ corecmd_search_bin($1) |
| 524 |
domtrans_pattern($1, anacron_exec_t, system_cronjob_t) |
| 525 |
') |
| 526 |
|
| 527 |
######################################## |
| 528 |
## <summary> |
| 529 |
-## Inherit and use a file descriptor |
| 530 |
-## from system cron jobs. |
| 531 |
+## Use system cron job file descriptors. |
| 532 |
## </summary> |
| 533 |
## <param name="domain"> |
| 534 |
## <summary> |
| 535 |
@@ -522,7 +492,7 @@ interface(`cron_use_system_job_fds',` |
| 536 |
|
| 537 |
######################################## |
| 538 |
## <summary> |
| 539 |
-## Write a system cron job unnamed pipe. |
| 540 |
+## Write system cron job unnamed pipes. |
| 541 |
## </summary> |
| 542 |
## <param name="domain"> |
| 543 |
## <summary> |
| 544 |
@@ -540,7 +510,8 @@ interface(`cron_write_system_job_pipes',` |
| 545 |
|
| 546 |
######################################## |
| 547 |
## <summary> |
| 548 |
-## Read and write a system cron job unnamed pipe. |
| 549 |
+## Read and write system cron job |
| 550 |
+## unnamed pipes. |
| 551 |
## </summary> |
| 552 |
## <param name="domain"> |
| 553 |
## <summary> |
| 554 |
@@ -558,7 +529,8 @@ interface(`cron_rw_system_job_pipes',` |
| 555 |
|
| 556 |
######################################## |
| 557 |
## <summary> |
| 558 |
-## Allow read/write unix stream sockets from the system cron jobs. |
| 559 |
+## Read and write inherited system cron |
| 560 |
+## job unix domain stream sockets. |
| 561 |
## </summary> |
| 562 |
## <param name="domain"> |
| 563 |
## <summary> |
| 564 |
@@ -576,7 +548,7 @@ interface(`cron_rw_system_job_stream_sockets',` |
| 565 |
|
| 566 |
######################################## |
| 567 |
## <summary> |
| 568 |
-## Read temporary files from the system cron jobs. |
| 569 |
+## Read system cron job temporary files. |
| 570 |
## </summary> |
| 571 |
## <param name="domain"> |
| 572 |
## <summary> |
| 573 |
@@ -596,7 +568,7 @@ interface(`cron_read_system_job_tmp_files',` |
| 574 |
######################################## |
| 575 |
## <summary> |
| 576 |
## Do not audit attempts to append temporary |
| 577 |
-## files from the system cron jobs. |
| 578 |
+## system cron job files. |
| 579 |
## </summary> |
| 580 |
## <param name="domain"> |
| 581 |
## <summary> |
| 582 |
@@ -615,7 +587,7 @@ interface(`cron_dontaudit_append_system_job_tmp_files',` |
| 583 |
######################################## |
| 584 |
## <summary> |
| 585 |
## Do not audit attempts to write temporary |
| 586 |
-## files from the system cron jobs. |
| 587 |
+## system cron job files. |
| 588 |
## </summary> |
| 589 |
## <param name="domain"> |
| 590 |
## <summary> |
| 591 |
|
| 592 |
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te |
| 593 |
index f25d9d1..c48cc70 100644 |
| 594 |
--- a/policy/modules/contrib/cron.te |
| 595 |
+++ b/policy/modules/contrib/cron.te |
| 596 |
@@ -1,4 +1,4 @@ |
| 597 |
-policy_module(cron, 2.4.0) |
| 598 |
+policy_module(cron, 2.5.0) |
| 599 |
|
| 600 |
gen_require(` |
| 601 |
class passwd rootok; |
| 602 |
@@ -10,37 +10,47 @@ gen_require(` |
| 603 |
# |
| 604 |
|
| 605 |
## <desc> |
| 606 |
-## <p> |
| 607 |
-## Allow system cron jobs to relabel filesystem |
| 608 |
-## for restoring file contexts. |
| 609 |
-## </p> |
| 610 |
+## <p> |
| 611 |
+## Determine whether system cron jobs |
| 612 |
+## can relabel filesystem for |
| 613 |
+## restoring file contexts. |
| 614 |
+## </p> |
| 615 |
## </desc> |
| 616 |
gen_tunable(cron_can_relabel, false) |
| 617 |
|
| 618 |
## <desc> |
| 619 |
-## <p> |
| 620 |
-## Enable extra rules in the cron domain |
| 621 |
-## to support fcron. |
| 622 |
-## </p> |
| 623 |
+## <p> |
| 624 |
+## Determine whether crond can execute jobs |
| 625 |
+## in the user domain as opposed to the |
| 626 |
+## the generic cronjob domain. |
| 627 |
+## </p> |
| 628 |
+## </desc> |
| 629 |
+gen_tunable(cron_userdomain_transition, false) |
| 630 |
+ |
| 631 |
+## <desc> |
| 632 |
+## <p> |
| 633 |
+## Determine whether extra rules |
| 634 |
+## should beenabled to support fcron. |
| 635 |
+## </p> |
| 636 |
## </desc> |
| 637 |
gen_tunable(fcron_crond, false) |
| 638 |
|
| 639 |
attribute cron_spool_type; |
| 640 |
+attribute crontab_domain; |
| 641 |
|
| 642 |
type anacron_exec_t; |
| 643 |
application_executable_file(anacron_exec_t) |
| 644 |
|
| 645 |
type cron_spool_t; |
| 646 |
files_type(cron_spool_t) |
| 647 |
+mta_system_content(cron_spool_t) |
| 648 |
|
| 649 |
-# var/lib files |
| 650 |
type cron_var_lib_t; |
| 651 |
files_type(cron_var_lib_t) |
| 652 |
|
| 653 |
type cron_var_run_t; |
| 654 |
-files_type(cron_var_run_t) |
| 655 |
+files_pid_file(cron_var_run_t) |
| 656 |
|
| 657 |
-# var/log files |
| 658 |
type cron_log_t; |
| 659 |
logging_log_file(cron_log_t) |
| 660 |
|
| 661 |
@@ -64,9 +74,12 @@ init_script_file(crond_initrc_exec_t) |
| 662 |
|
| 663 |
type crond_tmp_t; |
| 664 |
files_tmp_file(crond_tmp_t) |
| 665 |
+files_poly_parent(crond_tmp_t) |
| 666 |
+mta_system_content(crond_tmp_t) |
| 667 |
|
| 668 |
type crond_var_run_t; |
| 669 |
files_pid_file(crond_var_run_t) |
| 670 |
+mta_system_content(crond_var_run_t) |
| 671 |
|
| 672 |
type crontab_exec_t; |
| 673 |
application_executable_file(crontab_exec_t) |
| 674 |
@@ -96,30 +109,95 @@ files_lock_file(system_cronjob_lock_t) |
| 675 |
type system_cronjob_tmp_t alias system_crond_tmp_t; |
| 676 |
files_tmp_file(system_cronjob_tmp_t) |
| 677 |
|
| 678 |
-ifdef(`enable_mcs',` |
| 679 |
- init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh) |
| 680 |
-') |
| 681 |
+type system_cronjob_var_lib_t; |
| 682 |
+files_type(system_cronjob_var_lib_t) |
| 683 |
+ |
| 684 |
+type system_cronjob_var_run_t; |
| 685 |
+files_pid_file(system_cronjob_var_run_t) |
| 686 |
|
| 687 |
type unconfined_cronjob_t; |
| 688 |
domain_type(unconfined_cronjob_t) |
| 689 |
domain_cron_exemption_target(unconfined_cronjob_t) |
| 690 |
|
| 691 |
-# Type of user crontabs once moved to cron spool. |
| 692 |
type user_cron_spool_t, cron_spool_type; |
| 693 |
typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t }; |
| 694 |
typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t }; |
| 695 |
files_type(user_cron_spool_t) |
| 696 |
ubac_constrained(user_cron_spool_t) |
| 697 |
+mta_system_content(user_cron_spool_t) |
| 698 |
+ |
| 699 |
+ifdef(`enable_mcs',` |
| 700 |
+ init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh) |
| 701 |
+') |
| 702 |
+ |
| 703 |
+############################## |
| 704 |
+# |
| 705 |
+# Common local policy |
| 706 |
+# |
| 707 |
+ |
| 708 |
+allow crontab_domain self:capability { fowner setuid setgid chown dac_override }; |
| 709 |
+allow crontab_domain self:process { getcap setsched signal_perms }; |
| 710 |
+allow crontab_domain self:fifo_file rw_fifo_file_perms; |
| 711 |
+ |
| 712 |
+manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t) |
| 713 |
+filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file) |
| 714 |
+ |
| 715 |
+allow crontab_domain cron_spool_t:dir setattr_dir_perms; |
| 716 |
+ |
| 717 |
+allow crontab_domain crond_t:process signal; |
| 718 |
+allow crontab_domain crond_var_run_t:file read_file_perms; |
| 719 |
+ |
| 720 |
+kernel_read_system_state(crontab_domain) |
| 721 |
+ |
| 722 |
+selinux_dontaudit_search_fs(crontab_domain) |
| 723 |
+ |
| 724 |
+files_list_spool(crontab_domain) |
| 725 |
+files_read_etc_files(crontab_domain) |
| 726 |
+files_read_usr_files(crontab_domain) |
| 727 |
+files_dontaudit_search_pids(crontab_domain) |
| 728 |
+ |
| 729 |
+fs_getattr_xattr_fs(crontab_domain) |
| 730 |
+fs_manage_cgroup_dirs(crontab_domain) |
| 731 |
+fs_rw_cgroup_files(crontab_domain) |
| 732 |
+ |
| 733 |
+domain_use_interactive_fds(crontab_domain) |
| 734 |
+ |
| 735 |
+fs_dontaudit_rw_anon_inodefs_files(crontab_domain) |
| 736 |
+ |
| 737 |
+auth_rw_var_auth(crontab_domain) |
| 738 |
+ |
| 739 |
+logging_send_syslog_msg(crontab_domain) |
| 740 |
+logging_send_audit_msgs(crontab_domain) |
| 741 |
+ |
| 742 |
+init_dontaudit_write_utmp(crontab_domain) |
| 743 |
+init_read_utmp(crontab_domain) |
| 744 |
+init_read_state(crontab_domain) |
| 745 |
+ |
| 746 |
+miscfiles_read_localization(crontab_domain) |
| 747 |
+ |
| 748 |
+seutil_read_config(crontab_domain) |
| 749 |
+ |
| 750 |
+userdom_manage_user_tmp_dirs(crontab_domain) |
| 751 |
+userdom_manage_user_tmp_files(crontab_domain) |
| 752 |
+userdom_use_user_terminals(crontab_domain) |
| 753 |
+userdom_read_user_home_content_files(crontab_domain) |
| 754 |
+userdom_read_user_home_content_symlinks(crontab_domain) |
| 755 |
+ |
| 756 |
+tunable_policy(`cron_userdomain_transition',` |
| 757 |
+ logging_set_loginuid(crontab_domain) |
| 758 |
+') |
| 759 |
+ |
| 760 |
+tunable_policy(`fcron_crond',` |
| 761 |
+ dontaudit crontab_domain crond_t:process signal; |
| 762 |
+') |
| 763 |
|
| 764 |
######################################## |
| 765 |
# |
| 766 |
-# Admin crontab local policy |
| 767 |
+# Admin local policy |
| 768 |
# |
| 769 |
|
| 770 |
-# Allow our crontab domain to unlink a user cron spool file. |
| 771 |
-allow admin_crontab_t user_cron_spool_t:file { getattr read unlink }; |
| 772 |
+allow admin_crontab_t crond_t:process signal; |
| 773 |
|
| 774 |
-# Manipulate other users crontab. |
| 775 |
selinux_get_fs_mount(admin_crontab_t) |
| 776 |
selinux_validate_context(admin_crontab_t) |
| 777 |
selinux_compute_access_vector(admin_crontab_t) |
| 778 |
@@ -127,32 +205,29 @@ selinux_compute_create_context(admin_crontab_t) |
| 779 |
selinux_compute_relabel_context(admin_crontab_t) |
| 780 |
selinux_compute_user_contexts(admin_crontab_t) |
| 781 |
|
| 782 |
-tunable_policy(`fcron_crond', ` |
| 783 |
- # fcron wants an instant update of a crontab change for the administrator |
| 784 |
- # also crontab does a security check for crontab -u |
| 785 |
+tunable_policy(`fcron_crond',` |
| 786 |
allow admin_crontab_t self:process setfscreate; |
| 787 |
') |
| 788 |
|
| 789 |
######################################## |
| 790 |
# |
| 791 |
-# Cron daemon local policy |
| 792 |
+# Daemon local policy |
| 793 |
# |
| 794 |
|
| 795 |
-allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search }; |
| 796 |
+allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search }; |
| 797 |
dontaudit crond_t self:capability { sys_resource sys_tty_config }; |
| 798 |
-allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; |
| 799 |
+allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; |
| 800 |
allow crond_t self:process { setexec setfscreate }; |
| 801 |
allow crond_t self:fd use; |
| 802 |
allow crond_t self:fifo_file rw_fifo_file_perms; |
| 803 |
-allow crond_t self:unix_dgram_socket create_socket_perms; |
| 804 |
-allow crond_t self:unix_stream_socket create_stream_socket_perms; |
| 805 |
allow crond_t self:unix_dgram_socket sendto; |
| 806 |
-allow crond_t self:unix_stream_socket connectto; |
| 807 |
+allow crond_t self:unix_stream_socket { accept connectto listen }; |
| 808 |
allow crond_t self:shm create_shm_perms; |
| 809 |
allow crond_t self:sem create_sem_perms; |
| 810 |
allow crond_t self:msgq create_msgq_perms; |
| 811 |
allow crond_t self:msg { send receive }; |
| 812 |
allow crond_t self:key { search write link }; |
| 813 |
+dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit; |
| 814 |
|
| 815 |
manage_files_pattern(crond_t, cron_log_t, cron_log_t) |
| 816 |
logging_log_filetrans(crond_t, cron_log_t, file) |
| 817 |
@@ -164,69 +239,89 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) |
| 818 |
|
| 819 |
manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t) |
| 820 |
manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t) |
| 821 |
-files_tmp_filetrans(crond_t, crond_tmp_t, { file dir }) |
| 822 |
+files_tmp_filetrans(crond_t, crond_tmp_t, { dir file }) |
| 823 |
|
| 824 |
list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) |
| 825 |
read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) |
| 826 |
|
| 827 |
+list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) |
| 828 |
+rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) |
| 829 |
+read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) |
| 830 |
+read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) |
| 831 |
+allow crond_t user_cron_spool_t:file manage_lnk_file_perms; |
| 832 |
+ |
| 833 |
+allow crond_t { cronjob_t system_cronjob_t unconfined_cronjob_t }:process transition; |
| 834 |
+allow crond_t { cronjob_t system_cronjob_t unconfined_cronjob_t }:fd use; |
| 835 |
+allow crond_t { cronjob_t system_cronjob_t unconfined_cronjob_t }:key manage_key_perms; |
| 836 |
+dontaudit crond_t { cronjob_t system_cronjob_t unconfined_cronjob_t }:process { noatsecure siginh rlimitinh }; |
| 837 |
+ |
| 838 |
+domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t) |
| 839 |
+ |
| 840 |
kernel_read_kernel_sysctls(crond_t) |
| 841 |
kernel_read_fs_sysctls(crond_t) |
| 842 |
kernel_search_key(crond_t) |
| 843 |
|
| 844 |
-dev_read_sysfs(crond_t) |
| 845 |
-selinux_get_fs_mount(crond_t) |
| 846 |
-selinux_validate_context(crond_t) |
| 847 |
-selinux_compute_access_vector(crond_t) |
| 848 |
-selinux_compute_create_context(crond_t) |
| 849 |
-selinux_compute_relabel_context(crond_t) |
| 850 |
-selinux_compute_user_contexts(crond_t) |
| 851 |
+corecmd_exec_shell(crond_t) |
| 852 |
+corecmd_exec_bin(crond_t) |
| 853 |
+corecmd_list_bin(crond_t) |
| 854 |
|
| 855 |
+dev_read_sysfs(crond_t) |
| 856 |
dev_read_urand(crond_t) |
| 857 |
|
| 858 |
+domain_use_interactive_fds(crond_t) |
| 859 |
+domain_subj_id_change_exemption(crond_t) |
| 860 |
+domain_role_change_exemption(crond_t) |
| 861 |
+ |
| 862 |
fs_getattr_all_fs(crond_t) |
| 863 |
-fs_search_auto_mountpoints(crond_t) |
| 864 |
fs_list_inotifyfs(crond_t) |
| 865 |
- |
| 866 |
-# need auth_chkpwd to check for locked accounts. |
| 867 |
-auth_domtrans_chk_passwd(crond_t) |
| 868 |
- |
| 869 |
-corecmd_exec_shell(crond_t) |
| 870 |
-corecmd_list_bin(crond_t) |
| 871 |
-corecmd_read_bin_symlinks(crond_t) |
| 872 |
- |
| 873 |
-domain_use_interactive_fds(crond_t) |
| 874 |
+fs_manage_cgroup_dirs(crond_t) |
| 875 |
+fs_rw_cgroup_files(crond_t) |
| 876 |
+fs_search_auto_mountpoints(crond_t) |
| 877 |
|
| 878 |
files_read_usr_files(crond_t) |
| 879 |
files_read_etc_runtime_files(crond_t) |
| 880 |
-files_read_etc_files(crond_t) |
| 881 |
files_read_generic_spool(crond_t) |
| 882 |
files_list_usr(crond_t) |
| 883 |
-# Read from /var/spool/cron. |
| 884 |
files_search_var_lib(crond_t) |
| 885 |
files_search_default(crond_t) |
| 886 |
|
| 887 |
+mls_fd_share_all_levels(crond_t) |
| 888 |
+# crontab -e and kernel check of transition |
| 889 |
+mls_file_read_all_levels(crond_t) |
| 890 |
+mls_file_write_all_levels(crond_t) |
| 891 |
+mls_process_set_level(crond_t) |
| 892 |
+mls_trusted_object(crond_t) |
| 893 |
+ |
| 894 |
+selinux_get_fs_mount(crond_t) |
| 895 |
+selinux_validate_context(crond_t) |
| 896 |
+selinux_compute_access_vector(crond_t) |
| 897 |
+selinux_compute_create_context(crond_t) |
| 898 |
+selinux_compute_relabel_context(crond_t) |
| 899 |
+selinux_compute_user_contexts(crond_t) |
| 900 |
+ |
| 901 |
+init_read_state(crond_t) |
| 902 |
init_rw_utmp(crond_t) |
| 903 |
init_spec_domtrans_script(crond_t) |
| 904 |
|
| 905 |
+auth_domtrans_chk_passwd(crond_t) |
| 906 |
+auth_manage_var_auth(crond_t) |
| 907 |
auth_use_nsswitch(crond_t) |
| 908 |
|
| 909 |
+logging_send_audit_msgs(crond_t) |
| 910 |
logging_send_syslog_msg(crond_t) |
| 911 |
logging_set_loginuid(crond_t) |
| 912 |
|
| 913 |
seutil_read_config(crond_t) |
| 914 |
seutil_read_default_contexts(crond_t) |
| 915 |
-seutil_sigchld_newrole(crond_t) |
| 916 |
|
| 917 |
miscfiles_read_localization(crond_t) |
| 918 |
|
| 919 |
userdom_use_unpriv_users_fds(crond_t) |
| 920 |
-# Not sure why this is needed |
| 921 |
userdom_list_user_home_dirs(crond_t) |
| 922 |
|
| 923 |
mta_send_mail(crond_t) |
| 924 |
|
| 925 |
ifdef(`distro_debian',` |
| 926 |
- # pam_limits is used |
| 927 |
allow crond_t self:process setrlimit; |
| 928 |
|
| 929 |
optional_policy(` |
| 930 |
@@ -235,9 +330,7 @@ ifdef(`distro_debian',` |
| 931 |
') |
| 932 |
') |
| 933 |
|
| 934 |
-ifdef(`distro_redhat', ` |
| 935 |
- # Run the rpm program in the rpm_t domain. Allow creation of RPM log files |
| 936 |
- # via redirection of standard out. |
| 937 |
+ifdef(`distro_redhat',` |
| 938 |
optional_policy(` |
| 939 |
rpm_manage_log(crond_t) |
| 940 |
') |
| 941 |
@@ -252,6 +345,27 @@ tunable_policy(`fcron_crond', ` |
| 942 |
') |
| 943 |
|
| 944 |
optional_policy(` |
| 945 |
+ apache_search_sys_content(crond_t) |
| 946 |
+') |
| 947 |
+ |
| 948 |
+optional_policy(` |
| 949 |
+ dbus_system_bus_client(crond_t) |
| 950 |
+ |
| 951 |
+ optional_policy(` |
| 952 |
+ hal_dbus_chat(crond_t) |
| 953 |
+ ') |
| 954 |
+ |
| 955 |
+ optional_policy(` |
| 956 |
+ unconfined_dbus_send(crond_t) |
| 957 |
+ ') |
| 958 |
+') |
| 959 |
+ |
| 960 |
+optional_policy(` |
| 961 |
+ djbdns_search_tinydns_keys(crond_t) |
| 962 |
+ djbdns_link_tinydns_keys(crond_t) |
| 963 |
+') |
| 964 |
+ |
| 965 |
+optional_policy(` |
| 966 |
locallogin_search_keys(crond_t) |
| 967 |
locallogin_link_keys(crond_t) |
| 968 |
') |
| 969 |
@@ -265,11 +379,10 @@ optional_policy(` |
| 970 |
') |
| 971 |
|
| 972 |
optional_policy(` |
| 973 |
- hal_dbus_chat(crond_t) |
| 974 |
+ hal_write_log(crond_t) |
| 975 |
') |
| 976 |
|
| 977 |
optional_policy(` |
| 978 |
- # cjp: why? |
| 979 |
munin_search_lib(crond_t) |
| 980 |
') |
| 981 |
|
| 982 |
@@ -278,22 +391,24 @@ optional_policy(` |
| 983 |
') |
| 984 |
|
| 985 |
optional_policy(` |
| 986 |
- # Commonly used from postinst scripts |
| 987 |
rpm_read_pipes(crond_t) |
| 988 |
') |
| 989 |
|
| 990 |
optional_policy(` |
| 991 |
- # allow crond to find /usr/lib/postgresql/bin/do.maintenance |
| 992 |
postgresql_search_db(crond_t) |
| 993 |
') |
| 994 |
|
| 995 |
optional_policy(` |
| 996 |
+ seutil_sigchld_newrole(crond_t) |
| 997 |
+') |
| 998 |
+ |
| 999 |
+optional_policy(` |
| 1000 |
udev_read_db(crond_t) |
| 1001 |
') |
| 1002 |
|
| 1003 |
######################################## |
| 1004 |
# |
| 1005 |
-# System cron process domain |
| 1006 |
+# System local policy |
| 1007 |
# |
| 1008 |
|
| 1009 |
allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice }; |
| 1010 |
@@ -301,56 +416,41 @@ allow system_cronjob_t self:process { signal_perms getsched setsched }; |
| 1011 |
allow system_cronjob_t self:fifo_file rw_fifo_file_perms; |
| 1012 |
allow system_cronjob_t self:passwd rootok; |
| 1013 |
|
| 1014 |
-# This is to handle creation of files in /var/log directory. |
| 1015 |
-# Used currently by rpm script log files |
| 1016 |
allow system_cronjob_t cron_log_t:file manage_file_perms; |
| 1017 |
logging_log_filetrans(system_cronjob_t, cron_log_t, file) |
| 1018 |
|
| 1019 |
-# This is to handle /var/lib/misc directory. Used currently |
| 1020 |
-# by prelink var/lib files for cron |
| 1021 |
-allow system_cronjob_t cron_var_lib_t:file manage_file_perms; |
| 1022 |
+allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms }; |
| 1023 |
files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file) |
| 1024 |
|
| 1025 |
-allow system_cronjob_t system_cron_spool_t:file read_file_perms; |
| 1026 |
-# The entrypoint interface is not used as this is not |
| 1027 |
-# a regular entrypoint. Since crontab files are |
| 1028 |
-# not directly executed, crond must ensure that |
| 1029 |
-# the crontab file has a type that is appropriate |
| 1030 |
-# for the domain of the user cron job. It |
| 1031 |
-# performs an entrypoint permission check |
| 1032 |
-# for this purpose. |
| 1033 |
-allow system_cronjob_t system_cron_spool_t:file entrypoint; |
| 1034 |
+allow system_cronjob_t cron_var_run_t:file manage_file_perms; |
| 1035 |
+files_pid_filetrans(system_cronjob_t, cron_var_run_t, file) |
| 1036 |
|
| 1037 |
-# Permit a transition from the crond_t domain to this domain. |
| 1038 |
-# The transition is requested explicitly by the modified crond |
| 1039 |
-# via setexeccon. There is no way to set up an automatic |
| 1040 |
-# transition, since crontabs are configuration files, not executables. |
| 1041 |
-allow crond_t system_cronjob_t:process transition; |
| 1042 |
-dontaudit crond_t system_cronjob_t:process { noatsecure siginh rlimitinh }; |
| 1043 |
-allow crond_t system_cronjob_t:fd use; |
| 1044 |
-allow system_cronjob_t crond_t:fd use; |
| 1045 |
-allow system_cronjob_t crond_t:fifo_file rw_file_perms; |
| 1046 |
-allow system_cronjob_t crond_t:process sigchld; |
| 1047 |
+manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t) |
| 1048 |
+allow system_cronjob_t system_cron_spool_t:file entrypoint; |
| 1049 |
|
| 1050 |
-# Write /var/lock/makewhatis.lock. |
| 1051 |
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; |
| 1052 |
files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file) |
| 1053 |
|
| 1054 |
-# write temporary files |
| 1055 |
manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) |
| 1056 |
manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) |
| 1057 |
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) |
| 1058 |
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) |
| 1059 |
|
| 1060 |
-# Read from /var/spool/cron. |
| 1061 |
+files_search_var_lib(system_cronjob_t) |
| 1062 |
+manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t) |
| 1063 |
+ |
| 1064 |
+allow system_cronjob_t crond_t:fd use; |
| 1065 |
+allow system_cronjob_t crond_t:fifo_file rw_file_perms; |
| 1066 |
+allow system_cronjob_t crond_t:process sigchld; |
| 1067 |
+ |
| 1068 |
allow system_cronjob_t cron_spool_t:dir list_dir_perms; |
| 1069 |
-allow system_cronjob_t cron_spool_t:file read_file_perms; |
| 1070 |
+allow system_cronjob_t cron_spool_t:file rw_file_perms; |
| 1071 |
|
| 1072 |
kernel_read_kernel_sysctls(system_cronjob_t) |
| 1073 |
+kernel_read_network_state(system_cronjob_t) |
| 1074 |
kernel_read_system_state(system_cronjob_t) |
| 1075 |
kernel_read_software_raid_state(system_cronjob_t) |
| 1076 |
|
| 1077 |
-# ps does not need to access /boot when run from cron |
| 1078 |
files_dontaudit_search_boot(system_cronjob_t) |
| 1079 |
|
| 1080 |
corecmd_exec_all_executables(system_cronjob_t) |
| 1081 |
@@ -367,6 +467,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t) |
| 1082 |
dev_getattr_all_blk_files(system_cronjob_t) |
| 1083 |
dev_getattr_all_chr_files(system_cronjob_t) |
| 1084 |
dev_read_urand(system_cronjob_t) |
| 1085 |
+dev_read_sysfs(system_cronjob_t) |
| 1086 |
|
| 1087 |
fs_getattr_all_fs(system_cronjob_t) |
| 1088 |
fs_getattr_all_files(system_cronjob_t) |
| 1089 |
@@ -374,11 +475,9 @@ fs_getattr_all_symlinks(system_cronjob_t) |
| 1090 |
fs_getattr_all_pipes(system_cronjob_t) |
| 1091 |
fs_getattr_all_sockets(system_cronjob_t) |
| 1092 |
|
| 1093 |
-# quiet other ps operations |
| 1094 |
domain_dontaudit_read_all_domains_state(system_cronjob_t) |
| 1095 |
|
| 1096 |
files_exec_etc_files(system_cronjob_t) |
| 1097 |
-files_read_etc_files(system_cronjob_t) |
| 1098 |
files_read_etc_runtime_files(system_cronjob_t) |
| 1099 |
files_list_all(system_cronjob_t) |
| 1100 |
files_getattr_all_dirs(system_cronjob_t) |
| 1101 |
@@ -388,16 +487,14 @@ files_getattr_all_pipes(system_cronjob_t) |
| 1102 |
files_getattr_all_sockets(system_cronjob_t) |
| 1103 |
files_read_usr_files(system_cronjob_t) |
| 1104 |
files_read_var_files(system_cronjob_t) |
| 1105 |
-# for nscd: |
| 1106 |
files_dontaudit_search_pids(system_cronjob_t) |
| 1107 |
-# Access other spool directories like |
| 1108 |
-# /var/spool/anacron and /var/spool/slrnpull. |
| 1109 |
files_manage_generic_spool(system_cronjob_t) |
| 1110 |
+files_create_boot_flag(system_cronjob_t) |
| 1111 |
+ |
| 1112 |
+mls_file_read_to_clearance(system_cronjob_t) |
| 1113 |
|
| 1114 |
init_use_script_fds(system_cronjob_t) |
| 1115 |
-init_read_utmp(system_cronjob_t) |
| 1116 |
-init_dontaudit_rw_utmp(system_cronjob_t) |
| 1117 |
-# prelink tells init to restart it self, we either need to allow or dontaudit |
| 1118 |
+init_rw_utmp(system_cronjob_t) |
| 1119 |
init_telinit(system_cronjob_t) |
| 1120 |
init_domtrans_script(system_cronjob_t) |
| 1121 |
|
| 1122 |
@@ -415,9 +512,7 @@ miscfiles_manage_man_pages(system_cronjob_t) |
| 1123 |
|
| 1124 |
seutil_read_config(system_cronjob_t) |
| 1125 |
|
| 1126 |
-ifdef(`distro_redhat', ` |
| 1127 |
- # Run the rpm program in the rpm_t domain. Allow creation of RPM log files |
| 1128 |
- # via redirection of standard out. |
| 1129 |
+ifdef(`distro_redhat',` |
| 1130 |
optional_policy(` |
| 1131 |
rpm_manage_log(system_cronjob_t) |
| 1132 |
') |
| 1133 |
@@ -436,7 +531,6 @@ tunable_policy(`cron_can_relabel',` |
| 1134 |
') |
| 1135 |
|
| 1136 |
optional_policy(` |
| 1137 |
- # Needed for certwatch |
| 1138 |
apache_exec_modules(system_cronjob_t) |
| 1139 |
apache_read_config(system_cronjob_t) |
| 1140 |
apache_read_log(system_cronjob_t) |
| 1141 |
@@ -448,6 +542,18 @@ optional_policy(` |
| 1142 |
') |
| 1143 |
|
| 1144 |
optional_policy(` |
| 1145 |
+ dbus_system_bus_client(system_cronjob_t) |
| 1146 |
+ |
| 1147 |
+ optional_policy(` |
| 1148 |
+ networkmanager_dbus_chat(system_cronjob_t) |
| 1149 |
+ ') |
| 1150 |
+') |
| 1151 |
+ |
| 1152 |
+optional_policy(` |
| 1153 |
+ exim_read_spool_files(system_cronjob_t) |
| 1154 |
+') |
| 1155 |
+ |
| 1156 |
+optional_policy(` |
| 1157 |
ftp_read_log(system_cronjob_t) |
| 1158 |
') |
| 1159 |
|
| 1160 |
@@ -458,6 +564,10 @@ optional_policy(` |
| 1161 |
') |
| 1162 |
|
| 1163 |
optional_policy(` |
| 1164 |
+ livecd_read_tmp_files(system_cronjob_t) |
| 1165 |
+') |
| 1166 |
+ |
| 1167 |
+optional_policy(` |
| 1168 |
lpd_list_spool(system_cronjob_t) |
| 1169 |
') |
| 1170 |
|
| 1171 |
@@ -466,6 +576,7 @@ optional_policy(` |
| 1172 |
') |
| 1173 |
|
| 1174 |
optional_policy(` |
| 1175 |
+ mta_read_config(system_cronjob_t) |
| 1176 |
mta_send_mail(system_cronjob_t) |
| 1177 |
') |
| 1178 |
|
| 1179 |
@@ -488,7 +599,6 @@ optional_policy(` |
| 1180 |
optional_policy(` |
| 1181 |
samba_read_config(system_cronjob_t) |
| 1182 |
samba_read_log(system_cronjob_t) |
| 1183 |
- #samba_read_secrets(system_cronjob_t) |
| 1184 |
') |
| 1185 |
|
| 1186 |
optional_policy(` |
| 1187 |
@@ -504,13 +614,12 @@ optional_policy(` |
| 1188 |
') |
| 1189 |
|
| 1190 |
optional_policy(` |
| 1191 |
- unconfined_domain(system_cronjob_t) |
| 1192 |
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) |
| 1193 |
') |
| 1194 |
|
| 1195 |
######################################## |
| 1196 |
# |
| 1197 |
-# User cronjobs local policy |
| 1198 |
+# Cronjob local policy |
| 1199 |
# |
| 1200 |
|
| 1201 |
allow cronjob_t self:process { signal_perms setsched }; |
| 1202 |
@@ -542,7 +651,6 @@ allow cronjob_t crond_t:process sigchld; |
| 1203 |
kernel_read_system_state(cronjob_t) |
| 1204 |
kernel_read_kernel_sysctls(cronjob_t) |
| 1205 |
|
| 1206 |
-# ps does not need to access /boot when run from cron |
| 1207 |
files_dontaudit_search_boot(cronjob_t) |
| 1208 |
|
| 1209 |
corenet_all_recvfrom_unlabeled(cronjob_t) |
| 1210 |
@@ -553,31 +661,29 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) |
| 1211 |
corenet_udp_sendrecv_generic_node(cronjob_t) |
| 1212 |
corenet_tcp_sendrecv_all_ports(cronjob_t) |
| 1213 |
corenet_udp_sendrecv_all_ports(cronjob_t) |
| 1214 |
-corenet_tcp_connect_all_ports(cronjob_t) |
| 1215 |
+ |
| 1216 |
corenet_sendrecv_all_client_packets(cronjob_t) |
| 1217 |
+corenet_tcp_connect_all_ports(cronjob_t) |
| 1218 |
+ |
| 1219 |
+corecmd_exec_all_executables(cronjob_t) |
| 1220 |
|
| 1221 |
dev_read_urand(cronjob_t) |
| 1222 |
|
| 1223 |
fs_getattr_all_fs(cronjob_t) |
| 1224 |
|
| 1225 |
-corecmd_exec_all_executables(cronjob_t) |
| 1226 |
- |
| 1227 |
-# quiet other ps operations |
| 1228 |
domain_dontaudit_read_all_domains_state(cronjob_t) |
| 1229 |
domain_dontaudit_getattr_all_domains(cronjob_t) |
| 1230 |
|
| 1231 |
-files_read_usr_files(cronjob_t) |
| 1232 |
files_exec_etc_files(cronjob_t) |
| 1233 |
-# for nscd: |
| 1234 |
+files_read_etc_runtime_files(cronjob_t) |
| 1235 |
+files_read_var_files(cronjob_t) |
| 1236 |
+files_read_usr_files(cronjob_t) |
| 1237 |
+files_search_spool(cronjob_t) |
| 1238 |
files_dontaudit_search_pids(cronjob_t) |
| 1239 |
|
| 1240 |
libs_exec_lib_files(cronjob_t) |
| 1241 |
libs_exec_ld_so(cronjob_t) |
| 1242 |
|
| 1243 |
-files_read_etc_runtime_files(cronjob_t) |
| 1244 |
-files_read_var_files(cronjob_t) |
| 1245 |
-files_search_spool(cronjob_t) |
| 1246 |
- |
| 1247 |
logging_search_logs(cronjob_t) |
| 1248 |
|
| 1249 |
seutil_read_config(cronjob_t) |
| 1250 |
@@ -588,44 +694,25 @@ userdom_manage_user_tmp_files(cronjob_t) |
| 1251 |
userdom_manage_user_tmp_symlinks(cronjob_t) |
| 1252 |
userdom_manage_user_tmp_pipes(cronjob_t) |
| 1253 |
userdom_manage_user_tmp_sockets(cronjob_t) |
| 1254 |
-# Run scripts in user home directory and access shared libs. |
| 1255 |
userdom_exec_user_home_content_files(cronjob_t) |
| 1256 |
-# Access user files and dirs. |
| 1257 |
userdom_manage_user_home_content_files(cronjob_t) |
| 1258 |
userdom_manage_user_home_content_symlinks(cronjob_t) |
| 1259 |
userdom_manage_user_home_content_pipes(cronjob_t) |
| 1260 |
userdom_manage_user_home_content_sockets(cronjob_t) |
| 1261 |
-#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) |
| 1262 |
|
| 1263 |
-list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) |
| 1264 |
-read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) |
| 1265 |
- |
| 1266 |
-tunable_policy(`fcron_crond', ` |
| 1267 |
+tunable_policy(`fcron_crond',` |
| 1268 |
allow crond_t user_cron_spool_t:file manage_file_perms; |
| 1269 |
') |
| 1270 |
|
| 1271 |
-# need a per-role version of this: |
| 1272 |
-#optional_policy(` |
| 1273 |
-# mono_domtrans(cronjob_t) |
| 1274 |
-#') |
| 1275 |
- |
| 1276 |
optional_policy(` |
| 1277 |
nis_use_ypbind(cronjob_t) |
| 1278 |
') |
| 1279 |
|
| 1280 |
######################################## |
| 1281 |
# |
| 1282 |
-# Unconfined cronjobs local policy |
| 1283 |
+# Unconfined local policy |
| 1284 |
# |
| 1285 |
|
| 1286 |
optional_policy(` |
| 1287 |
- # Permit a transition from the crond_t domain to this domain. |
| 1288 |
- # The transition is requested explicitly by the modified crond |
| 1289 |
- # via setexeccon. There is no way to set up an automatic |
| 1290 |
- # transition, since crontabs are configuration files, not executables. |
| 1291 |
- allow crond_t unconfined_cronjob_t:process transition; |
| 1292 |
- dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh }; |
| 1293 |
- allow crond_t unconfined_cronjob_t:fd use; |
| 1294 |
- |
| 1295 |
unconfined_domain(unconfined_cronjob_t) |
| 1296 |
') |
| 1297 |
|
| 1298 |
diff --git a/policy/modules/contrib/rpm.fc b/policy/modules/contrib/rpm.fc |
| 1299 |
index b2a0b6a..02223c4 100644 |
| 1300 |
--- a/policy/modules/contrib/rpm.fc |
| 1301 |
+++ b/policy/modules/contrib/rpm.fc |
| 1302 |
@@ -36,7 +36,6 @@ ifdef(`distro_redhat', ` |
| 1303 |
/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) |
| 1304 |
/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) |
| 1305 |
|
| 1306 |
-/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0) |
| 1307 |
/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) |
| 1308 |
|
| 1309 |
/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0) |
Archives