Gentoo Archives: gentoo-commits

From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Wed, 21 Nov 2012 21:03:00
Message-Id: 1353531517.18a25fea6f668acb55b05bd8f791448f3a230172.SwifT@gentoo
1 commit: 18a25fea6f668acb55b05bd8f791448f3a230172
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Sat Nov 17 20:58:51 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Wed Nov 21 20:58:37 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=18a25fea
7
8 Support at service
9
10 The at daemon allows users and system administrators to define tasks to be
11 executed once on a particular time. The at service captures the current
12 session's environment and stores it as part of the task to be executed.
13
14 When run, at "locks" the job (in the /var/spool/at/atjobs location) and executes
15 it, capturing its output in the /var/spool/at/atspool location.
16
17 Because of this log output capturing, it doesn't make sense to keep the atspool
18 location as user_cron_spool_t, as any service run through at needs to be able to
19 write to this location, and we don't want such services to have write access to
20 the user_cron_spool_t type. Hence we introduce the user_cron_spool_log_t type
21 for the logging output, allow it to be read by the system mailer (as it is
22 invoked to send the resulting output) and written by any service that is allowed
23 to be called by cron (through cron_system_entry).
24
25 The cron daemon requires manage privileges on the /var/spool/at/atjobs location
26 (labeled user_cron_spool_t) as it uses locking techniques on the at job scripts
27 themselves (lock files) and removes the scripts once executed.
28
29 The capability for the admin_crontab_t only seems to be needed for the
30 admin_crontab_t domain; using the regular crontab_t domain for users does not
31 exhibit this behavior.
32
33 Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
34
35 ---
36 policy/modules/contrib/cron.fc | 1 +
37 policy/modules/contrib/cron.if | 3 +++
38 policy/modules/contrib/cron.te | 10 +++++++++-
39 3 files changed, 13 insertions(+), 1 deletions(-)
40
41 diff --git a/policy/modules/contrib/cron.fc b/policy/modules/contrib/cron.fc
42 index 8e3db6b..b2d6309 100644
43 --- a/policy/modules/contrib/cron.fc
44 +++ b/policy/modules/contrib/cron.fc
45 @@ -27,6 +27,7 @@
46
47 /var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
48 /var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
49 +/var/spool/at/atspool(/.*)? gen_context(system_u:object_r:user_cron_spool_log_t,s0)
50
51 /var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
52 #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
53
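Review bot: the new `/var/spool/at/atspool(/.*)?` entry also relabels the atspool directory itself (not only the files under it) to user_cron_spool_log_t, so every domain that touches the output files needs dir permissions on that type as well; the cron.te and cron.if changes in this series rely on the pattern macros for that, which is worth stating in the commit message. Existing installations will not pick up the new label until the spool is relabeled (`restorecon -R /var/spool/at`), so a note for users would be appropriate.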
54 diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if
55 index 5d1a48e..2b859e5 100644
56 --- a/policy/modules/contrib/cron.if
57 +++ b/policy/modules/contrib/cron.if
58 @@ -307,8 +307,11 @@ interface(`cron_admin_role',`
59 interface(`cron_system_entry',`
60 gen_require(`
61 type crond_t, system_cronjob_t;
62 + type user_cron_spool_log_t;
63 ')
64
65 + rw_files_pattern($1, user_cron_spool_log_t, user_cron_spool_log_t)
66 +
67 domtrans_pattern(system_cronjob_t, $2, $1)
68 domtrans_pattern(crond_t, $2, $1)
69
70
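Review bot: `rw_files_pattern($1, user_cron_spool_log_t, user_cron_spool_log_t)` grants every cron_system_entry() caller read as well as write access to all at output files, which share a single type regardless of which user queued the job; the only separation is the `ubac_constrained()` applied to the type in cron.te, which is a no-op on policies built without UBAC. If jobs only ever write to an output file that atd opened and handed down, a write-only pattern would be the least-privilege choice; either way the interface's documentation comment should mention the new access so callers know they are inheriting it.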
71 diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
72 index 2f67878..d4b839b 100644
73 --- a/policy/modules/contrib/cron.te
74 +++ b/policy/modules/contrib/cron.te
75 @@ -134,6 +134,11 @@ ifdef(`distro_gentoo',`
76 logging_syslog_managed_log_file(cron_log_t, "cron.log")
77 ')
78
79 +type user_cron_spool_log_t;
80 +logging_log_file(user_cron_spool_log_t)
81 +ubac_constrained(user_cron_spool_log_t)
82 +mta_system_content(user_cron_spool_log_t)
83 +
84 ifdef(`enable_mcs',`
85 init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
86 ')
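Review bot: the `type user_cron_spool_log_t;` declaration is placed between the `distro_gentoo` block and the `enable_mcs` block rather than alongside the other spool type declarations (user_cron_spool_t and friends); refpolicy style keeps the type declarations grouped and ordered, so moving it next to user_cron_spool_t and adding a short comment on its purpose (at job output, readable by the mailer) would make the declaration easier to find. Since `logging_log_file()` marks this a log file type, confirm that is intended, as it also makes the type subject to whatever generic log-file access other modules request.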
87 @@ -201,6 +206,7 @@ tunable_policy(`fcron_crond',`
88 # Admin local policy
89 #
90
91 +allow admin_crontab_t self:capability fsetid;
92 allow admin_crontab_t crond_t:process signal;
93
94 selinux_get_fs_mount(admin_crontab_t)
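Review bot: `allow admin_crontab_t self:capability fsetid;` is added without a comment, while the commit message itself says the need "only seems" to exist for admin_crontab_t. fsetid is only required when a process writes to or chmods a file while preserving a setuid/setgid bit; if the denial is a side effect rather than a functional requirement, the refpolicy convention is a `dontaudit` rather than an `allow`. Please add a comment stating the observed operation that needs it, or switch to `dontaudit` if the job submission still works without it.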
95 @@ -254,9 +260,11 @@ list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
96 read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
97
98 rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
99 -read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
100 +manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
101 manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
102
103 +manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t)
104 +
105 allow crond_t system_cronjob_t:process transition;
106 allow crond_t system_cronjob_t:fd use;
107 allow crond_t system_cronjob_t:key manage_key_perms;
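Review bot: the change from `read_files_pattern` to `manage_files_pattern` on user_cron_spool_t is justified by the message (atd renames and removes job files), but the `manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t)` line gives crond_t only `rw_dir_perms` on the atspool directory; if atd has to create the atspool directory on first start, a `create_dirs_pattern` (or `manage_dirs_pattern`) on user_cron_spool_log_t is needed too, so please confirm the directory is shipped by the package. Output files created by crond_t inside the atspool directory inherit user_cron_spool_log_t from the directory label, so no `filetrans_pattern` is required here; a brief comment next to these lines saying so would help future readers.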