commit: 18a25fea6f668acb55b05bd8f791448f3a230172 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Sat Nov 17 20:58:51 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Wed Nov 21 20:58:37 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=18a25fea |
|
Support at service |
|
The at daemon allows users and system administrators to define tasks to be |
executed once on a particular time. The at service captures the current |
session's environment and stores it as part of the task to be executed. |
|
When run, at "locks" the job (in the /var/spool/at/atjobs location) and executes |
it, capturing its output in the /var/spool/at/atspool location. |
|
Because of this log output capturing, it doesn't make sense to keep the atspool |
location as user_cron_spool_t as any service ran through at needs to be able to |
write to this location, and we don't want such services to have write access to |
the user_cron_spool_t type. Hence we introduce the user_cron_spool_log_t type |
for the logging output, allow it to be read by the system mailer (as it is |
invoked to send the resulting output) and written by any service that is allowed |
to be called by cron (through cron_system_entry). |
|
The cron daemon requires manage privileges on the /var/spool/at/atjobs location |
(labeled user_cron_spool_t) as it uses locking techniques on the at job scripts |
themselves (lock files) and removes the scripts once executed. |
|
The capability for the admin_crontab_t only seems to be needed for the |
admin_crontab_t domain, using the regular crontab_t domain for users does not |
exhibit this behavior. |
|
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be> |
|
--- |
policy/modules/contrib/cron.fc | 1 + |
policy/modules/contrib/cron.if | 3 +++ |
policy/modules/contrib/cron.te | 10 +++++++++- |
3 files changed, 13 insertions(+), 1 deletions(-) |
|
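diff --git a/policy/modules/contrib/cron.fc b/policy/modules/contrib/cron.fc
index 8e3db6b..b2d6309 100644
--- a/policy/modules/contrib/cron.fc
+++ b/policy/modules/contrib/cron.fc
@@ -27,6 +27,7 @@
 
 /var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
 /var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
+/var/spool/at/atspool(/.*)? gen_context(system_u:object_r:user_cron_spool_log_t,s0)
 
 /var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
 #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)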
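diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if
index 5d1a48e..2b859e5 100644
--- a/policy/modules/contrib/cron.if
+++ b/policy/modules/contrib/cron.if
@@ -307,8 +307,11 @@ interface(`cron_admin_role',`
 interface(`cron_system_entry',`
 	gen_require(`
 		type crond_t, system_cronjob_t;
+		type user_cron_spool_log_t;
 	')
 
+	rw_files_pattern($1, user_cron_spool_log_t, user_cron_spool_log_t)
+
 	domtrans_pattern(system_cronjob_t, $2, $1)
 	domtrans_pattern(crond_t, $2, $1)
 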
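Review bot: `rw_files_pattern($1, user_cron_spool_log_t, user_cron_spool_log_t)` gives every domain entered through cron_system_entry read as well as write on all at job output files, while the commit message only motivates write access for capturing the job's output. If the daemon hands the output file to the job as an already-open descriptor, `allow $1 user_cron_spool_log_t:file write;` may be sufficient and would keep one job's domain from reading other users' captured output; confirm against the observed denials before narrowing. The interface's documentation block sits above this hunk and should record the new grant, e.g. `## Also grants write access to at(1) job output (user_cron_spool_log_t).` The interface body closes outside the hunk.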
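diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 2f67878..d4b839b 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -134,6 +134,11 @@ ifdef(`distro_gentoo',`
 	logging_syslog_managed_log_file(cron_log_t, "cron.log")
 ')
 
+type user_cron_spool_log_t;
+logging_log_file(user_cron_spool_log_t)
+ubac_constrained(user_cron_spool_log_t)
+mta_system_content(user_cron_spool_log_t)
+
 ifdef(`enable_mcs',`
 	init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
 ')
@@ -201,6 +206,7 @@ tunable_policy(`fcron_crond',`
 # Admin local policy
 #
 
+allow admin_crontab_t self:capability fsetid;
 allow admin_crontab_t crond_t:process signal;
 
 selinux_get_fs_mount(admin_crontab_t)
@@ -254,9 +260,11 @@ list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
 read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
 
 rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
 manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
 
+manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t)
+
 allow crond_t system_cronjob_t:process transition;
 allow crond_t system_cronjob_t:fd use;
 allow crond_t system_cronjob_t:key manage_key_perms;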
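Review bot: `manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)` in the third hunk widens crond_t from read to create, write and unlink on every file carrying user_cron_spool_t, while the commit message only motivates this for the at job scripts under /var/spool/at/atjobs. If other user cron spool files share this label (the full cron.fc is not visible here), the daemon can now rewrite or delete them rather than only read them; a dedicated type for the at job directory would keep the grant to what at(1) needs. At minimum the line deserves a why-comment, e.g. `# at(1) takes lock files on the job scripts and removes them once executed`, so the widened access is not later mistaken for an accidental upgrade.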