Date: Sun, 6 Jan 2019 13:43:41 +1100
From: Russell Coker
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] cron trivial
Message-ID: <20190106024341.GB17569@xev>

Here are the most trivial cron patches I have; I would like to get this in before discussing the more significant cron patches.

Index: refpolicy-2.20180701/policy/modules/services/cron.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/services/cron.te +++ refpolicy-2.20180701/policy/modules/services/cron.te @@ -339,6 +339,7 @@ ifdef(`distro_debian',` allow crond_t self:process setrlimit; optional_policy(` + apt_domtrans(system_cronjob_t) apt_manage_cache(system_cronjob_t) apt_read_db(system_cronjob_t) @@ -437,6 +438,7 @@ optional_policy(` ') optional_policy(` + init_dbus_chat(crond_t) systemd_dbus_chat_logind(system_cronjob_t) systemd_write_inherited_logind_sessions_pipes(system_cronjob_t) # so cron jobs can restart daemons @@ -459,7 +461,7 @@ allow system_cronjob_t self:fd use; allow system_cronjob_t self:fifo_file rw_fifo_file_perms; allow system_cronjob_t self:passwd rootok; -allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +allow system_cronjob_t cron_log_t:file manage_file_perms; logging_log_filetrans(system_cronjob_t, cron_log_t, file) allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms }; 
@@ -491,6 +493,11 @@ allow system_cronjob_t cron_spool_t:file allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms; +# popcon wants to stat /proc/kmsg and /proc/kcore +kernel_getattr_core_if(system_cronjob_t) +kernel_getattr_message_if(system_cronjob_t) + +kernel_read_crypto_sysctls(system_cronjob_t) kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_network_state(system_cronjob_t) kernel_read_system_state(system_cronjob_t) @@ -513,6 +520,8 @@ dev_getattr_all_blk_files(system_cronjob dev_getattr_all_chr_files(system_cronjob_t) dev_read_urand(system_cronjob_t) dev_read_sysfs(system_cronjob_t) +# for checkarray to write to sync_action +dev_rw_sysfs(system_cronjob_t) fs_getattr_all_fs(system_cronjob_t) fs_getattr_all_files(system_cronjob_t) @@ -535,6 +544,7 @@ files_read_var_files(system_cronjob_t) files_dontaudit_search_pids(system_cronjob_t) files_manage_generic_spool(system_cronjob_t) files_create_boot_flag(system_cronjob_t) +files_read_var_lib_symlinks(system_cronjob_t) mls_file_read_to_clearance(system_cronjob_t) Index: refpolicy-2.20180701/policy/modules/services/cron.fc =================================================================== --- refpolicy-2.20180701.orig/policy/modules/services/cron.fc +++ refpolicy-2.20180701/policy/modules/services/cron.fc @@ -26,6 +26,7 @@ /var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) /var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0) +/var/log/popularity-contest.* gen_context(system_u:object_r:cron_log_t,s0) /var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) /run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
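Review bot: apt_domtrans(system_cronjob_t) in the @@ -339 hunk is a larger grant than the adjacent apt_manage_cache/apt_read_db lines it is added above: it lets every system cron job execute apt with a transition into the apt domain, rather than only read and maintain apt's cache and database. Please name the Debian cron job that needs to run apt in the commit message and confirm that all of system_cronjob_t, not a dedicated domain for that job, is the intended subject; a one-line comment next to the call, as the other hunks in this patch do, would also help later review.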
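Review bot: init_dbus_chat(crond_t) in the @@ -437 hunk is placed inside an optional_policy block whose other rules are systemd_* interfaces for system_cronjob_t, so it has both a different subject (crond_t, not the cron job domain) and a different module from the block it is grouped with; if the block is conditional on the systemd module, an init rule does not belong there. Move it to the init grouping (or an unconditional rule if init is always present) and add a comment stating what crond_t itself needs to say to init over dbus, in the style of the existing "# so cron jobs can restart daemons" comment.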
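Review bot: the @@ -459 hunk is not trivial: replacing { append_file_perms create_file_perms setattr_file_perms } with manage_file_perms on cron_log_t adds write (not only append), unlink, rename and link, so any system cron job can now truncate, overwrite or delete the cron logs, which is exactly what the append-only rule was protecting. If one job needs to rewrite or rotate its own log (the /var/log/popularity-contest.* files labelled cron_log_t in the cron.fc hunk?), say so in the commit message and prefer a separate type or a narrower permission set for that file rather than loosening all of cron_log_t for all of system_cronjob_t.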
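Review bot: kernel_read_crypto_sysctls(system_cronjob_t) in the @@ -491 hunk has no justification, while the two getattr calls just above it carry "# popcon wants to stat /proc/kmsg and /proc/kcore"; add a comment naming the job that reads /proc/sys/crypto so the rule can be re-evaluated later. The inserted comment, two calls and blank line also split the existing run of kernel_* interfaces; keeping the new call sorted alongside kernel_read_kernel_sysctls and the others preserves the file's ordering.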
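Review bot: dev_rw_sysfs(system_cronjob_t) in the @@ -513 hunk grants read and write on the whole sysfs tree to every system cron job, far more than the single md sync_action attribute that the "# for checkarray to write to sync_action" comment names. A more targeted grant (a dedicated type for the md sysfs files, or running checkarray in its own domain) would keep cron jobs from being able to write anywhere under /sys. Also, dev_rw_sysfs covers the read access that dev_read_sysfs on the line above already gives, so if the write access stays the read call becomes redundant and one of the two should go.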
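Review bot: files_read_var_lib_symlinks(system_cronjob_t) in the @@ -535 hunk is uncommented; the other additions in this patch each say which job needs them (popcon, checkarray), so add the same for this one, naming the job that follows symlinks under /var/lib.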
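Review bot: the new /var/log/popularity-contest.* entry in cron.fc has no file-class specifier, whereas /var/log/rpmpkgs.* on the next line is restricted to regular files with "--"; if only regular log files are expected there, add "--" for consistency. Note also that labelling this log cron_log_t means it gets whatever access every system_cronjob_t has on cron_log_t, which is relevant to the manage_file_perms widening in the cron.te part of the same patch.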