Return-Path: <SRS0=BFOT=PO=vger.kernel.org=selinux-refpolicy-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=3.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_PASS,
	USER_AGENT_MUTT autolearn=ham autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id A80F3C43387
	for <selinux-refpolicy@archiver.kernel.org>; Sun,  6 Jan 2019 02:43:48 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 72B7E20836
	for <selinux-refpolicy@archiver.kernel.org>; Sun,  6 Jan 2019 02:43:48 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (1024-bit key) header.d=coker.com.au header.i=@coker.com.au header.b="Vn/MlwL6"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726378AbfAFCns (ORCPT
        <rfc822;selinux-refpolicy@archiver.kernel.org>);
        Sat, 5 Jan 2019 21:43:48 -0500
Received: from smtp.sws.net.au ([46.4.88.250]:39948 "EHLO smtp.sws.net.au"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726372AbfAFCns (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Sat, 5 Jan 2019 21:43:48 -0500
Received: from xev.coker.com.au (localhost [127.0.0.1])
        by smtp.sws.net.au (Postfix) with ESMTP id 3183DECBC
        for <selinux-refpolicy@vger.kernel.org>; Sun,  6 Jan 2019 13:43:46 +1100 (AEDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au;
        s=2008; t=1546742626;
        bh=saQ9PQMIhPSs5mhBxZs+kHEajr/5LwoSkTxT6VdTtUA=; l=3040;
        h=Date:From:To:Subject:From;
        b=Vn/MlwL6SANYHiJrJGhg+VDe+WOz24gR8cI/RJMhB4O1z9HN3gU1RW7S4AV6iozYD
         LJC+QLVI9oFjb7jqSoEP8yQAPZoNohD70QYcvWNUP/bX4OFtdPfGgyzStAiHdjDh90
         FVZLtynuSzlPOF/gl2uLBvf07RZiPjJm5Aez0g5g=
Received: by xev.coker.com.au (Postfix, from userid 1001)
        id 91122C3CF3C; Sun,  6 Jan 2019 13:43:41 +1100 (AEDT)
Date:   Sun, 6 Jan 2019 13:43:41 +1100
From:   Russell Coker <russell@coker.com.au>
To:     selinux-refpolicy@vger.kernel.org
Subject: [PATCH] cron trivial
Message-ID: <20190106024341.GB17569@xev>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Here are the most trivial cron patches I have, I would like to get this in
before discussing the more significant cron patches.


Index: refpolicy-2.20180701/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/cron.te
+++ refpolicy-2.20180701/policy/modules/services/cron.te
@@ -339,6 +339,7 @@ ifdef(`distro_debian',`
 	allow crond_t self:process setrlimit;
 
 	optional_policy(`
+		apt_domtrans(system_cronjob_t)
 		apt_manage_cache(system_cronjob_t)
 		apt_read_db(system_cronjob_t)
 
@@ -437,6 +438,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	init_dbus_chat(crond_t)
 	systemd_dbus_chat_logind(system_cronjob_t)
 	systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
 	# so cron jobs can restart daemons
@@ -459,7 +461,7 @@ allow system_cronjob_t self:fd use;
 allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
 allow system_cronjob_t self:passwd rootok;
 
-allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+allow system_cronjob_t cron_log_t:file manage_file_perms;
 logging_log_filetrans(system_cronjob_t, cron_log_t, file)
 
 allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
@@ -491,6 +493,11 @@ allow system_cronjob_t cron_spool_t:file
 
 allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms;
 
+# popcon wants to stat /proc/kmsg and /proc/kcore
+kernel_getattr_core_if(system_cronjob_t)
+kernel_getattr_message_if(system_cronjob_t)
+
+kernel_read_crypto_sysctls(system_cronjob_t)
 kernel_read_kernel_sysctls(system_cronjob_t)
 kernel_read_network_state(system_cronjob_t)
 kernel_read_system_state(system_cronjob_t)
@@ -513,6 +520,8 @@ dev_getattr_all_blk_files(system_cronjob
 dev_getattr_all_chr_files(system_cronjob_t)
 dev_read_urand(system_cronjob_t)
 dev_read_sysfs(system_cronjob_t)
+# for checkarray to write to sync_action
+dev_rw_sysfs(system_cronjob_t)
 
 fs_getattr_all_fs(system_cronjob_t)
 fs_getattr_all_files(system_cronjob_t)
@@ -535,6 +544,7 @@ files_read_var_files(system_cronjob_t)
 files_dontaudit_search_pids(system_cronjob_t)
 files_manage_generic_spool(system_cronjob_t)
 files_create_boot_flag(system_cronjob_t)
+files_read_var_lib_symlinks(system_cronjob_t)
 
 mls_file_read_to_clearance(system_cronjob_t)
 
Index: refpolicy-2.20180701/policy/modules/services/cron.fc
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/cron.fc
+++ refpolicy-2.20180701/policy/modules/services/cron.fc
@@ -26,6 +26,7 @@
 /var/lib/glpi/files(/.*)?	gen_context(system_u:object_r:cron_var_lib_t,s0)
 
 /var/log/cron.*	gen_context(system_u:object_r:cron_log_t,s0)
+/var/log/popularity-contest.*	gen_context(system_u:object_r:cron_log_t,s0)
 /var/log/rpmpkgs.*	--	gen_context(system_u:object_r:cron_log_t,s0)
 
 /run/anacron\.pid	--	gen_context(system_u:object_r:crond_var_run_t,s0)