Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.6 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_PASS, USER_AGENT_MUTT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id CC483C43387 for ; Mon, 7 Jan 2019 03:04:11 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 863B32085B for ; Mon, 7 Jan 2019 03:04:11 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=coker.com.au header.i=@coker.com.au header.b="AUDerw4T" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726298AbfAGDEL (ORCPT ); Sun, 6 Jan 2019 22:04:11 -0500 Received: from smtp.sws.net.au ([46.4.88.250]:50340 "EHLO smtp.sws.net.au" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726176AbfAGDEK (ORCPT ); Sun, 6 Jan 2019 22:04:10 -0500 Received: from xev.coker.com.au (localhost [127.0.0.1]) by smtp.sws.net.au (Postfix) with ESMTP id 64A84EC76 for ; Mon, 7 Jan 2019 14:04:08 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1546830249; bh=LGB1gnhFoF1XG8PxRwwMEzvMZmRwbirIVo+xhLW1CuQ=; l=4587; h=Date:From:To:Subject:From; b=AUDerw4THGoJxb4uLnNFJmwwTBZMh/O3iFmcgF2KnKe3RBqy+x50eHqx+23XbR7Um Je1Pxfuowm0MwnZbsWvQfkWpjlR0ctp/IsRPO6p4iVRRLCXU0uwLegt9i9JkWjgoFu okQdV+xylx346xviNi5rBPqPuBH7eJ7Kawsul8k4= Received: by xev.coker.com.au (Postfix, from userid 1001) id BFAFAC3DBCE; Mon, 7 Jan 2019 14:04:02 +1100 (AEDT) Date: Mon, 7 Jan 2019 14:04:02 +1100 
From: Russell Coker To: selinux-refpolicy@vger.kernel.org Subject: [PATCH cron 1/2] stem Message-ID: <20190107030402.GA29392@xev> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.10.1 (2018-07-13) Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org This patch makes the second parameter of cron_role the stem of the user domain (e.g. "user") instead of the full domain type (e.g. "user_t"); the interface appends "_t" itself. It is kept separate from the next patch to make the changes easier to review. Index: refpolicy-2.20180701/policy/modules/services/cron.if =================================================================== --- refpolicy-2.20180701.orig/policy/modules/services/cron.if +++ refpolicy-2.20180701/policy/modules/services/cron.if @@ -51,15 +51,16 @@ template(`cron_common_crontab_template', ## ## ## -## User domain for the role. +## stem of domain for the role. ## ## ## # interface(`cron_role',` gen_require(` - type cronjob_t, crontab_t, crontab_exec_t; - type user_cron_spool_t, crond_t; + type cronjob_t; + type crontab_exec_t, crond_t; + type crontab_t, user_cron_spool_t; bool cron_userdomain_transition; ') 
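Review bot: The new parameter description `## stem of domain for the role.` still does not tell a caller what to pass or how it is used; since the interface body now builds the domain as `$2_t`, the summary should say so, e.g. `## Prefix of the user domain, e.g. "user" for user_t; the interface appends _t itself.` The regrouping of the `gen_require` type declarations from two lines into three is unrelated to the parameter change and makes the hunk harder to review; it would be cleaner left as it was or split into its own patch. The body of cron_role continues in the following hunk.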
@@ -68,47 +69,48 @@ interface(`cron_role',` # Declarations # - role $1 types { cronjob_t crontab_t }; + role $1 types { cronjob_t }; + role $1 types { crontab_t }; ############################## # # Local policy # - domtrans_pattern($2, crontab_exec_t, crontab_t) + domtrans_pattern($2_t, crontab_exec_t, crontab_t) - dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; - allow $2 crond_t:process sigchld; + dontaudit crond_t $2_t:process { noatsecure siginh rlimitinh }; + allow $2_t crond_t:process sigchld; - allow $2 user_cron_spool_t:file { getattr read write ioctl }; + allow $2_t user_cron_spool_t:file { getattr read write ioctl }; - allow $2 crontab_t:process { ptrace signal_perms }; - ps_process_pattern($2, crontab_t) + allow $2_t crontab_t:process { ptrace signal_perms }; + ps_process_pattern($2_t, crontab_t) corecmd_exec_bin(crontab_t) corecmd_exec_shell(crontab_t) tunable_policy(`cron_userdomain_transition',` - allow crond_t $2:process transition; - allow crond_t $2:fd use; - allow crond_t $2:key manage_key_perms; + allow crond_t $2_t:process transition; + allow crond_t $2_t:fd use; + allow crond_t $2_t:key manage_key_perms; - allow $2 user_cron_spool_t:file entrypoint; + allow $2_t user_cron_spool_t:file entrypoint; - allow $2 crond_t:fifo_file rw_fifo_file_perms; + allow $2_t crond_t:fifo_file rw_fifo_file_perms; - allow $2 cronjob_t:process { ptrace signal_perms }; - ps_process_pattern($2, cronjob_t) + allow $2_t cronjob_t:process { ptrace signal_perms }; + ps_process_pattern($2_t, cronjob_t) ',` - dontaudit crond_t $2:process transition; - dontaudit crond_t $2:fd use; - dontaudit crond_t $2:key manage_key_perms; + dontaudit crond_t $2_t:process transition; + dontaudit crond_t $2_t:fd use; + dontaudit crond_t $2_t:key manage_key_perms; - dontaudit $2 user_cron_spool_t:file entrypoint; + dontaudit $2_t user_cron_spool_t:file entrypoint; - dontaudit $2 crond_t:fifo_file rw_fifo_file_perms; + dontaudit $2_t crond_t:fifo_file rw_fifo_file_perms; - 
dontaudit $2 cronjob_t:process { ptrace signal_perms }; + dontaudit $2_t cronjob_t:process { ptrace signal_perms }; ') optional_policy(` @@ -118,7 +120,7 @@ interface(`cron_role',` dbus_stub(cronjob_t) - allow cronjob_t $2:dbus send_msg; + allow cronjob_t $2_t:dbus send_msg; ') ') Index: refpolicy-2.20180701/policy/modules/roles/staff.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/roles/staff.te +++ refpolicy-2.20180701/policy/modules/roles/staff.te @@ -82,7 +82,7 @@ ifndef(`distro_redhat',` ') optional_policy(` - cron_role(staff_r, staff_t) + cron_role(staff_r, staff) ') optional_policy(` Index: refpolicy-2.20180701/policy/modules/roles/unprivuser.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/roles/unprivuser.te +++ refpolicy-2.20180701/policy/modules/roles/unprivuser.te @@ -50,7 +50,7 @@ ifndef(`distro_redhat',` ') optional_policy(` - cron_role(user_r, user_t) + cron_role(user_r, user) ') optional_policy(` Index: refpolicy-2.20180701/policy/modules/system/unconfined.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/system/unconfined.te +++ refpolicy-2.20180701/policy/modules/system/unconfined.te @@ -82,7 +82,7 @@ optional_policy(` ') optional_policy(` - cron_unconfined_role(unconfined_r, unconfined_t) + cron_role(unconfined_r, unconfined) ') optional_policy(`
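Review bot: Deriving the domain as `$2_t` means cron_role can no longer be called with a domain type or attribute — a caller still passing `user_t` would expand to the undeclared `user_t_t` and fail the policy build, and a caller passing an attribute has no equivalent at all. Only staff.te, unprivuser.te and unconfined.te are updated in this patch; any other caller of cron_role, in-tree or in out-of-tree modules, presumably breaks, so that should be stated in the commit message and in the interface's `## <desc>` block. Splitting `role $1 types { cronjob_t crontab_t };` into two `role` statements changes nothing and only adds a line; keeping the single statement `role $1 types { cronjob_t crontab_t };` would be cleaner.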
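Review bot: The unconfined.te hunk replaces `cron_unconfined_role(unconfined_r, unconfined_t)` with `cron_role(unconfined_r, unconfined)`, which swaps the interface rather than just the parameter form, and the description says this patch only changes the parameter to the stem. From the cron.if hunks above, cron_role puts the role's crontab into `crontab_t` and gates the crond_t transition into `unconfined_t` behind `cron_userdomain_transition`, so the domains allowed to unconfined_r for crontab editing and cron jobs presumably differ from what cron_unconfined_role granted; the old and new allow sets should be compared and the difference stated. If the swap is intended it belongs in the follow-up patch, or at least in the commit message, e.g. `Also switch unconfined_r from cron_unconfined_role to cron_role.`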