Subject: Re: [PATCH cron 2/2] user_crontab_t etc
To: Russell Coker ,
selinux-refpolicy@vger.kernel.org
References: <20190107031005.GA13945@aaa.coker.com.au>
From: Chris PeBenito
Message-ID:
Date: Mon, 7 Jan 2019 18:47:27 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
Thunderbird/60.3.0
MIME-Version: 1.0
In-Reply-To: <20190107031005.GA13945@aaa.coker.com.au>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: selinux-refpolicy@vger.kernel.org
On 1/6/19 10:10 PM, Russell Coker wrote:
> This patch adds a $1_crontab_t domain and makes it a compile option for
What is the goal for reintroducing a crontab domain per-user-domain?
> having a $1_cronjob_t domain.
>
> I anticipate that even if this patch is accepted later on there will be some
> changes required. Please review this not for inclusion immediately but for
> changes necessary. However the previous patch is good to go if you like the
> concept.
I'm not keen on this. The current policy is intended to make it easy to
decide if you want to use a *_cronjob_t domain or simply transition to
the user's domain by tweaking the default_contexts.
> Index: refpolicy-2.20180701/policy/modules/services/cron.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/cron.if
> +++ refpolicy-2.20180701/policy/modules/services/cron.if
> @@ -21,23 +21,33 @@ template(`cron_common_crontab_template',
> # Declarations
> #
>
> - type $1_t, crontab_domain;
> - userdom_user_application_domain($1_t, crontab_exec_t)
> + type $1_crontab_t, crontab_domain;
> + userdom_user_application_domain($1_crontab_t, crontab_exec_t)
>
> - type $1_tmp_t;
> - userdom_user_tmp_file($1_tmp_t)
> + type $1_crontab_tmp_t;
> + userdom_user_tmp_file($1_crontab_tmp_t)
> +
> + type $1_cron_spool_t, cron_spool_type;
>
> ##############################
> #
> # Local policy
> #
>
> - manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
> - manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
> - files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
> + manage_dirs_pattern($1_crontab_t, $1_crontab_tmp_t, $1_crontab_tmp_t)
> + manage_files_pattern($1_crontab_t, $1_crontab_tmp_t, $1_crontab_tmp_t)
> + files_tmp_filetrans($1_crontab_t, $1_crontab_tmp_t, { dir file })
> +
> + auth_domtrans_chk_passwd($1_crontab_t)
> + auth_use_nsswitch($1_crontab_t)
> + allow $1_crontab_t self:capability fsetid;
> +
> + files_type($1_cron_spool_t)
> + ubac_constrained($1_cron_spool_t)
> + mta_system_content($1_cron_spool_t)
>
> - auth_domtrans_chk_passwd($1_t)
> - auth_use_nsswitch($1_t)
> + manage_files_pattern($1_crontab_t, { cron_spool_t user_cron_spool_t }, $1_cron_spool_t)
> + filetrans_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t, file)
> ')
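Review bot: `allow $1_crontab_t self:capability fsetid;` after `auth_use_nsswitch($1_crontab_t)` is a new capability grant rather than part of the rename — none of the removed `$1_t` lines carried fsetid — so every per-prefix crontab domain gains it without the commit message naming the denial it addresses; it should be justified with a comment or moved to its own patch. `manage_files_pattern($1_crontab_t, { cron_spool_t user_cron_spool_t }, $1_cron_spool_t)` keeps a hard-coded `user_cron_spool_t` inside a template that is now instantiated once per prefix, so the template silently depends on `cron_common_crontab_template(user)` having been invoked (the standalone declaration of that type is dropped in cron.te below) and every other prefix's crontab domain gets manage rights under the user spool type; if that cross-prefix access is intended it deserves a comment, otherwise the type should probably be `$1_cron_spool_t` or the generic `cron_spool_t` only. `mta_system_content($1_cron_spool_t)` has no counterpart among the removed `user_cron_spool_t` lines in cron.te, so if it is new to this patch a one-line comment saying why the mail system needs that access would help the next reader.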
>
> ########################################
> @@ -58,9 +68,11 @@ template(`cron_common_crontab_template',
> #
> interface(`cron_role',`
> gen_require(`
> +ifdef(`cronjob_domain', `
> type cronjob_t;
> +')
> type crontab_exec_t, crond_t;
> - type crontab_t, user_cron_spool_t;
> + type $2_crontab_t, $2_cron_spool_t;
> bool cron_userdomain_transition;
> ')
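Review bot: `bool cron_userdomain_transition;` in this gen_require stays unconditional, while the cron.te hunk below now declares the tunable only inside `ifndef(`cronjob_domain', ...)`, so a build with cronjob_domain defined should fail the require for every cron_role caller; either guard the require the same way, `ifndef(`cronjob_domain', ` bool cron_userdomain_transition; ')`, or keep the declaration unconditional. The new `type $2_crontab_t, $2_cron_spool_t;` also means cron_role can only be called with a prefix for which `cron_common_crontab_template` was instantiated (cron.te below instantiates sysadm, user, staff and unconfined); that precondition should be stated in the interface's `##` parameter description for `$2`. The two `ifdef`/`')` lines sit at column 0 inside the indented gen_require block, which breaks the file's indentation style.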
>
> @@ -69,60 +81,51 @@ interface(`cron_role',`
> # Declarations
> #
>
> +ifdef(`cronjob_domain', `
> role $1 types { cronjob_t };
> - role $1 types { crontab_t };
> +')
> + role $1 types { $2_crontab_t };
>
> ##############################
> #
> # Local policy
> #
>
> - domtrans_pattern($2_t, crontab_exec_t, crontab_t)
> + domtrans_pattern($2_t, crontab_exec_t, $2_crontab_t)
>
> dontaudit crond_t $2_t:process { noatsecure siginh rlimitinh };
> allow $2_t crond_t:process sigchld;
>
> - allow $2_t user_cron_spool_t:file { getattr read write ioctl };
> + allow $2_t $2_cron_spool_t:file { getattr read write ioctl };
>
> - allow $2_t crontab_t:process { ptrace signal_perms };
> - ps_process_pattern($2_t, crontab_t)
> + allow $2_t $2_crontab_t:process { ptrace signal_perms };
> + ps_process_pattern($2_t, $2_crontab_t)
>
> - corecmd_exec_bin(crontab_t)
> - corecmd_exec_shell(crontab_t)
> + corecmd_exec_bin($2_crontab_t)
> + corecmd_exec_shell($2_crontab_t)
>
> +ifndef(`cronjob_domain', `
> tunable_policy(`cron_userdomain_transition',`
> +')
> allow crond_t $2_t:process transition;
> allow crond_t $2_t:fd use;
> allow crond_t $2_t:key manage_key_perms;
>
> - allow $2_t user_cron_spool_t:file entrypoint;
> + allow $2_t $2_cron_spool_t:file entrypoint;
>
> allow $2_t crond_t:fifo_file rw_fifo_file_perms;
> -
> - allow $2_t cronjob_t:process { ptrace signal_perms };
> - ps_process_pattern($2_t, cronjob_t)
> +ifndef(`cronjob_domain', `
> ',`
> dontaudit crond_t $2_t:process transition;
> dontaudit crond_t $2_t:fd use;
> dontaudit crond_t $2_t:key manage_key_perms;
>
> - dontaudit $2_t user_cron_spool_t:file entrypoint;
> + dontaudit $2_t $2_cron_spool_t:file entrypoint;
>
> dontaudit $2_t crond_t:fifo_file rw_fifo_file_perms;
> -
> - dontaudit $2_t cronjob_t:process { ptrace signal_perms };
> - ')
> -
> - optional_policy(`
> - gen_require(`
> - class dbus send_msg;
> - ')
> -
> - dbus_stub(cronjob_t)
> -
> - allow cronjob_t $2_t:dbus send_msg;
> ')
> ')
> +')
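Review bot: The `allow $2_t cronjob_t:process { ptrace signal_perms };`, `ps_process_pattern($2_t, cronjob_t)` and the dbus `send_msg` block are removed unconditionally, so they are lost even in the build where cronjob_domain is defined and cronjob_t still exists; that is a behaviour change the commit message does not mention and looks like it should be kept under an `ifdef(`cronjob_domain', ...)`. The two `ifndef(`cronjob_domain', ...)` wrappers also split the `tunable_policy(`cron_userdomain_transition',` opening and its `',`` / `')` closings across separate macro calls, with a further trailing `')`, so what m4 emits in each build depends on quote-depth accounting across those calls and is very hard to verify by reading; I could not convince myself it expands to balanced text when cronjob_domain is defined. Restructuring so that each branch holds a complete, self-balanced block would make the intent checkable, along the lines of the sketch below (the content of the cronjob_domain branch is for the author to confirm).
```m4
	ifndef(`cronjob_domain', `
		tunable_policy(`cron_userdomain_transition',`
			# … unchanged: allow crond_t $2_t transition/fd/key, $2_cron_spool_t entrypoint, fifo rules …
		',`
			# … unchanged: the matching dontaudit rules …
		')
	',`
		# rules for the cronjob_domain build go here (intended content to be confirmed by the author)
	')
```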
>
> ########################################
> ##
> @@ -139,6 +142,7 @@ interface(`cron_role',`
> ##
> ##
> #
> +ifdef(`cronjob_domain', `
> interface(`cron_unconfined_role',`
> gen_require(`
> type unconfined_cronjob_t, crontab_t, crontab_exec_t;
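Review bot: Wrapping the entire `interface(`cron_unconfined_role',` definition in `ifdef(`cronjob_domain', `` leaves the interface undefined in builds without cronjob_domain, so any module that still calls `cron_unconfined_role(...)` would see an unexpanded macro call unless that caller is guarded identically; defining the interface unconditionally and placing the `ifdef` around its body keeps callers compiling in both builds. The interface body continues in the next hunk, where the closing `+')` is added. Its gen_require still names `crontab_t`, which after the cron.te changes is only an alias of `user_crontab_t`, so it may be worth stating in the `##` description that this interface is only meaningful when cronjob_domain is defined.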
> @@ -204,6 +208,7 @@ interface(`cron_unconfined_role',`
> allow unconfined_cronjob_t $2:dbus send_msg;
> ')
> ')
> +')
>
> ########################################
> ##
> Index: refpolicy-2.20180701/policy/modules/services/cron.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/cron.te
> +++ refpolicy-2.20180701/policy/modules/services/cron.te
> @@ -25,7 +25,9 @@ gen_tunable(cron_can_relabel, false)
> ## the generic cronjob domain.
> ##
> ##
> -gen_tunable(cron_userdomain_transition, false)
> +ifndef(`cronjob_domain', `
> +gen_tunable(cron_userdomain_transition, true)
> +')
>
> ##
> ##
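Review bot: The default of `cron_userdomain_transition` changes from false to true, so by default crond now transitions cron jobs into the caller's full user domain instead of a separate job domain; that widens what a user crontab entry can reach out of the box and should be stated explicitly in the commit message rather than folded into the rename. The `## <desc>` text above this tunable (context lines ending in "the generic cronjob domain.") still describes the choice against the generic cronjob domain, which does not exist in the build where the tunable is now declared, so the description needs rewording to match. Note also that cron.if's cron_role still requires `bool cron_userdomain_transition;` unconditionally, which this `ifndef` guard no longer satisfies when cronjob_domain is defined.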
> @@ -83,15 +85,16 @@ files_pid_file(crond_var_run_t)
> type crontab_exec_t;
> application_executable_file(crontab_exec_t)
>
> -cron_common_crontab_template(admin_crontab)
> -typealias admin_crontab_t alias sysadm_crontab_t;
> -typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t;
> -
> -cron_common_crontab_template(crontab)
> -typealias crontab_t alias { user_crontab_t staff_crontab_t };
> -typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
> -typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
> -typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
> +cron_common_crontab_template(sysadm)
> +typealias sysadm_crontab_t alias admin_crontab_t;
> +typealias sysadm_crontab_tmp_t alias admin_crontab_tmp_t;
> +
> +cron_common_crontab_template(user)
> +cron_common_crontab_template(staff)
> +cron_common_crontab_template(unconfined)
> +typealias user_crontab_t alias { crontab_t };
> +typealias sysadm_crontab_t alias { auditadm_crontab_t secadm_crontab_t };
> +typealias sysadm_crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
>
> type system_cron_spool_t, cron_spool_type;
> files_type(system_cron_spool_t)
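Review bot: `typealias user_crontab_t alias { crontab_t };` narrows `crontab_t` to the user prefix only, whereas the removed lines made it an alias for user, staff, auditadm and secadm; any rule or file-context entry elsewhere that names `crontab_t` now covers only user_crontab_t, and staff gets a distinct type while auditadm/secadm are folded into sysadm. That asymmetry (staff separate, auditadm/secadm aliased to sysadm) deserves a short comment, e.g. `# auditadm/secadm share the sysadm crontab domain; staff gets its own`. Since the old `user_cron_spool_t` was also the alias for the staff, sysadm and unconfined spool types, crontab files already on disk for those users presumably keep the old label after upgrade and will need a relabel before the new per-prefix types take effect; the commit message should say so.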
> @@ -113,11 +116,7 @@ files_type(system_cronjob_var_lib_t)
> type system_cronjob_var_run_t;
> files_pid_file(system_cronjob_var_run_t)
>
> -type user_cron_spool_t, cron_spool_type;
> -typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
> -typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
> -files_type(user_cron_spool_t)
> -ubac_constrained(user_cron_spool_t)
> +typealias sysadm_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
>
> type user_cron_spool_log_t;
> logging_log_file(user_cron_spool_log_t)
> @@ -145,9 +144,6 @@ allow crontab_domain self:capability { c
> allow crontab_domain self:process { getcap setsched signal_perms };
> allow crontab_domain self:fifo_file rw_fifo_file_perms;
>
> -manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
> -filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
> -
> allow crontab_domain cron_spool_t:dir setattr_dir_perms;
>
> allow crontab_domain crond_t:process signal;
> @@ -216,8 +212,8 @@ tunable_policy(`fcron_crond',`
> # Daemon local policy
> #
>
> -allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice };
> -dontaudit crond_t self:capability { sys_resource sys_tty_config };
> +allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice sys_resource };
> +dontaudit crond_t self:capability { sys_tty_config };
>
> allow crond_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
> allow crond_t self:fd use;
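Review bot: Moving `sys_resource` from the dontaudit line into `allow crond_t self:capability { ... sys_resource }` grants crond a capability that was previously deliberately silenced, and it is unrelated to the per-user crontab rework this patch is about; the commit message does not say which operation needs it. sys_resource is a broad capability (overriding resource limits among other things), so this should be split into its own patch with the observed denial and a comment above the allow line stating the reason, e.g. `# crond needs sys_resource to <reason to be supplied by author>`.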
> @@ -231,6 +227,7 @@ allow crond_t self:msg { send receive };
> allow crond_t self:key { search write link };
> dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
>
> +allow crond_t cron_spool_type:file read_file_perms;
> allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
> logging_log_filetrans(crond_t, cron_log_t, file)
>
>
--
Chris PeBenito