From: Jason Zaman
To: selinux-refpolicy@vger.kernel.org
Cc: Jason Zaman
Subject: [PATCH 04/10] cron: watch cron spool
Date: Sun, 16 Feb 2020 16:54:16 +0800
Message-Id: <20200216085422.36530-4-jason@perfinion.com>
In-Reply-To: <20200216085422.36530-1-jason@perfinion.com>
References: <20200216085422.36530-1-jason@perfinion.com>
X-Mailing-List: selinux-refpolicy@vger.kernel.org
From: Jason Zaman avc: denied { watch } for pid=7402 comm="crond" path="/var/spool/cron/crontabs" dev="zfs" ino=7627 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_spool_t:s0 tclass=dir permissive=0 avc: denied { watch } for pid=7402 comm="crond" path="/etc/cron.d" dev="zfs" ino=60131 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=dir permissive=0 avc: denied { watch } for pid=7402 comm="crond" path="/etc/crontab" dev="zfs" ino=1749860 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file permissive=0 --- policy/modules/services/cron.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te index 46b64016..dbbd9dbf 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -228,6 +228,7 @@ manage_files_pattern(crond_t, crond_runtime_t, crond_runtime_t) files_pid_filetrans(crond_t, crond_runtime_t, file) manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) +allow crond_t cron_spool_t:dir watch; manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t) manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t) @@ -235,10 +236,13 @@ files_tmp_filetrans(crond_t, crond_tmp_t, { dir file }) list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) +allow crond_t system_cron_spool_t:dir watch; +allow crond_t system_cron_spool_t:file watch; rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) +allow crond_t user_cron_spool_t:dir watch; manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t) -- 2.24.1
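Review bot: in the first hunk (@@ -228,6 +228,7 @@), `allow crond_t cron_spool_t:dir watch;` matches the first AVC in the commit message exactly (tclass=dir, tcontext cron_spool_t, path /var/spool/cron/crontabs) and no file-class denial is listed for cron_spool_t, so restricting it to dir is the right scope; since the line above already uses `manage_files_pattern` for this type pair, it is worth checking whether a watch-capable pattern exists in the policy's support macros before hand-writing the same raw `allow` here and again in the next hunk.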
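Review bot: in the second hunk (@@ -235,10 +236,13 @@), the trailing `allow crond_t user_cron_spool_t:dir watch;` has no matching AVC in the commit message, which lists denials only for cron_spool_t and system_cron_spool_t; either add the denial that motivated it or state in the commit message that crond watches the user spool directory in the same way, so the rule is not an unexplained widening. The two system_cron_spool_t rules (dir and file, backed by the /etc/cron.d and /etc/crontab denials) could also be collapsed into one line: `allow crond_t system_cron_spool_t:{ dir file } watch;`.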