From: Jason Zaman
To: selinux-refpolicy@vger.kernel.org
Cc: Jason Zaman
Subject: [PATCH 04/10] cron: watch cron spool
Date: Mon, 17 Feb 2020 04:03:13 +0800
Message-Id: <20200216200319.39337-4-jason@perfinion.com>
X-Mailer: git-send-email 2.24.1
In-Reply-To: <20200216200319.39337-1-jason@perfinion.com>
References: <20200216200319.39337-1-jason@perfinion.com>

avc: denied { watch } for pid=7402 comm="crond" path="/var/spool/cron/crontabs" dev="zfs" ino=7627 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_spool_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=7402 comm="crond" path="/etc/cron.d" dev="zfs" ino=60131 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=7402 comm="crond" path="/etc/crontab" dev="zfs" ino=1749860 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file permissive=0
Signed-off-by: Jason Zaman --- policy/modules/services/cron.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te index 46b64016..dbbd9dbf 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -228,6 +228,7 @@ manage_files_pattern(crond_t, crond_runtime_t, crond_runtime_t) files_pid_filetrans(crond_t, crond_runtime_t, file) manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) +allow crond_t cron_spool_t:dir watch; manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t) manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t) @@ -235,10 +236,13 @@ files_tmp_filetrans(crond_t, crond_tmp_t, { dir file }) list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) +allow crond_t system_cron_spool_t:dir watch; +allow crond_t system_cron_spool_t:file watch; rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) +allow crond_t user_cron_spool_t:dir watch; manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t) -- 2.24.1
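Review bot: the added rule "allow crond_t user_cron_spool_t:dir watch;" in the second hunk (after the user_cron_spool_t manage_lnk_files_pattern line) is not backed by any of the three AVC denials quoted in the commit message; those denials cover cron_spool_t:dir, system_cron_spool_t:dir and system_cron_spool_t:file, and each of them maps one-to-one onto the other three added allow lines. Either quote the denial for the user crontab directory as well, or say in the commit message that this fourth rule is added pre-emptively so that crond_t can watch every spool type it already reads, so a reviewer can tell the extra grant was intended rather than a copy-paste leftover.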