2017-04-20 01:00:30

by guido

Subject: [refpolicy] [PATCH 5/33] cron: curb on userdom permissions

This patch curbs the userdomain file read and/or write permissions
granted by the cron daemon module.

It aims to ensure user data confidentiality.

A boolean has been introduced to revert the previous read/write
behavior.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/cron.te | 55 ++++++++++++++++++++++++++++++++---------
1 file changed, 43 insertions(+), 12 deletions(-)

--- refpolicy-2.20170204-orig/policy/modules/contrib/cron.te 2017-02-04 19:30:41.000000000 +0100
+++ refpolicy-2.20170204/policy/modules/contrib/cron.te 2017-04-20 00:36:45.796443885 +0200
@@ -19,6 +19,15 @@ gen_require(`
gen_tunable(cron_can_relabel, false)

## <desc>
+## <p>
+## Determine whether cron can
+## manage the user home directories
+## and files.
+## </p>
+## </desc>
+gen_tunable(cron_enable_home_dirs, false)
+
+## <desc>
## <p>
## Determine whether crond can execute jobs
## in the user domain as opposed to the
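Review bot: The new tunable description says only that cron can "manage" user home directories and files, but in the later hunks the same boolean also gates crontab_domain reading home content, crond_t listing home directories and cronjob_t executing home content, and it defaults to false, so a stock install loses access it previously had. The `<p>` text should state the full scope and the default, e.g. `Determine whether cron, crontab and user cron jobs can read, execute and manage user home directories and files. Off by default; jobs that access files under the home directory are denied unless this is enabled.`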
@@ -184,8 +193,14 @@ seutil_read_config(crontab_domain)
userdom_manage_user_tmp_dirs(crontab_domain)
userdom_manage_user_tmp_files(crontab_domain)
userdom_use_user_terminals(crontab_domain)
-userdom_read_user_home_content_files(crontab_domain)
-userdom_read_user_home_content_symlinks(crontab_domain)
+
+tunable_policy(`cron_enable_home_dirs',`
+ userdom_read_user_home_content_files(crontab_domain)
+ userdom_read_user_home_content_symlinks(crontab_domain)
+',`
+ userdom_dontaudit_read_user_home_content_files(crontab_domain)
+ # FIXME: add dontaudit user_home_content symlinks
+')

tunable_policy(`fcron_crond',`
dontaudit crontab_domain crond_t:process signal;
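Review bot: The else branch silences file reads but leaves the FIXME for symlinks, so with the boolean off (the default) a crontab read that goes through a symlink in a home directory is still audited while the plain file read is not; a half-silenced path is harder to triage than either fully audited or fully dontaudited. Either add the matching symlink dontaudit once the userdom module provides such an interface, or drop `userdom_dontaudit_read_user_home_content_files(crontab_domain)` too so the denials stay visible and consistent. It is also worth confirming that installing a crontab from a file under the user's home still works with the default, since the off branch keeps no read access at all; if it does not, the tunable description should say so.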
@@ -318,7 +333,9 @@ seutil_read_default_contexts(crond_t)

miscfiles_read_localization(crond_t)

-userdom_list_user_home_dirs(crond_t)
+tunable_policy(`cron_enable_home_dirs',`
+ userdom_list_user_home_dirs(crond_t)
+')

tunable_policy(`cron_userdomain_transition',`
dontaudit crond_t cronjob_t:process transition;
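Review bot: Unlike the crontab_domain hunk above, the off branch here has no dontaudit counterpart, so when cron_enable_home_dirs is false (the default) crond_t's list/search of user home directories is both denied and audited. If crond changes into the user's home directory before running a job (not visible in this hunk), that is a functional failure rather than log noise and should be confirmed before the boolean defaults to false; otherwise add an else branch calling the userdom dontaudit interface for listing user home directories, e.g. `userdom_dontaudit_list_user_home_dirs(crond_t)`, if the userdom module provides it.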
@@ -544,6 +561,10 @@ tunable_policy(`cron_can_relabel',`
seutil_read_file_contexts(system_cronjob_t)
')

+tunable_policy(`cron_enable_home_dirs',`
+ userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
+')
+
optional_policy(`
apache_exec_modules(system_cronjob_t)
apache_read_config(system_cronjob_t)
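Review bot: Moving the user_home_dir file transition under cron_enable_home_dirs removes only the type transition, not necessarily the ability to create the files: if system_cronjob_t keeps create/write access to user home directories elsewhere in the file (not visible in this hunk), then with the boolean off a file created by a system cron job in a home directory inherits the directory's type instead of the user home content type, which is a labeling regression rather than a restriction. Worth confirming that the underlying create permission is gated by the same boolean, or else keeping the filetrans rule unconditional, since a filetrans without the create permission grants nothing by itself. The deleted optional_policy block in the next hunk is the other half of this move.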
@@ -620,10 +641,6 @@ optional_policy(`
sysstat_manage_log(system_cronjob_t)
')

-optional_policy(`
- userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
-')
-
########################################
#
# Cronjob local policy
@@ -680,11 +697,25 @@ userdom_manage_user_tmp_files(cronjob_t)
userdom_manage_user_tmp_symlinks(cronjob_t)
userdom_manage_user_tmp_pipes(cronjob_t)
userdom_manage_user_tmp_sockets(cronjob_t)
-userdom_exec_user_home_content_files(cronjob_t)
-userdom_manage_user_home_content_files(cronjob_t)
-userdom_manage_user_home_content_symlinks(cronjob_t)
-userdom_manage_user_home_content_pipes(cronjob_t)
-userdom_manage_user_home_content_sockets(cronjob_t)
+
+tunable_policy(`cron_enable_home_dirs',`
+ userdom_exec_user_home_content_files(cronjob_t)
+ userdom_manage_user_home_content_files(cronjob_t)
+ userdom_manage_user_home_content_pipes(cronjob_t)
+ userdom_manage_user_home_content_sockets(cronjob_t)
+ userdom_manage_user_home_content_symlinks(cronjob_t)
+',`
+ userdom_dontaudit_exec_user_home_content_files(cronjob_t)
+ userdom_dontaudit_manage_user_home_content_files(cronjob_t)
+')
+
+tunable_policy(`cron_enable_home_dirs && use_nfs_home_dirs',`
+ fs_exec_nfs_files(cronjob_t)
+')
+
+tunable_policy(`cron_enable_home_dirs && use_samba_home_dirs',`
+ fs_exec_cifs_files(cronjob_t)
+')

tunable_policy(`cron_userdomain_transition',`
dontaudit cronjob_t crond_t:fd use;
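Review bot: The off branch dontaudits only exec and manage of home content files, while the on branch also grants pipes, sockets and symlinks, so with the default of false a user cron job touching a symlink, fifo or socket under its home is still audited while file access is silenced; the off branch should cover the same object classes where the userdom module provides dontaudit interfaces, or audit all of them. The two new compound tunables gate only `fs_exec_nfs_files(cronjob_t)` and `fs_exec_cifs_files(cronjob_t)`; if the existing use_nfs_home_dirs/use_samba_home_dirs blocks for cronjob_t (outside this hunk) still grant read and manage access unconditionally, NFS and CIFS homes stay readable with the boolean off, which defeats the stated confidentiality goal for exactly those setups. Since cron_enable_home_dirs defaults to false, this hunk also removes home-directory access from every user cron job on a stock install; that is a deliberate trade-off but deserves a comment above the block, e.g. `# User jobs only get home directory access when cron_enable_home_dirs is set (off by default).`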