From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sat, 10 Nov 2012 17:50:18 +0100
Subject: [refpolicy] [PATCH 5/5] Support at service
In-Reply-To: <1352566218-17772-1-git-send-email-sven.vermeulen@siphos.be>
References: <1352566218-17772-1-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1352566218-17772-6-git-send-email-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The at daemon allows users and system administrators to define tasks to be executed once at a particular time. The at service captures the current session's environment and stores it as part of the task to be executed. When run, at "locks" the job (in the /var/spool/at/atjobs location) and executes it, capturing its output in the /var/spool/at/atspool location.

Because of this log output capturing, it doesn't make sense to keep the atspool location as user_cron_spool_t as any service run through at needs to be able to write to this location, and we don't want such services to have write access to the user_cron_spool_t type. Hence we introduce the user_cron_spool_log_t type for the logging output, allow it to be read by the system mailer (as it is invoked to send the resulting output) and written by any service that is allowed to be called by cron (through cron_system_entry).

Signed-off-by: Sven Vermeulen
---
 cron.fc |  1 +
 cron.if |  3 +++
 cron.te | 10 +++++++++-
 3 files changed, 13 insertions(+), 1 deletions(-)

diff --git a/cron.fc b/cron.fc index c542ac1..a7bfe6d 100644 --- a/cron.fc +++ b/cron.fc @@ -27,6 +27,7 @@ /var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0) +/var/spool/at/atspool(/.*)? gen_context(system_u:object_r:user_cron_spool_log_t,s0) /var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0) #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) diff --git a/cron.if b/cron.if index 760180c..99c9503 100644 
--- a/cron.if +++ b/cron.if @@ -307,8 +307,11 @@ interface(`cron_admin_role',` interface(`cron_system_entry',` gen_require(` type crond_t, system_cronjob_t; + type user_cron_spool_log_t; ') + rw_files_pattern($1, user_cron_spool_log_t, user_cron_spool_log_t) + domtrans_pattern(system_cronjob_t, $2, $1) domtrans_pattern(crond_t, $2, $1) diff --git a/cron.te b/cron.te index fb3adc6..3a3d0f6 100644 --- a/cron.te +++ b/cron.te @@ -121,6 +121,11 @@ files_type(user_cron_spool_t) ubac_constrained(user_cron_spool_t) mta_system_content(user_cron_spool_t) +type user_cron_spool_log_t; +logging_log_file(user_cron_spool_log_t) +ubac_constrained(user_cron_spool_log_t) +mta_system_content(user_cron_spool_log_t) + ifdef(`enable_mcs',` init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh) ') @@ -188,6 +193,7 @@ tunable_policy(`fcron_crond',` # Admin local policy # +allow admin_crontab_t self:capability fsetid; allow admin_crontab_t crond_t:process signal; selinux_get_fs_mount(admin_crontab_t) @@ -237,9 +243,11 @@ list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) -read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) +manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) +manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t) + allow crond_t system_cronjob_t:process transition; allow crond_t system_cronjob_t:fd use; allow crond_t system_cronjob_t:key manage_key_perms; -- 1.7.8.6
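Review bot: in the cron.if hunk, rw_files_pattern($1, user_cron_spool_log_t, user_cron_spool_log_t) inside cron_system_entry grants every domain that uses this interface read access as well as write access to the at output spool, while the commit message only asks for write access so that the job can capture its output. Unless a job needs to read its own captured output back, write_files_pattern or append_files_pattern would be the narrower choice and would stop one cron-callable service from reading the captured output of other jobs (ubac_constrained only separates users when UBAC is enabled). The hunk also adds a new file permission to every existing caller of cron_system_entry without touching the interface's description; the interface documentation should state that the caller gains write access to user_cron_spool_log_t.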
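Review bot: in the first cron.te hunk, logging_log_file(user_cron_spool_log_t) puts the at output spool into the logfile attribute, so every domain with blanket log access (logging_read_all_logs, logging_manage_all_logs and similar) can now read or manage captured job output, even though /var/spool/at/atspool is not a log directory and the commit message describes only two consumers: the system mailer reading it and cron-called services writing it. If that is the intended access set, files_type(user_cron_spool_log_t) together with the explicit rules already in the patch is tighter; if log-reader access is wanted, say so in the commit message so the wider exposure is a documented decision rather than a side effect.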
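Review bot: the second cron.te hunk, allow admin_crontab_t self:capability fsetid;, has nothing to do with the at spool or the new log type described in the commit message (it changes the admin crontab-editing domain, not the daemon that runs at jobs), and no rationale is given for it. Either move it to a separate patch that explains which operation of the crontab tool trips CAP_FSETID (typically a chmod or chown on a spool file that keeps a set-id bit), or add that explanation to this commit message.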
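Review bot: in the last cron.te hunk, replacing read_files_pattern with manage_files_pattern for crond_t on user_cron_spool_t is justified only by atd "locking" the job, but manage grants create, unlink, rename and setattr over every user's queued at jobs. If the lock is a rename or attribute change inside atjobs, rename_files_pattern or a write/setattr subset would document the actual need more precisely than the full manage set; please state in the commit message which operations atd performs on the job file. The new manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t) is reasonable if atd itself creates and later removes the output file after the mailer has sent it, but that should be said explicitly as well.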