From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sat, 17 Nov 2012 21:58:51 +0100
Subject: [refpolicy] [PATCH v1 5/9] Support at service
In-Reply-To: <1353185935-17421-1-git-send-email-sven.vermeulen@siphos.be>
References: <1353185935-17421-1-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1353185935-17421-6-git-send-email-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The at daemon allows users and system administrators to define tasks to be executed once at a particular time. The at service captures the current session's environment and stores it as part of the task to be executed. When run, at "locks" the job (in the /var/spool/at/atjobs location) and executes it, capturing its output in the /var/spool/at/atspool location.

Because of this log output capturing, it doesn't make sense to keep the atspool location as user_cron_spool_t, as any service run through at needs to be able to write to this location, and we don't want such services to have write access to the user_cron_spool_t type. Hence we introduce the user_cron_spool_log_t type for the logging output, allow it to be read by the system mailer (as it is invoked to send the resulting output) and written by any service that is allowed to be called by cron (through cron_system_entry).

The cron daemon requires manage privileges on the /var/spool/at/atjobs location (labeled user_cron_spool_t) as it uses locking techniques on the at job scripts themselves (lock files) and removes the scripts once executed.

The capability for the admin_crontab_t only seems to be needed for the admin_crontab_t domain; using the regular crontab_t domain for users does not exhibit this behavior.

Signed-off-by: Sven Vermeulen
--- cron.fc | 1 + cron.if | 3 +++ cron.te | 10 +++++++++- 3 files changed, 13 insertions(+), 1 deletions(-) diff --git a/cron.fc b/cron.fc index c542ac1..a7bfe6d 100644 --- a/cron.fc +++ b/cron.fc 
@@ -27,6 +27,7 @@ /var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0) +/var/spool/at/atspool(/.*)? gen_context(system_u:object_r:user_cron_spool_log_t,s0) /var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0) #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) diff --git a/cron.if b/cron.if index 51f372d..01ba3ce 100644 --- a/cron.if +++ b/cron.if @@ -307,8 +307,11 @@ interface(`cron_admin_role',` interface(`cron_system_entry',` gen_require(` type crond_t, system_cronjob_t; + type user_cron_spool_log_t; ') + rw_files_pattern($1, user_cron_spool_log_t, user_cron_spool_log_t) + domtrans_pattern(system_cronjob_t, $2, $1) domtrans_pattern(crond_t, $2, $1) diff --git a/cron.te b/cron.te index 1e29735..64f2165 100644 --- a/cron.te +++ b/cron.te @@ -121,6 +121,11 @@ files_type(user_cron_spool_t) ubac_constrained(user_cron_spool_t) mta_system_content(user_cron_spool_t) +type user_cron_spool_log_t; +logging_log_file(user_cron_spool_log_t) +ubac_constrained(user_cron_spool_log_t) +mta_system_content(user_cron_spool_log_t) + ifdef(`enable_mcs',` init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh) ') @@ -188,6 +193,7 @@ tunable_policy(`fcron_crond',` # Admin local policy # +allow admin_crontab_t self:capability fsetid; allow admin_crontab_t crond_t:process signal; selinux_get_fs_mount(admin_crontab_t) 
@@ -237,9 +243,11 @@ list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) -read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) +manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) +manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t) + allow crond_t system_cronjob_t:process transition; allow crond_t system_cronjob_t:fd use; allow crond_t system_cronjob_t:key manage_key_perms; -- 1.7.8.6
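Review bot: in the cron.if hunk, the new `rw_files_pattern($1, user_cron_spool_log_t, user_cron_spool_log_t)` in `cron_system_entry` grants open, read and write on the at output spool to every domain that uses this interface as a system cron job entry point, not only to jobs started by at, and the interface's description block is not updated to say so. The commit message only requires jobs to write their captured output; if at redirects the job's stdout/stderr to a file it has already opened (as the description of output capture suggests), a narrower rule without open or read, such as `allow $1 user_cron_spool_log_t:file { getattr write append };`, may be enough. Either way, please document the added access in the interface summary and in the commit message so callers know what they are granting.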
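Review bot: in the cron.te hunk that declares `user_cron_spool_log_t`, making it a `logging_log_file` places it in the generic log-file attribute, so every domain with blanket log access (log readers, log rotation) can read mail-bound job output under /var/spool/at/atspool, a wider audience than the system mailer and cron named in the commit message. Since the content is spool data that becomes a mail body rather than a log, `files_spool_file(user_cron_spool_log_t)` or plain `files_type(user_cron_spool_log_t)` looks closer to the intent; if the log attribute is deliberate, state why in the commit message.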
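Review bot: `allow admin_crontab_t self:capability fsetid;` in the admin local policy hunk is justified only as "seems to be needed", with no denial or observed failure quoted. CAP_FSETID checks are commonly triggered by a chmod or chown on a file where the kernel would otherwise clear the setuid/setgid bits, and refpolicy's usual handling of such spurious checks is `dontaudit admin_crontab_t self:capability fsetid;` rather than allow. Please include the AVC message and say what breaks without the rule; if the job installs correctly with the denial, dontaudit is the safer choice, and a one-line comment above the rule would help the next reader given that crontab_t does not need it.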
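Review bot: in the last cron.te hunk, widening `read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)` to `manage_files_pattern` gives crond_t create, write and unlink on every file of type user_cron_spool_t, while the commit message only needs that for the lock files and job scripts under /var/spool/at/atjobs. The cron.fc hunk labels all of `/var/spool/at(/.*)?` with user_cron_spool_t, the same type that user crontabs carry (the reason the message wants to keep job output away from it), so the daemon can now rewrite or delete user crontabs where it previously only read them. Consider a separate type for the at job directory, as this patch already does for atspool, so that crond_t only gains manage rights on at jobs, or at least call out the widening explicitly in the commit message.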