From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Mon, 21 Apr 2014 17:08:23 +0200 Subject: [refpolicy] [PATCH 2/2] fcron socket support In-Reply-To: <1398092903-6994-1-git-send-email-sven.vermeulen@siphos.be> References: <1398092903-6994-1-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1398092903-6994-3-git-send-email-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The fcron daemon creates a socket file in /var/run (called fcron.fifo) which is used by the fcrondyn application to interact with the fcron daemon. This application allows admins to list the defined jobs, run jobs immediately, remove jobs, etc. Without this, fcrondyn cannot connect to the cron daemon; fcron also logs this at start-up: fcron[23724]: Cannot bind socket to '/var/run/fcron.fifo': Permission denied Through this patch, we allow the crond daemon to create this socket and update the admin role to allow the admin domain to stream_connect through this socket to the crond_t domain. Changes since v1: - Moved named file transition outside tunable_policy - Use user domain instead of role in cron_admin's stream_connect_pattern Signed-off-by: Sven Vermeulen --- cron.if | 5 +++++ cron.te | 2 ++ 2 files changed, 7 insertions(+) diff --git a/cron.if b/cron.if index 1303b30..7496a64 100644 --- a/cron.if +++ b/cron.if @@ -277,6 +277,11 @@ interface(`cron_admin_role',` dontaudit $2 cronjob_t:process { ptrace signal_perms }; ') + tunable_policy(`crond_fcron',` + # Support for fcrondyn + stream_connect_pattern($2, crond_var_run_t, crond_var_run_t, crond_t) + ') + optional_policy(` gen_require(` class dbus send_msg; diff --git a/cron.te b/cron.te index bd8a5cc..89a6620 100644 --- a/cron.te +++ b/cron.te @@ -232,6 +232,7 @@ logging_log_filetrans(crond_t, cron_log_t, file) manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t) files_pid_filetrans(crond_t, crond_var_run_t, file) +files_pid_filetrans(crond_t, crond_var_run_t, sock_file, "fcron.fifo") manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) @@ -347,6 +348,7 @@ tunable_policy(`allow_polyinstantiation',` tunable_policy(`fcron_crond',` allow crond_t { system_cron_spool_t user_cron_spool_t }:file manage_file_perms; + allow crond_t crond_var_run_t:sock_file manage_sock_file_perms; ') optional_policy(` -- 1.8.3.2