From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Thu, 24 Apr 2014 12:58:43 -0400 Subject: [refpolicy] [PATCH 2/2] fcron socket support In-Reply-To: <1398092903-6994-3-git-send-email-sven.vermeulen@siphos.be> References: <1398092903-6994-1-git-send-email-sven.vermeulen@siphos.be> <1398092903-6994-3-git-send-email-sven.vermeulen@siphos.be> Message-ID: <535942C3.2050501@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 04/21/2014 11:08 AM, Sven Vermeulen wrote: > The fcron daemon creates a socket file in /var/run (called fcron.fifo) > which is used by the fcrondyn application to interact with the fcron > daemon. This application allows admins to list the defined jobs, run > jobs immediately, remove jobs, etc. > > Without this, fcrondyn cannot connect to the cron daemon; fcron also > logs this at start-up: > > fcron[23724]: Cannot bind socket to '/var/run/fcron.fifo': Permission > denied > > Through this patch, we allow the crond daemon to create this socket and > update the admin role to allow the admin domain to stream_connect > through this socket to the crond_t domain. > > Changes since v1: > - Moved named file transition outside tunable_policy > - Use user domain instead of role in cron_admin's stream_connect_pattern Merged. I moved the file transition back into the tunable, but dropped the name. I don't think the name is necessary in this case. I also added a missing type require for the interface change. > Signed-off-by: Sven Vermeulen > --- > cron.if | 5 +++++ > cron.te | 2 ++ > 2 files changed, 7 insertions(+) > > diff --git a/cron.if b/cron.if > index 1303b30..7496a64 100644 > --- a/cron.if > +++ b/cron.if > @@ -277,6 +277,11 @@ interface(`cron_admin_role',` > dontaudit $2 cronjob_t:process { ptrace signal_perms }; > ') > > + tunable_policy(`crond_fcron',` > + # Support for fcrondyn > + stream_connect_pattern($2, crond_var_run_t, crond_var_run_t, crond_t) > + ') > + > optional_policy(` > gen_require(` > class dbus send_msg; > diff --git a/cron.te b/cron.te > index bd8a5cc..89a6620 100644 > --- a/cron.te > +++ b/cron.te > @@ -232,6 +232,7 @@ logging_log_filetrans(crond_t, cron_log_t, file) > > manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t) > files_pid_filetrans(crond_t, crond_var_run_t, file) > +files_pid_filetrans(crond_t, crond_var_run_t, sock_file, "fcron.fifo") > > manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) > > @@ -347,6 +348,7 @@ tunable_policy(`allow_polyinstantiation',` > > tunable_policy(`fcron_crond',` > allow crond_t { system_cron_spool_t user_cron_spool_t }:file manage_file_perms; > + allow crond_t crond_var_run_t:sock_file manage_sock_file_perms; > ') > > optional_policy(` > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com