From: dac.override@gmail.com (Dominick Grift)
Date: Sun, 12 Jul 2015 19:05:24 +0200
Subject: [refpolicy] [PATCH 2/2] Introduce cron_admin interface
In-Reply-To: <1436606203-7027-2-git-send-email-jason@perfinion.com>
References: <1436606203-7027-1-git-send-email-jason@perfinion.com>
<1436606203-7027-2-git-send-email-jason@perfinion.com>
Message-ID: <20150712170524.GB8841@x250>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On Sat, Jul 11, 2015 at 01:16:43PM +0400, Jason Zaman wrote:
> ---
I would probably take into account the cronjob_t domain, since that is probably a child of the process associated with the crond_t type
Problem is that if the job run with the user contexts then you have a problem. But yes on the other hand, in my humble view if you want to be able to effectively manage a service then you should also be able to manage the services' children.
That would probably also apply to apache_admin() and the various cgi scripts that it forks. I haven't verified that apache_admin can manage cgi script processes but i think it probably should.
> cron.if | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 53 insertions(+)
>
> diff --git a/cron.if b/cron.if
> index cc225d1..60574e5 100644
> --- a/cron.if
> +++ b/cron.if
> @@ -838,3 +838,56 @@ interface(`cron_dontaudit_write_system_job_tmp_files',`
>
> dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
> ')
> +
> +########################################
> +##
> +## All of the rules required to
> +## administrate a cron environment.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +##
> +## Role allowed access.
> +##
> +##
> +##
> +#
> +interface(`cron_admin',`
> + gen_require(`
> + type crond_t, crond_initrc_exec_t;
> + type cron_var_lib_t, system_cronjob_var_lib_t;
> + type crond_tmp_t, admin_crontab_tmp_t;
> + type crontab_tmp_t, system_cronjob_tmp_t;
> + type cron_var_run_t, system_cronjob_var_run_t, crond_var_run_t;
> + type cron_log_t, system_cronjob_lock_t, user_cron_spool_log_t;
> + attribute cron_spool_type;
> + ')
> +
> + allow $1 crond_t:process { ptrace signal_perms };
> + ps_process_pattern($1, crond_t)
> +
> + init_startstop_service($1, $2, crond_t, crond_initrc_exec_t)
> +
> + files_search_var_lib($1)
> + admin_pattern($1, { cron_var_lib_t system_cronjob_var_lib_t })
> +
> + files_search_tmp($1)
> + admin_pattern($1, { crond_tmp_t admin_crontab_tmp_t })
> + admin_pattern($1, { crontab_tmp_t system_cronjob_tmp_t })
> +
> + files_search_pids($1)
> + admin_pattern($1, { cron_var_run_t crond_var_run_t system_cronjob_var_run_t })
> +
> + files_search_locks($1)
> + admin_pattern($1, system_cronjob_lock_t)
> +
> + logging_search_logs($1)
> + admin_pattern($1, { cron_log_t user_cron_spool_log_t })
> +
> + files_search_spool($1)
> + admin_pattern($1, cron_spool_type)
> +')
> --
> 2.3.6
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
--
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 648 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20150712/0be3cfe3/attachment.bin