From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 14 Jul 2015 11:17:40 -0400
Subject: [refpolicy] [PATCH 2/2] Introduce cron_admin interface
In-Reply-To: <20150712170524.GB8841@x250>
References: <1436606203-7027-1-git-send-email-jason@perfinion.com>
	<1436606203-7027-2-git-send-email-jason@perfinion.com>
	<20150712170524.GB8841@x250>
Message-ID: <55A52814.6040806@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 7/12/2015 1:05 PM, Dominick Grift wrote:
> On Sat, Jul 11, 2015 at 01:16:43PM +0400, Jason Zaman wrote:
>> ---
> 
> I would probably take into account the cronjob_t domain, since that is probably a child of the process associated with the crond_t type
> 
> Problem is that if the job run with the user contexts then you have a problem. But yes on the other hand, in my humble view if you want to be able to effectively manage a service then you should also be able to manage the services' children.
> 
> That would probably also apply to apache_admin() and the various cgi scripts that it forks. I haven't verified that apache_admin can manage cgi script processes but i think it probably should.

I agree.  The built-in domains like cronjob_t should be manageable via
the admin interfaces, but I wouldn't go beyond that (e.g. cron jobs
running in user domains).  Something like ps_process_pattern, ptrace,
and signal perms seems reasonable for cronjob_t (i.e. similar to the
ones provided for crond_t).


>>  cron.if | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
>>  1 file changed, 53 insertions(+)
>>
>> diff --git a/cron.if b/cron.if
>> index cc225d1..60574e5 100644
>> --- a/cron.if
>> +++ b/cron.if
>> @@ -838,3 +838,56 @@ interface(`cron_dontaudit_write_system_job_tmp_files',`
>>  
>>  	dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
>>  ')
>> +
>> +########################################
>> +## <summary>
>> +##	All of the rules required to
>> +##	administrate a cron environment.
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed access.
>> +##	</summary>
>> +## </param>
>> +## <param name="role">
>> +##	<summary>
>> +##	Role allowed access.
>> +##	</summary>
>> +## </param>
>> +## <rolecap/>
>> +#
>> +interface(`cron_admin',`
>> +	gen_require(`
>> +		type crond_t, crond_initrc_exec_t;
>> +		type cron_var_lib_t, system_cronjob_var_lib_t;
>> +		type crond_tmp_t, admin_crontab_tmp_t;
>> +		type crontab_tmp_t, system_cronjob_tmp_t;
>> +		type cron_var_run_t, system_cronjob_var_run_t, crond_var_run_t;
>> +		type cron_log_t, system_cronjob_lock_t, user_cron_spool_log_t;
>> +		attribute cron_spool_type;
>> +	')
>> +
>> +	allow $1 crond_t:process { ptrace signal_perms };
>> +	ps_process_pattern($1, crond_t)
>> +
>> +	init_startstop_service($1, $2, crond_t, crond_initrc_exec_t)
>> +
>> +	files_search_var_lib($1)
>> +	admin_pattern($1, { cron_var_lib_t system_cronjob_var_lib_t })
>> +
>> +	files_search_tmp($1)
>> +	admin_pattern($1, { crond_tmp_t admin_crontab_tmp_t })
>> +	admin_pattern($1, { crontab_tmp_t system_cronjob_tmp_t })
>> +
>> +	files_search_pids($1)
>> +	admin_pattern($1, { cron_var_run_t crond_var_run_t system_cronjob_var_run_t })
>> +
>> +	files_search_locks($1)
>> +	admin_pattern($1, system_cronjob_lock_t)
>> +
>> +	logging_search_logs($1)
>> +	admin_pattern($1, { cron_log_t user_cron_spool_log_t })
>> +
>> +	files_search_spool($1)
>> +	admin_pattern($1, cron_spool_type)
>> +')
>> -- 
>> 2.3.6


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com