From: russell@coker.com.au (Russell Coker)
Date: Mon, 20 Feb 2017 20:19:44 +1100
Subject: [refpolicy] [PATCH] first draft of cron patch
Message-ID: <20170220091944.5s4blmij3alyjiqz@athena.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
This is the cron patch from Debian/Stretch forward ported to the latest git
version of policy.
I don't expect it to be accepted just yet so I didn't test building it without
all the other systemd patches installed and it may be missing dependencies.
Please check it out and give me any suggestions. I'll send another patch for
merging later.
Index: refpolicy-2.20170220/policy/modules/contrib/cron.if
===================================================================
--- refpolicy-2.20170220.orig/policy/modules/contrib/cron.if
+++ refpolicy-2.20170220/policy/modules/contrib/cron.if
@@ -13,7 +13,7 @@
template(`cron_common_crontab_template',`
gen_require(`
attribute crontab_domain;
- type crontab_exec_t;
+ type crontab_exec_t, crond_t;
')
##############################
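Review bot: `crond_t` is added to the template's `gen_require`, but no rule in the visible template body (this hunk and the next one) names `crond_t`, so the new require looks unused. The next hunk's added rules do reference `cron_spool_t` and the attribute `cron_spool_type`, and neither is listed in the require block. If that reading holds, the require lines would be `attribute crontab_domain, cron_spool_type;` and `type crontab_exec_t, cron_spool_t;`. One original line between the two hunks is not shown, so this should be confirmed against the full file.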
@@ -21,23 +21,33 @@ template(`cron_common_crontab_template',
# Declarations
#
- type $1_t, crontab_domain;
- userdom_user_application_domain($1_t, crontab_exec_t)
+ type $1_crontab_t, crontab_domain;
+ userdom_user_application_domain($1_crontab_t, crontab_exec_t)
- type $1_tmp_t;
- userdom_user_tmp_file($1_tmp_t)
+ type $1_crontab_tmp_t;
+ userdom_user_tmp_file($1_crontab_tmp_t)
+
+ type $1_cron_spool_t, cron_spool_type;
##############################
#
# Local policy
#
- manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
- manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
- files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
+ manage_dirs_pattern($1_crontab_t, $1_crontab_tmp_t, $1_crontab_tmp_t)
+ manage_files_pattern($1_crontab_t, $1_crontab_tmp_t, $1_crontab_tmp_t)
+ files_tmp_filetrans($1_crontab_t, $1_crontab_tmp_t, { dir file })
+
+ auth_domtrans_chk_passwd($1_crontab_t)
+ auth_use_nsswitch($1_crontab_t)
+ allow $1_crontab_t self:capability fsetid;
+
+ files_type($1_cron_spool_t)
+ ubac_constrained($1_cron_spool_t)
+ mta_system_content($1_cron_spool_t)
- auth_domtrans_chk_passwd($1_t)
- auth_use_nsswitch($1_t)
+ manage_files_pattern($1_crontab_t, { cron_spool_t user_cron_spool_t }, $1_cron_spool_t)
+ filetrans_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t, file)
')
########################################
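Review bot: `allow $1_crontab_t self:capability fsetid;` grants a capability to every per-role crontab domain without a comment saying which crontab operation needs it. A why-comment directly above the rule, such as `# fsetid: <operation that was denied> - TODO confirm`, would let a later reviewer decide whether the grant can be dropped. The new `manage_files_pattern($1_crontab_t, { cron_spool_t user_cron_spool_t }, $1_cron_spool_t)` also keeps `user_cron_spool_t` as a parent directory type for every role. After this patch that type appears to exist only because cron.te instantiates the template with `user`, so the dependency deserves a comment too.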
@@ -51,15 +61,15 @@ template(`cron_common_crontab_template',
##
##
##
@@ -86,15 +86,16 @@ mta_system_content(crond_var_run_t)
 type crontab_exec_t;
 application_executable_file(crontab_exec_t)
-cron_common_crontab_template(admin_crontab)
-typealias admin_crontab_t alias sysadm_crontab_t;
-typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t;
-
-cron_common_crontab_template(crontab)
-typealias crontab_t alias { user_crontab_t staff_crontab_t };
-typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
-typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
-typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
+cron_common_crontab_template(sysadm)
+typealias sysadm_crontab_t alias admin_crontab_t;
+typealias sysadm_crontab_tmp_t alias admin_crontab_tmp_t;
+
+cron_common_crontab_template(user)
+cron_common_crontab_template(staff)
+cron_common_crontab_template(unconfined)
+typealias user_crontab_t alias { crontab_t };
+typealias sysadm_crontab_t alias { auditadm_crontab_t secadm_crontab_t };
+typealias sysadm_crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
 type system_cron_spool_t, cron_spool_type;
 files_type(system_cron_spool_t)
@@ -117,12 +118,7 @@ files_type(system_cronjob_var_lib_t)
 type system_cronjob_var_run_t;
 files_pid_file(system_cronjob_var_run_t)
-type user_cron_spool_t, cron_spool_type;
-typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
-typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
-files_type(user_cron_spool_t)
-ubac_constrained(user_cron_spool_t)
-mta_system_content(user_cron_spool_t)
+typealias sysadm_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
 type user_cron_spool_log_t;
 logging_log_file(user_cron_spool_log_t)
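Review bot: The old type name `crontab_tmp_t` has no alias after this hunk, while `crontab_t` is kept as an alias of `user_crontab_t`. Any file context or rule elsewhere that still names `crontab_tmp_t` would stop resolving. Adding `typealias user_crontab_tmp_t alias { crontab_tmp_t };` next to the `crontab_t` alias would keep the two names consistent. The `auditadm_*` and `secadm_*` aliases also move from the generic `crontab_t` to `sysadm_crontab_t`, so rules written for the sysadm crontab domain now apply to those roles as well. A one-line comment saying this is intended would help.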
@@ -142,9 +138,6 @@ allow crontab_domain self:capability { c
 allow crontab_domain self:process { getcap setsched signal_perms };
 allow crontab_domain self:fifo_file rw_fifo_file_perms;
-manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
-filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
-
 allow crontab_domain cron_spool_t:dir setattr_dir_perms;
 allow crontab_domain crond_t:process signal;
@@ -215,8 +208,8 @@ tunable_policy(`fcron_crond',`
 # Daemon local policy
 #
-allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice };
-dontaudit crond_t self:capability { sys_resource sys_tty_config };
+allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice sys_resource };
+dontaudit crond_t self:capability { sys_tty_config };
 allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
 allow crond_t self:process { setexec setfscreate };
 allow crond_t self:fd use;
@@ -230,6 +223,7 @@ allow crond_t self:msg { send receive };
 allow crond_t self:key { search write link };
 dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
+allow crond_t cron_spool_type:file read_file_perms;
 allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
 logging_log_filetrans(crond_t, cron_log_t, file)
@@ -340,6 +334,22 @@ ifdef(`distro_debian',`
 optional_policy(`
 logwatch_search_cache_dir(crond_t)
 ')
+ optional_policy(`
+ apt_manage_cache(system_cronjob_t)
+ apt_read_db(system_cronjob_t)
+ ')
+')
+
+optional_policy(`
+ acct_manage_data(system_cronjob_t)
+')
+
+optional_policy(`
+ ntp_admin(system_cronjob_t, system_r)
+')
+
+optional_policy(`
+ apache_unlink_var_lib(system_cronjob_t)
 ')
 ifdef(`distro_redhat',`
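Review bot: `sys_resource` moves from the `dontaudit` rule to the `allow` rule for `crond_t` with no comment explaining what the daemon needs it for. The capability lets a process exceed resource limits and quotas, so the reason belongs next to the rule, for example `# sys_resource: <operation that was denied> - TODO confirm`. If the denial was harmless, leaving it under `dontaudit` as before is the smaller grant.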
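Review bot: The added `')` line after the apt block closes the `distro_debian` ifdef early, so the `acct_manage_data`, `ntp_admin` and `apache_unlink_var_lib` blocks apply on every distribution even though the patch is described as a Debian forward port. If they are Debian-specific, they should sit before that closing line. `ntp_admin(system_cronjob_t, system_r)` is also an administrative interface granted to every system cron job. A comment naming the job that needs it, or a narrower ntp interface if one covers the need, would keep the grant reviewable.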
@@ -429,6 +439,7 @@ optional_policy(`
 systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
 # so cron jobs can restart daemons
 init_stream_connect(system_cronjob_t)
+ init_manage_script_service(system_cronjob_t)
 ')
 optional_policy(`
@@ -440,14 +451,15 @@ optional_policy(`
 # System local policy
 #
-allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_bind_service setgid setuid sys_nice };
+allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice };
 allow system_cronjob_t self:process { signal_perms getsched setsched };
 allow system_cronjob_t self:fd use;
 allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
 allow system_cronjob_t self:passwd rootok;
-allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+allow system_cronjob_t cron_log_t:file manage_file_perms;
 logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+logging_manage_generic_logs(system_cronjob_t)
 allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
 files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
@@ -464,7 +476,7 @@ files_lock_filetrans(system_cronjob_t, s
 manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
 manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
 filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
-files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
+files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir })
 manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
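Review bot: Three grants in the system cron job section widen `system_cronjob_t` without any comment: `net_admin` joins the capability set, the `cron_log_t` rule goes from append/create/setattr to `manage_file_perms`, and `logging_manage_generic_logs(system_cronjob_t)` is new. The last two let any system cron job rewrite or delete the cron log and generic log files, which gives up the append-only property the old rule had. If the need comes from one specific job (log rotation is a guess), a comment such as `# needed by <job> - TODO confirm` on each line would record it. A dedicated domain for that job would be the tighter design.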
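Review bot: `files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir })` now adds a type transition for directories, but the surrounding context shows only file and symlink patterns for `system_cronjob_tmp_t`. Unless a directory rule exists outside the hunk, creating the directory would still be denied. The matching rule would be `manage_dirs_pattern(system_cronjob_t, system_cronjob_tmp_t, system_cronjob_tmp_t)`, which mirrors what the crontab template does for its own tmp type.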
@@ -475,7 +487,8 @@ allow system_cronjob_t crond_t:process s
 allow system_cronjob_t cron_spool_t:dir list_dir_perms;
 allow system_cronjob_t cron_spool_t:file rw_file_perms;
-allow system_cronjob_t crond_tmp_t:file { read write };
+allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms;
+allow cronjob_t crond_tmp_t:file rw_inherited_file_perms;
 kernel_read_kernel_sysctls(system_cronjob_t)
 kernel_read_network_state(system_cronjob_t)
@@ -567,6 +580,10 @@ optional_policy(`
 ')
 optional_policy(`
+ read_mrtg_etc(system_cronjob_t)
+')
+
+optional_policy(`
 cyrus_manage_data(system_cronjob_t)
 ')
@@ -719,27 +736,3 @@ optional_policy(`
 nis_use_ypbind(cronjob_t)
 ')
-########################################
-#
-# Unconfined local policy
-#
-
-type unconfined_cronjob_t;
-domain_type(unconfined_cronjob_t)
-domain_cron_exemption_target(unconfined_cronjob_t)
-
-dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
-
-tunable_policy(`cron_userdomain_transition',`
- dontaudit crond_t unconfined_cronjob_t:process transition;
- dontaudit crond_t unconfined_cronjob_t:fd use;
- dontaudit crond_t unconfined_cronjob_t:key manage_key_perms;
-',`
- allow crond_t unconfined_cronjob_t:process transition;
- allow crond_t unconfined_cronjob_t:fd use;
- allow crond_t unconfined_cronjob_t:key manage_key_perms;
-')
-
-optional_policy(`
- unconfined_domain(unconfined_cronjob_t)
-')
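Review bot: `read_mrtg_etc(system_cronjob_t)` does not follow the module-prefixed naming that every other interface call in this patch uses (`cyrus_manage_data`, `apt_read_db`, `ntp_admin`). That suggests it may not be an interface the mrtg module defines in this tree. The name should be checked against the mrtg module's interface file and replaced with its module-prefixed equivalent. The author already notes the patch was not built on its own, so this call is one to verify before merging.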