From: russell@coker.com.au (Russell Coker) Date: Mon, 20 Feb 2017 20:19:44 +1100 Subject: [refpolicy] [PATCH] first draft of cron patch Message-ID: <20170220091944.5s4blmij3alyjiqz@athena.coker.com.au> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This is the cron patch from Debian/Stretch forward ported to the latest git version of policy. I don't expect it to be accepted just yet so I didn't test building it without all the other systemd patches installed and it may be missing dependencies. Please check it out and give me any suggestions. I'll send another patch for merging later. Index: refpolicy-2.20170220/policy/modules/contrib/cron.if =================================================================== --- refpolicy-2.20170220.orig/policy/modules/contrib/cron.if +++ refpolicy-2.20170220/policy/modules/contrib/cron.if @@ -13,7 +13,7 @@ template(`cron_common_crontab_template',` gen_require(` attribute crontab_domain; - type crontab_exec_t; + type crontab_exec_t, crond_t; ') ############################## 
@@ -21,23 +21,33 @@ template(`cron_common_crontab_template', # Declarations # - type $1_t, crontab_domain; - userdom_user_application_domain($1_t, crontab_exec_t) + type $1_crontab_t, crontab_domain; + userdom_user_application_domain($1_crontab_t, crontab_exec_t) - type $1_tmp_t; - userdom_user_tmp_file($1_tmp_t) + type $1_crontab_tmp_t; + userdom_user_tmp_file($1_crontab_tmp_t) + + type $1_cron_spool_t, cron_spool_type; ############################## # # Local policy # - manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) - manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) - files_tmp_filetrans($1_t, $1_tmp_t, { dir file }) + manage_dirs_pattern($1_crontab_t, $1_crontab_tmp_t, $1_crontab_tmp_t) + manage_files_pattern($1_crontab_t, $1_crontab_tmp_t, $1_crontab_tmp_t) + files_tmp_filetrans($1_crontab_t, $1_crontab_tmp_t, { dir file }) + + auth_domtrans_chk_passwd($1_crontab_t) + auth_use_nsswitch($1_crontab_t) + allow $1_crontab_t self:capability fsetid; + + files_type($1_cron_spool_t) + ubac_constrained($1_cron_spool_t) + mta_system_content($1_cron_spool_t) - auth_domtrans_chk_passwd($1_t) - auth_use_nsswitch($1_t) + manage_files_pattern($1_crontab_t, { cron_spool_t user_cron_spool_t }, $1_cron_spool_t) + filetrans_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t, file) ') ######################################## @@ -51,15 +61,15 @@ template(`cron_common_crontab_template', ## ## ## -## User domain for the role. +## stem of domain for the role. ## ## ## # interface(`cron_role',` gen_require(` - type cronjob_t, crontab_t, crontab_exec_t; - type user_cron_spool_t, crond_t; + type $2_crontab_t, crontab_exec_t; + type $2_cron_spool_t, crond_t; bool cron_userdomain_transition; ') 
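Review bot: `manage_files_pattern($1_crontab_t, { cron_spool_t user_cron_spool_t }, $1_cron_spool_t)` keeps the literal `user_cron_spool_t` inside a template that is now instantiated once per stem, so every instantiation (sysadm, staff, unconfined) still receives dir-level rw on whatever carries the `user` stem's spool type, and the module only builds if some caller instantiates the template with the `user` stem. If the point of the split is one spool type per stem, `{ cron_spool_t $1_cron_spool_t }` reads as the intended directory set; if the shared type is kept deliberately, a comment such as `# user_cron_spool_t kept as a dir type for the pre-split spool layout` would stop the next reader from removing it. The template's `gen_require` and header are in the previous hunk, not this one.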
@@ -68,138 +78,42 @@ interface(`cron_role',` # Declarations # - role $1 types { cronjob_t crontab_t }; + role $1 types { $2_crontab_t }; ############################## # # Local policy # - domtrans_pattern($2, crontab_exec_t, crontab_t) + domtrans_pattern($2_t, crontab_exec_t, $2_crontab_t) - dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; - allow $2 crond_t:process sigchld; + dontaudit crond_t $2_t:process { noatsecure siginh rlimitinh }; + allow $2_t crond_t:process sigchld; - allow $2 user_cron_spool_t:file { getattr read write ioctl }; + allow $2_t $2_cron_spool_t:file { getattr read write ioctl }; - allow $2 crontab_t:process { ptrace signal_perms }; - ps_process_pattern($2, crontab_t) + allow $2_t $2_crontab_t:process { ptrace signal_perms }; + ps_process_pattern($2_t, $2_crontab_t) - corecmd_exec_bin(crontab_t) - corecmd_exec_shell(crontab_t) + corecmd_exec_bin($2_crontab_t) + corecmd_exec_shell($2_crontab_t) tunable_policy(`cron_userdomain_transition',` - allow crond_t $2:process transition; - allow crond_t $2:fd use; - allow crond_t $2:key manage_key_perms; - - allow $2 user_cron_spool_t:file entrypoint; + allow crond_t $2_t:process transition; + allow crond_t $2_t:fd use; + allow crond_t $2_t:key manage_key_perms; - allow $2 crond_t:fifo_file rw_fifo_file_perms; + allow $2_t $2_cron_spool_t:file entrypoint; - allow $2 cronjob_t:process { ptrace signal_perms }; - ps_process_pattern($2, cronjob_t) + allow $2_t crond_t:fifo_file rw_fifo_file_perms; ',` - dontaudit crond_t $2:process transition; - dontaudit crond_t $2:fd use; - dontaudit crond_t $2:key manage_key_perms; + dontaudit crond_t $2_t:process transition; + dontaudit crond_t $2_t:fd use; + dontaudit crond_t $2_t:key manage_key_perms; - dontaudit $2 user_cron_spool_t:file entrypoint; + dontaudit $2_t $2_cron_spool_t:file entrypoint; - dontaudit $2 crond_t:fifo_file rw_fifo_file_perms; - - dontaudit $2 cronjob_t:process { ptrace signal_perms }; - ') - - optional_policy(` - gen_require(` - 
class dbus send_msg; - ') - - dbus_stub(cronjob_t) - - allow cronjob_t $2:dbus send_msg; - ') -') - -######################################## -## -## Role access for unconfined cron. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. -## -## -# -interface(`cron_unconfined_role',` - gen_require(` - type unconfined_cronjob_t, crontab_t, crontab_exec_t; - type crond_t, user_cron_spool_t; - bool cron_userdomain_transition; - ') - - ############################## - # - # Declarations - # - - role $1 types { unconfined_cronjob_t crontab_t }; - - ############################## - # - # Local policy - # - - domtrans_pattern($2, crontab_exec_t, crontab_t) - - dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; - allow $2 crond_t:process sigchld; - - allow $2 user_cron_spool_t:file { getattr read write ioctl }; - - allow $2 crontab_t:process { ptrace signal_perms }; - ps_process_pattern($2, crontab_t) - - corecmd_exec_bin(crontab_t) - corecmd_exec_shell(crontab_t) - - tunable_policy(`cron_userdomain_transition',` - allow crond_t $2:process transition; - allow crond_t $2:fd use; - allow crond_t $2:key manage_key_perms; - - allow $2 user_cron_spool_t:file entrypoint; - - allow $2 crond_t:fifo_file rw_fifo_file_perms; - - allow $2 unconfined_cronjob_t:process { ptrace signal_perms }; - ps_process_pattern($2, unconfined_cronjob_t) - ',` - dontaudit crond_t $2:process transition; - dontaudit crond_t $2:fd use; - dontaudit crond_t $2:key manage_key_perms; - - dontaudit $2 user_cron_spool_t:file entrypoint; - - dontaudit $2 crond_t:fifo_file rw_fifo_file_perms; - - dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms }; -') - - optional_policy(` - gen_require(` - class dbus send_msg; - ') - - dbus_stub(unconfined_cronjob_t) - - allow unconfined_cronjob_t $2:dbus send_msg; + dontaudit $2_t crond_t:fifo_file rw_fifo_file_perms; ') ') 
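Review bot: `cron_role` changes the meaning of its second argument from a domain to a stem (`domtrans_pattern($2_t, crontab_exec_t, $2_crontab_t)`, `role $1 types { $2_crontab_t }`) while keeping the interface name, so any existing caller that passes a domain such as `user_t` expands to `user_t_t` and fails to build; `cron_unconfined_role` is removed outright, which breaks its callers the same way. Given the cover letter says dependencies may be missing, either list the userdom/unconfined callers the companion patch updates, or put the stem-based behaviour under a new interface name and leave a deprecated `cron_role` wrapper so the tree stays buildable at each step. The hunk also drops `cronjob_t` from `role $1 types` and from both tunable branches while `cronjob_t` still exists in cron.te (see the `nis_use_ypbind(cronjob_t)` context later in this patch), so with `cron_userdomain_transition` disabled user jobs appear to land in a domain the role no longer carries — that case deserves a sentence in the interface description. The enclosing interface's `gen_require` begins in the previous hunk.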
@@ -910,3 +824,21 @@ interface(`cron_manage_system_spool',` files_search_spool($1) manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t) ') + +######################################## +## +## Access temporary files crond creates for script output +## +## +## +## Domain allowed access. +## +## +# +interface(`read_write_crond_tmp',` + gen_require(` + type crond_tmp_t; + ') + + allow $1 crond_tmp_t:file rw_file_perms; +') Index: refpolicy-2.20170220/policy/modules/contrib/cron.te =================================================================== --- refpolicy-2.20170220.orig/policy/modules/contrib/cron.te +++ refpolicy-2.20170220/policy/modules/contrib/cron.te @@ -25,7 +25,7 @@ gen_tunable(cron_can_relabel, false) ## the generic cronjob domain. ##
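Review bot: The new interface `read_write_crond_tmp` does not follow the refpolicy convention of prefixing interface names with the module name (compare the neighbouring `cron_manage_system_spool`); `cron_rw_crond_tmp_files` or similar would be consistent, and the same applies to `read_mrtg_etc` used in a later cron.te hunk of this patch if that one is also newly introduced. Its body grants `rw_file_perms`, which includes `open`, whereas the in-module rule for the same type in cron.te is changed to `rw_inherited_file_perms` in this patch — if the intent is the descriptor crond hands to the job, `allow $1 crond_tmp_t:file rw_inherited_file_perms;` matches that and is the smaller grant; if callers really open the files themselves, the interface should also search /tmp (e.g. `files_search_tmp($1)`) and the summary should say so.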

## -gen_tunable(cron_userdomain_transition, false) +gen_tunable(cron_userdomain_transition, true) ## ##
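Review bot: Flipping the default of `cron_userdomain_transition` to `true` changes the shipped posture for every user role: user cron jobs now run in the user's full login domain instead of the generic cronjob domain unless an administrator turns the boolean back off. That deserves a sentence in the commit message and in the tunable description above, e.g. `## Defaults to true so that user jobs run with the same confinement as the user's interactive session.`, so reviewers can see it is intentional rather than a Debian-local default carried over.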

@@ -86,15 +86,16 @@ mta_system_content(crond_var_run_t) type crontab_exec_t; application_executable_file(crontab_exec_t) -cron_common_crontab_template(admin_crontab) -typealias admin_crontab_t alias sysadm_crontab_t; -typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t; - -cron_common_crontab_template(crontab) -typealias crontab_t alias { user_crontab_t staff_crontab_t }; -typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t }; -typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t }; -typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t }; +cron_common_crontab_template(sysadm) +typealias sysadm_crontab_t alias admin_crontab_t; +typealias sysadm_crontab_tmp_t alias admin_crontab_tmp_t; + +cron_common_crontab_template(user) +cron_common_crontab_template(staff) +cron_common_crontab_template(unconfined) +typealias user_crontab_t alias { crontab_t }; +typealias sysadm_crontab_t alias { auditadm_crontab_t secadm_crontab_t }; +typealias sysadm_crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t }; type system_cron_spool_t, cron_spool_type; files_type(system_cron_spool_t) @@ -117,12 +118,7 @@ files_type(system_cronjob_var_lib_t) type system_cronjob_var_run_t; files_pid_file(system_cronjob_var_run_t) -type user_cron_spool_t, cron_spool_type; -typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t }; -typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t }; -files_type(user_cron_spool_t) -ubac_constrained(user_cron_spool_t) -mta_system_content(user_cron_spool_t) +typealias sysadm_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t }; type user_cron_spool_log_t; logging_log_file(user_cron_spool_log_t) 
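Review bot: `cron_common_crontab_template(unconfined)` runs the confined template for the unconfined stem, so `unconfined_crontab_t` becomes a `crontab_domain` with a `ubac_constrained` spool type like the confined roles, while the `unconfined_cronjob_t`/`unconfined_domain()` block is removed later in this patch. If that is deliberate — the crontab editor needing no unconfined access and unconfined users' jobs being expected to reach `unconfined_t` through the now-default `cron_userdomain_transition` — a comment above the call such as `# unconfined users get a confined crontab editor; jobs transition to the user domain` would record it, and what happens with the boolean off should be stated. `typealias sysadm_crontab_t alias { auditadm_crontab_t secadm_crontab_t }` also moves auditadm/secadm from the generic user crontab domain to the sysadm one, which changes the spool type those roles' crontabs carry and is worth a line in the commit message.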
@@ -142,9 +138,6 @@ allow crontab_domain self:capability { c allow crontab_domain self:process { getcap setsched signal_perms }; allow crontab_domain self:fifo_file rw_fifo_file_perms; -manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t) -filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file) - allow crontab_domain cron_spool_t:dir setattr_dir_perms; allow crontab_domain crond_t:process signal; @@ -215,8 +208,8 @@ tunable_policy(`fcron_crond',` # Daemon local policy # -allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice }; -dontaudit crond_t self:capability { sys_resource sys_tty_config }; +allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice sys_resource }; +dontaudit crond_t self:capability { sys_tty_config }; allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; allow crond_t self:process { setexec setfscreate }; allow crond_t self:fd use; @@ -230,6 +223,7 @@ allow crond_t self:msg { send receive }; allow crond_t self:key { search write link }; dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit; +allow crond_t cron_spool_type:file read_file_perms; allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms }; logging_log_filetrans(crond_t, cron_log_t, file) @@ -340,6 +334,22 @@ ifdef(`distro_debian',` optional_policy(` logwatch_search_cache_dir(crond_t) ') + optional_policy(` + apt_manage_cache(system_cronjob_t) + apt_read_db(system_cronjob_t) + ') +') + +optional_policy(` + acct_manage_data(system_cronjob_t) +') + +optional_policy(` + ntp_admin(system_cronjob_t, system_r) +') + +optional_policy(` + apache_unlink_var_lib(system_cronjob_t) ') ifdef(`distro_redhat',` 
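Review bot: `sys_resource` moves from the `dontaudit` line to the `allow` line for `crond_t` without a comment saying which operation needs it; the capability lets the daemon raise resource limits and bypass quota and reserved-space checks. A why-comment on the new allow, e.g. `# sys_resource: <operation that triggered it> — TODO confirm`, or leaving it in dontaudit if the denials were only noise, would let a reviewer judge the grant.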
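Review bot: `ntp_admin(system_cronjob_t, system_r)` hands a periodic job the module's full administrative interface; in refpolicy the `*_admin` interfaces are written for administrator roles and typically cover all of a module's types plus domain transitions, far more than a cron job normally needs. If the job only runs the ntp binary or its init script, the narrower domtrans-style ntp interface is the better fit, with a comment naming the job. The three new `optional_policy` blocks (`acct_manage_data`, `ntp_admin`, `apache_unlink_var_lib`) also sit outside the `distro_debian` ifdef although the surrounding context is Debian-specific; if they are Debian-motivated, moving them inside keeps other distributions unaffected.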
@@ -429,6 +439,7 @@ optional_policy(` systemd_write_inherited_logind_sessions_pipes(system_cronjob_t) # so cron jobs can restart daemons init_stream_connect(system_cronjob_t) + init_manage_script_service(system_cronjob_t) ') optional_policy(` @@ -440,14 +451,15 @@ optional_policy(` # System local policy # -allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_bind_service setgid setuid sys_nice }; +allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice }; allow system_cronjob_t self:process { signal_perms getsched setsched }; allow system_cronjob_t self:fd use; allow system_cronjob_t self:fifo_file rw_fifo_file_perms; allow system_cronjob_t self:passwd rootok; -allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +allow system_cronjob_t cron_log_t:file manage_file_perms; logging_log_filetrans(system_cronjob_t, cron_log_t, file) +logging_manage_generic_logs(system_cronjob_t) allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms }; files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file) @@ -464,7 +476,7 @@ files_lock_filetrans(system_cronjob_t, s manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) -files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) +files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir }) manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t) 
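Review bot: `net_admin` is added to `system_cronjob_t`'s self capabilities, and `logging_manage_generic_logs(system_cronjob_t)` plus `manage_file_perms` on `cron_log_t` are added, all without a comment on which job needs them. `net_admin` covers interface, routing and firewall configuration for every system cron job, and the generic-logs interface lets any job create, rewrite or delete logs outside `cron_log_t`, weakening the integrity of logs that incident response relies on. Please tie each grant to its consumer, e.g. `# net_admin: needed by <job> — TODO confirm`, and consider giving the log access to the specific log type that job writes, or wrapping it in the `optional_policy` for that job's module.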
@@ -475,7 +487,8 @@ allow system_cronjob_t crond_t:process s allow system_cronjob_t cron_spool_t:dir list_dir_perms; allow system_cronjob_t cron_spool_t:file rw_file_perms; -allow system_cronjob_t crond_tmp_t:file { read write }; +allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms; +allow cronjob_t crond_tmp_t:file rw_inherited_file_perms; kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_network_state(system_cronjob_t) @@ -567,6 +580,10 @@ optional_policy(` ') optional_policy(` + read_mrtg_etc(system_cronjob_t) +') + +optional_policy(` cyrus_manage_data(system_cronjob_t) ') @@ -719,27 +736,3 @@ optional_policy(` nis_use_ypbind(cronjob_t) ') -######################################## -# -# Unconfined local policy -# - -type unconfined_cronjob_t; -domain_type(unconfined_cronjob_t) -domain_cron_exemption_target(unconfined_cronjob_t) - -dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh }; - -tunable_policy(`cron_userdomain_transition',` - dontaudit crond_t unconfined_cronjob_t:process transition; - dontaudit crond_t unconfined_cronjob_t:fd use; - dontaudit crond_t unconfined_cronjob_t:key manage_key_perms; -',` - allow crond_t unconfined_cronjob_t:process transition; - allow crond_t unconfined_cronjob_t:fd use; - allow crond_t unconfined_cronjob_t:key manage_key_perms; -') - -optional_policy(` - unconfined_domain(unconfined_cronjob_t) -')
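Review bot: Removing the `unconfined_cronjob_t` block leaves no unconfined job domain, and the else-branch of the removed tunable block was what let `crond_t` transition to it when `cron_userdomain_transition` is off; with the boolean off, unconfined users' jobs presumably fall back to `cronjob_t` (still referenced above via `nis_use_ypbind(cronjob_t)`), a behaviour change worth stating in the commit message. If `unconfined_cronjob_t` is still named by callers of the removed `cron_unconfined_role`, deleting both in one patch without the updated callers will fail the build for anyone applying this on its own.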