From: pebenito@ieee.org (Chris PeBenito)
Date: Thu, 23 Feb 2017 21:07:12 -0500
Subject: [refpolicy] [PATCH] first draft of cron patch
In-Reply-To: <20170220091944.5s4blmij3alyjiqz@athena.coker.com.au>
References: <20170220091944.5s4blmij3alyjiqz@athena.coker.com.au>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 02/20/17 04:19, Russell Coker via refpolicy wrote:
> This is the cron patch from Debian/Stretch forward ported to the latest git
> version of policy.
>
> I don't expect it to be accepted just yet so I didn't test building it without
> all the other systemd patches installed and it may be missing dependencies.
I don't follow why the interfaces and templates are being revised this
way. I'm also not clear why some of the file types need to be derived
types, whereas cronjob_t is still fine.
> Please check it out and give me any suggestions. I'll send another patch for
> merging later.
>
> Index: refpolicy-2.20170220/policy/modules/contrib/cron.if
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/contrib/cron.if
> +++ refpolicy-2.20170220/policy/modules/contrib/cron.if
> @@ -13,7 +13,7 @@
> template(`cron_common_crontab_template',`
> gen_require(`
> attribute crontab_domain;
> - type crontab_exec_t;
> + type crontab_exec_t, crond_t;
> ')
>
> ##############################
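Review bot: `crond_t` is added to the template's gen_require, but none of the rules the template now carries (the rest of its body is in the next hunk, ending at the closing `')`) reference crond_t, while the types it does use — `cron_spool_t`, `user_cron_spool_t` and the `cron_spool_type` attribute — are not required here at all. A template that is only ever instantiated from cron.te still builds, but the require block should describe what the body actually uses. Drop `crond_t` and list the spool types instead, e.g. `type crontab_exec_t, cron_spool_t, user_cron_spool_t;` plus `attribute cron_spool_type;`.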
> @@ -21,23 +21,33 @@ template(`cron_common_crontab_template',
> # Declarations
> #
>
> - type $1_t, crontab_domain;
> - userdom_user_application_domain($1_t, crontab_exec_t)
> + type $1_crontab_t, crontab_domain;
> + userdom_user_application_domain($1_crontab_t, crontab_exec_t)
>
> - type $1_tmp_t;
> - userdom_user_tmp_file($1_tmp_t)
> + type $1_crontab_tmp_t;
> + userdom_user_tmp_file($1_crontab_tmp_t)
> +
> + type $1_cron_spool_t, cron_spool_type;
>
> ##############################
> #
> # Local policy
> #
>
> - manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
> - manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
> - files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
> + manage_dirs_pattern($1_crontab_t, $1_crontab_tmp_t, $1_crontab_tmp_t)
> + manage_files_pattern($1_crontab_t, $1_crontab_tmp_t, $1_crontab_tmp_t)
> + files_tmp_filetrans($1_crontab_t, $1_crontab_tmp_t, { dir file })
> +
> + auth_domtrans_chk_passwd($1_crontab_t)
> + auth_use_nsswitch($1_crontab_t)
> + allow $1_crontab_t self:capability fsetid;
> +
> + files_type($1_cron_spool_t)
> + ubac_constrained($1_cron_spool_t)
> + mta_system_content($1_cron_spool_t)
>
> - auth_domtrans_chk_passwd($1_t)
> - auth_use_nsswitch($1_t)
> + manage_files_pattern($1_crontab_t, { cron_spool_t user_cron_spool_t }, $1_cron_spool_t)
> + filetrans_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t, file)
> ')
>
> ########################################
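Review bot: `manage_files_pattern($1_crontab_t, { cron_spool_t user_cron_spool_t }, $1_cron_spool_t)` hardcodes user_cron_spool_t as a directory type inside a per-stem template, so every instantiation (sysadm, staff, unconfined) gets rw_dir_perms on the user spool directory in addition to its own `$1_cron_spool_t`, which is probably not what the per-stem spool types are meant to give. The directory set should likely be `{ cron_spool_t $1_cron_spool_t }`, and any cross-spool access that is genuinely needed belongs in cron.te as a commented rule; note too that user_cron_spool_t is now only declared by the `cron_common_crontab_template(user)` instantiation, so the template would not link in a tree that does not call it. The new `allow $1_crontab_t self:capability fsetid;` also lands in every crontab domain with no comment; add `# fsetid: <operation that requires it — fill in>` above it or keep it out until the denial it answers is documented.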
> @@ -51,15 +61,15 @@ template(`cron_common_crontab_template',
> ##
> ##
> ##
> -## User domain for the role.
> +## stem of domain for the role.
> ##
> ##
> ##
> #
> interface(`cron_role',`
> gen_require(`
> - type cronjob_t, crontab_t, crontab_exec_t;
> - type user_cron_spool_t, crond_t;
> + type $2_crontab_t, crontab_exec_t;
> + type $2_cron_spool_t, crond_t;
> bool cron_userdomain_transition;
> ')
>
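Review bot: The parameter description at `+## stem of domain for the role.` undersells the new contract: cron_role now synthesises `$2_t`, `$2_crontab_t` and `$2_cron_spool_t` from the stem, so it only links when `cron_common_crontab_template($2)` has been instantiated in cron.te with the same stem and the caller owns `$2_t`. The gen_require lists the two derived types but not `$2_t`, which the body uses throughout the next hunk. Suggested wording: `## Stem of the user domain (e.g. user, staff); $2_t must exist and cron_common_crontab_template($2) must already have been instantiated.`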
> @@ -68,138 +78,42 @@ interface(`cron_role',`
> # Declarations
> #
>
> - role $1 types { cronjob_t crontab_t };
> + role $1 types { $2_crontab_t };
>
> ##############################
> #
> # Local policy
> #
>
> - domtrans_pattern($2, crontab_exec_t, crontab_t)
> + domtrans_pattern($2_t, crontab_exec_t, $2_crontab_t)
>
> - dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
> - allow $2 crond_t:process sigchld;
> + dontaudit crond_t $2_t:process { noatsecure siginh rlimitinh };
> + allow $2_t crond_t:process sigchld;
>
> - allow $2 user_cron_spool_t:file { getattr read write ioctl };
> + allow $2_t $2_cron_spool_t:file { getattr read write ioctl };
>
> - allow $2 crontab_t:process { ptrace signal_perms };
> - ps_process_pattern($2, crontab_t)
> + allow $2_t $2_crontab_t:process { ptrace signal_perms };
> + ps_process_pattern($2_t, $2_crontab_t)
>
> - corecmd_exec_bin(crontab_t)
> - corecmd_exec_shell(crontab_t)
> + corecmd_exec_bin($2_crontab_t)
> + corecmd_exec_shell($2_crontab_t)
>
> tunable_policy(`cron_userdomain_transition',`
> - allow crond_t $2:process transition;
> - allow crond_t $2:fd use;
> - allow crond_t $2:key manage_key_perms;
> -
> - allow $2 user_cron_spool_t:file entrypoint;
> + allow crond_t $2_t:process transition;
> + allow crond_t $2_t:fd use;
> + allow crond_t $2_t:key manage_key_perms;
>
> - allow $2 crond_t:fifo_file rw_fifo_file_perms;
> + allow $2_t $2_cron_spool_t:file entrypoint;
>
> - allow $2 cronjob_t:process { ptrace signal_perms };
> - ps_process_pattern($2, cronjob_t)
> + allow $2_t crond_t:fifo_file rw_fifo_file_perms;
> ',`
> - dontaudit crond_t $2:process transition;
> - dontaudit crond_t $2:fd use;
> - dontaudit crond_t $2:key manage_key_perms;
> + dontaudit crond_t $2_t:process transition;
> + dontaudit crond_t $2_t:fd use;
> + dontaudit crond_t $2_t:key manage_key_perms;
>
> - dontaudit $2 user_cron_spool_t:file entrypoint;
> + dontaudit $2_t $2_cron_spool_t:file entrypoint;
>
> - dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
> -
> - dontaudit $2 cronjob_t:process { ptrace signal_perms };
> - ')
> -
> - optional_policy(`
> - gen_require(`
> - class dbus send_msg;
> - ')
> -
> - dbus_stub(cronjob_t)
> -
> - allow cronjob_t $2:dbus send_msg;
> - ')
> -')
> -
> -########################################
> -##
> -## Role access for unconfined cron.
> -##
> -##
> -##
> -## Role allowed access.
> -##
> -##
> -##
> -##
> -## User domain for the role.
> -##
> -##
> -#
> -interface(`cron_unconfined_role',`
> - gen_require(`
> - type unconfined_cronjob_t, crontab_t, crontab_exec_t;
> - type crond_t, user_cron_spool_t;
> - bool cron_userdomain_transition;
> - ')
> -
> - ##############################
> - #
> - # Declarations
> - #
> -
> - role $1 types { unconfined_cronjob_t crontab_t };
> -
> - ##############################
> - #
> - # Local policy
> - #
> -
> - domtrans_pattern($2, crontab_exec_t, crontab_t)
> -
> - dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
> - allow $2 crond_t:process sigchld;
> -
> - allow $2 user_cron_spool_t:file { getattr read write ioctl };
> -
> - allow $2 crontab_t:process { ptrace signal_perms };
> - ps_process_pattern($2, crontab_t)
> -
> - corecmd_exec_bin(crontab_t)
> - corecmd_exec_shell(crontab_t)
> -
> - tunable_policy(`cron_userdomain_transition',`
> - allow crond_t $2:process transition;
> - allow crond_t $2:fd use;
> - allow crond_t $2:key manage_key_perms;
> -
> - allow $2 user_cron_spool_t:file entrypoint;
> -
> - allow $2 crond_t:fifo_file rw_fifo_file_perms;
> -
> - allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
> - ps_process_pattern($2, unconfined_cronjob_t)
> - ',`
> - dontaudit crond_t $2:process transition;
> - dontaudit crond_t $2:fd use;
> - dontaudit crond_t $2:key manage_key_perms;
> -
> - dontaudit $2 user_cron_spool_t:file entrypoint;
> -
> - dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
> -
> - dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms };
> -')
> -
> - optional_policy(`
> - gen_require(`
> - class dbus send_msg;
> - ')
> -
> - dbus_stub(unconfined_cronjob_t)
> -
> - allow unconfined_cronjob_t $2:dbus send_msg;
> + dontaudit $2_t crond_t:fifo_file rw_fifo_file_perms;
> ')
> ')
>
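Review bot: `role $1 types { $2_crontab_t };` drops cronjob_t from the role, and the `allow $2 cronjob_t:process { ptrace signal_perms }`, `ps_process_pattern($2, cronjob_t)` and dbus send_msg rules go with it, yet cronjob_t survives in cron.te (it is still referenced in the `nis_use_ypbind(cronjob_t)` context later in this mail and gains a new crond_tmp_t rule). If crond still transitions to cronjob_t when cron_userdomain_transition is off, a user role without cronjob_t in its type set cannot reach that domain, so either keep `role $1 types { cronjob_t $2_crontab_t };` together with the signal/ps rules, or state in the commit message that cronjob_t is no longer reachable from user roles. cron_unconfined_role is removed outright here; whichever module still calls it needs updating in the same patch, otherwise the build breaks at link time.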
> @@ -910,3 +824,21 @@ interface(`cron_manage_system_spool',`
> files_search_spool($1)
> manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
> ')
> +
> +########################################
> +##
> +## Access temporary files crond creates for script output
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`read_write_crond_tmp',`
> + gen_require(`
> + type crond_tmp_t;
> + ')
> +
> + allow $1 crond_tmp_t:file rw_file_perms;
> +')
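Review bot: `interface(`read_write_crond_tmp',`` does not follow the refpolicy naming convention of a module prefix plus verb and object (compare `cron_manage_system_spool` just above it); something like `cron_rw_inherited_crond_tmp_files` would be in keeping with the rest of cron.if. The summary says these are temporary files crond creates for script output, i.e. descriptors inherited from crond, and the cron.te hunk that grants the same access to system_cronjob_t and cronjob_t uses `rw_inherited_file_perms`, whereas this interface uses the wider `rw_file_perms` with no directory search; the two should agree, and `allow $1 crond_tmp_t:file rw_inherited_file_perms;` is the narrower fit for the stated purpose.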
> Index: refpolicy-2.20170220/policy/modules/contrib/cron.te
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/contrib/cron.te
> +++ refpolicy-2.20170220/policy/modules/contrib/cron.te
> @@ -25,7 +25,7 @@ gen_tunable(cron_can_relabel, false)
> ## the generic cronjob domain.
> ##
> ##
> -gen_tunable(cron_userdomain_transition, false)
> +gen_tunable(cron_userdomain_transition, true)
>
> ##
> ##
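Review bot: `gen_tunable(cron_userdomain_transition, true)` flips a policy-wide default so that user cron jobs run in the full user domain instead of the confined cronjob domain on every installation that has not set the boolean explicitly, and the tunable description in the context lines above (`the generic cronjob domain`) still reads as though the generic domain were the default. The cover note says this comes from the Debian packaging but gives no reason the upstream default should change. Either keep the default false and carry the true setting in the distribution's local booleans, or update the description text and explain the change in the commit message.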
> @@ -86,15 +86,16 @@ mta_system_content(crond_var_run_t)
> type crontab_exec_t;
> application_executable_file(crontab_exec_t)
>
> -cron_common_crontab_template(admin_crontab)
> -typealias admin_crontab_t alias sysadm_crontab_t;
> -typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t;
> -
> -cron_common_crontab_template(crontab)
> -typealias crontab_t alias { user_crontab_t staff_crontab_t };
> -typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
> -typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
> -typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
> +cron_common_crontab_template(sysadm)
> +typealias sysadm_crontab_t alias admin_crontab_t;
> +typealias sysadm_crontab_tmp_t alias admin_crontab_tmp_t;
> +
> +cron_common_crontab_template(user)
> +cron_common_crontab_template(staff)
> +cron_common_crontab_template(unconfined)
These shouldn't be here.
> +typealias user_crontab_t alias { crontab_t };
> +typealias sysadm_crontab_t alias { auditadm_crontab_t secadm_crontab_t };
> +typealias sysadm_crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
>
> type system_cron_spool_t, cron_spool_type;
> files_type(system_cron_spool_t)
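Review bot: `typealias user_crontab_t alias { crontab_t };` preserves the crontab_t name, but nothing aliases the matching tmp type: the old `typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t }` lines are removed and the new user_crontab_tmp_t is never aliased back to crontab_tmp_t, so any file context entry or other module still naming crontab_tmp_t will fail to link. Add `typealias user_crontab_tmp_t alias crontab_tmp_t;` next to the crontab_t alias. Since staff now gets its own instantiation rather than an alias of the user types, staff_crontab_t and staff_crontab_tmp_t also change from aliases to distinct types, which is worth a line in the commit message.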
> @@ -117,12 +118,7 @@ files_type(system_cronjob_var_lib_t)
> type system_cronjob_var_run_t;
> files_pid_file(system_cronjob_var_run_t)
>
> -type user_cron_spool_t, cron_spool_type;
> -typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
> -typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
> -files_type(user_cron_spool_t)
> -ubac_constrained(user_cron_spool_t)
> -mta_system_content(user_cron_spool_t)
> +typealias sysadm_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
>
> type user_cron_spool_log_t;
> logging_log_file(user_cron_spool_log_t)
> @@ -142,9 +138,6 @@ allow crontab_domain self:capability { c
> allow crontab_domain self:process { getcap setsched signal_perms };
> allow crontab_domain self:fifo_file rw_fifo_file_perms;
>
> -manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
> -filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
> -
> allow crontab_domain cron_spool_t:dir setattr_dir_perms;
>
> allow crontab_domain crond_t:process signal;
> @@ -215,8 +208,8 @@ tunable_policy(`fcron_crond',`
> # Daemon local policy
> #
>
> -allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice };
> -dontaudit crond_t self:capability { sys_resource sys_tty_config };
> +allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice sys_resource };
> +dontaudit crond_t self:capability { sys_tty_config };
> allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
> allow crond_t self:process { setexec setfscreate };
> allow crond_t self:fd use;
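Review bot: Moving `sys_resource` from the dontaudit line into `allow crond_t self:capability { ... sys_nice sys_resource };` widens the daemon's capability set with no comment saying what operation needs it; the previous policy deliberately silenced that denial rather than granting it. If crond really needs it (setting job resource limits, presumably — confirm from the denial), add `# sys_resource: <operation seen in the denial — fill in>` above the allow; if the denial is harmless, keep it in the dontaudit as before.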
> @@ -230,6 +223,7 @@ allow crond_t self:msg { send receive };
> allow crond_t self:key { search write link };
> dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
>
> +allow crond_t cron_spool_type:file read_file_perms;
> allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
> logging_log_filetrans(crond_t, cron_log_t, file)
>
> @@ -340,6 +334,22 @@ ifdef(`distro_debian',`
> optional_policy(`
> logwatch_search_cache_dir(crond_t)
> ')
> + optional_policy(`
> + apt_manage_cache(system_cronjob_t)
> + apt_read_db(system_cronjob_t)
> + ')
> +')
> +
> +optional_policy(`
> + acct_manage_data(system_cronjob_t)
> +')
> +
> +optional_policy(`
> + ntp_admin(system_cronjob_t, system_r)
> +')
> +
> +optional_policy(`
> + apache_unlink_var_lib(system_cronjob_t)
> ')
>
> ifdef(`distro_redhat',`
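Review bot: `ntp_admin(system_cronjob_t, system_r)` hands the generic system cron job domain the full ntp admin interface, which is far broader than a cron job is likely to need and is placed outside the distro_debian ifdef, so it applies to every distribution. If the Debian cron job only needs a specific access (reading or rotating ntp data, say — confirm from the job), use the narrower ntp interface for that and add a one-line comment naming the job; the same goes for `acct_manage_data` and `apache_unlink_var_lib`, which arrive without any comment explaining which cron job triggers them.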
> @@ -429,6 +439,7 @@ optional_policy(`
> systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
> # so cron jobs can restart daemons
> init_stream_connect(system_cronjob_t)
> + init_manage_script_service(system_cronjob_t)
> ')
>
> optional_policy(`
> @@ -440,14 +451,15 @@ optional_policy(`
> # System local policy
> #
>
> -allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_bind_service setgid setuid sys_nice };
> +allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice };
> allow system_cronjob_t self:process { signal_perms getsched setsched };
> allow system_cronjob_t self:fd use;
> allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
> allow system_cronjob_t self:passwd rootok;
>
> -allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
> +allow system_cronjob_t cron_log_t:file manage_file_perms;
> logging_log_filetrans(system_cronjob_t, cron_log_t, file)
> +logging_manage_generic_logs(system_cronjob_t)
>
> allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
> files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
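Review bot: Adding `net_admin` to `allow system_cronjob_t self:capability { ... }` grants system cron jobs a capability that covers interface, routing and firewall configuration, and it arrives with no comment on what job needs it; that is the kind of grant that should be justified inline, e.g. `# net_admin: <job that requires it — fill in>`, or moved under a tunable or the job's own domain. In the same hunk `logging_manage_generic_logs(system_cronjob_t)` and the widening of cron_log_t from append/create/setattr to `manage_file_perms` let any system cron job rewrite or delete arbitrary generic log files, which weakens log integrity for everything that logs there; if this is for log rotation it belongs in the logrotate domain, otherwise a comment should name the job and why it must manage rather than append.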
> @@ -464,7 +476,7 @@ files_lock_filetrans(system_cronjob_t, s
> manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
> manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
> filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
> -files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
> +files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir })
>
> manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
>
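Review bot: `files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir })` now labels directories the domain creates in /tmp as system_cronjob_tmp_t, but the rules visible in this hunk only manage files and symlinks in crond_tmp_t directories, and the manage_files_pattern for system_cronjob_tmp_t is elsewhere in the file. Unless a `manage_dirs_pattern(system_cronjob_t, system_cronjob_tmp_t, system_cronjob_tmp_t)` already exists outside this hunk, the domain will be able to create such directories but not list, populate or remove them; please confirm, and add the dirs pattern alongside the filetrans if it is missing.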
> @@ -475,7 +487,8 @@ allow system_cronjob_t crond_t:process s
> allow system_cronjob_t cron_spool_t:dir list_dir_perms;
> allow system_cronjob_t cron_spool_t:file rw_file_perms;
>
> -allow system_cronjob_t crond_tmp_t:file { read write };
> +allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms;
> +allow cronjob_t crond_tmp_t:file rw_inherited_file_perms;
>
> kernel_read_kernel_sysctls(system_cronjob_t)
> kernel_read_network_state(system_cronjob_t)
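Review bot: `allow cronjob_t crond_tmp_t:file rw_inherited_file_perms;` is placed in the "System local policy" section among the system_cronjob_t rules, while the file keeps cronjob_t rules in their own section (the `nis_use_ypbind(cronjob_t)` block later in this mail); a rule for a different domain dropped here is easy to miss on the next edit. Move it to the cronjob_t section, or express both grants through the new cron.if interface so the two stay in step.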
> @@ -567,6 +580,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + read_mrtg_etc(system_cronjob_t)
> +')
> +
> +optional_policy(`
> cyrus_manage_data(system_cronjob_t)
> ')
>
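Review bot: `read_mrtg_etc(system_cronjob_t)` does not follow the `<module>_<verb>_<object>` naming every other call in this file uses (compare `cyrus_manage_data` right below it), and an interface of that name is not part of the upstream mrtg module as far as this tree shows, so the optional_policy block would be silently skipped or fail to build depending on how the interface is resolved. Check mrtg.if in this tree for the interface that reads the mrtg configuration and call that, or add the interface to the mrtg module in the same patch with the conventional prefix.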
> @@ -719,27 +736,3 @@ optional_policy(`
> nis_use_ypbind(cronjob_t)
> ')
>
> -########################################
> -#
> -# Unconfined local policy
> -#
> -
> -type unconfined_cronjob_t;
> -domain_type(unconfined_cronjob_t)
> -domain_cron_exemption_target(unconfined_cronjob_t)
> -
> -dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
> -
> -tunable_policy(`cron_userdomain_transition',`
> - dontaudit crond_t unconfined_cronjob_t:process transition;
> - dontaudit crond_t unconfined_cronjob_t:fd use;
> - dontaudit crond_t unconfined_cronjob_t:key manage_key_perms;
> -',`
> - allow crond_t unconfined_cronjob_t:process transition;
> - allow crond_t unconfined_cronjob_t:fd use;
> - allow crond_t unconfined_cronjob_t:key manage_key_perms;
> -')
> -
> -optional_policy(`
> - unconfined_domain(unconfined_cronjob_t)
> -')
--
Chris PeBenito