From: pebenito@ieee.org (Chris PeBenito) Date: Thu, 23 Feb 2017 21:07:12 -0500 Subject: [refpolicy] [PATCH] first draft of cron patch In-Reply-To: <20170220091944.5s4blmij3alyjiqz@athena.coker.com.au> References: <20170220091944.5s4blmij3alyjiqz@athena.coker.com.au> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 02/20/17 04:19, Russell Coker via refpolicy wrote: > This is the cron patch from Debian/Stretch forward ported to the latest git > version of policy. > > I don't expect it to be accepted just yet so I didn't test building it without > all the other systemd patches installed and it may be missing dependencies. I don't follow why the interfaces and templates are being revised this way. I'm also not clear why some of the file types need to be derived types, whereas cronjob_t is still fine. > Please check it out and give me any suggestions. I'll send another patch for > merging later. > > Index: refpolicy-2.20170220/policy/modules/contrib/cron.if > =================================================================== > --- refpolicy-2.20170220.orig/policy/modules/contrib/cron.if > +++ refpolicy-2.20170220/policy/modules/contrib/cron.if > @@ -13,7 +13,7 @@ > template(`cron_common_crontab_template',` > gen_require(` > attribute crontab_domain; > - type crontab_exec_t; > + type crontab_exec_t, crond_t; > ') > > ############################## > @@ -21,23 +21,33 @@ template(`cron_common_crontab_template', > # Declarations > # > > - type $1_t, crontab_domain; > - userdom_user_application_domain($1_t, crontab_exec_t) > + type $1_crontab_t, crontab_domain; > + userdom_user_application_domain($1_crontab_t, crontab_exec_t) > > - type $1_tmp_t; > - userdom_user_tmp_file($1_tmp_t) > + type $1_crontab_tmp_t; > + userdom_user_tmp_file($1_crontab_tmp_t) > + > + type $1_cron_spool_t, cron_spool_type; > > ############################## > # > # Local policy > # > > - manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) > - manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) > - files_tmp_filetrans($1_t, $1_tmp_t, { dir file }) > + manage_dirs_pattern($1_crontab_t, $1_crontab_tmp_t, $1_crontab_tmp_t) > + manage_files_pattern($1_crontab_t, $1_crontab_tmp_t, $1_crontab_tmp_t) > + files_tmp_filetrans($1_crontab_t, $1_crontab_tmp_t, { dir file }) > + > + auth_domtrans_chk_passwd($1_crontab_t) > + auth_use_nsswitch($1_crontab_t) > + allow $1_crontab_t self:capability fsetid; > + > + files_type($1_cron_spool_t) > + ubac_constrained($1_cron_spool_t) > + mta_system_content($1_cron_spool_t) > > - auth_domtrans_chk_passwd($1_t) > - auth_use_nsswitch($1_t) > + manage_files_pattern($1_crontab_t, { cron_spool_t user_cron_spool_t }, $1_cron_spool_t) > + filetrans_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t, file) > ') > > ######################################## > @@ -51,15 +61,15 @@ template(`cron_common_crontab_template', > ## > ## > ## > -## User domain for the role. > +## stem of domain for the role. > ## > ## > ## > # > interface(`cron_role',` > gen_require(` > - type cronjob_t, crontab_t, crontab_exec_t; > - type user_cron_spool_t, crond_t; > + type $2_crontab_t, crontab_exec_t; > + type $2_cron_spool_t, crond_t; > bool cron_userdomain_transition; > ') > > @@ -68,138 +78,42 @@ interface(`cron_role',` > # Declarations > # > > - role $1 types { cronjob_t crontab_t }; > + role $1 types { $2_crontab_t }; > > ############################## > # > # Local policy > # > > - domtrans_pattern($2, crontab_exec_t, crontab_t) > + domtrans_pattern($2_t, crontab_exec_t, $2_crontab_t) > > - dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; > - allow $2 crond_t:process sigchld; > + dontaudit crond_t $2_t:process { noatsecure siginh rlimitinh }; > + allow $2_t crond_t:process sigchld; > > - allow $2 user_cron_spool_t:file { getattr read write ioctl }; > + allow $2_t $2_cron_spool_t:file { getattr read write ioctl }; > > - allow $2 crontab_t:process { ptrace signal_perms }; > - ps_process_pattern($2, crontab_t) > + allow $2_t $2_crontab_t:process { ptrace signal_perms }; > + ps_process_pattern($2_t, $2_crontab_t) > > - corecmd_exec_bin(crontab_t) > - corecmd_exec_shell(crontab_t) > + corecmd_exec_bin($2_crontab_t) > + corecmd_exec_shell($2_crontab_t) > > tunable_policy(`cron_userdomain_transition',` > - allow crond_t $2:process transition; > - allow crond_t $2:fd use; > - allow crond_t $2:key manage_key_perms; > - > - allow $2 user_cron_spool_t:file entrypoint; > + allow crond_t $2_t:process transition; > + allow crond_t $2_t:fd use; > + allow crond_t $2_t:key manage_key_perms; > > - allow $2 crond_t:fifo_file rw_fifo_file_perms; > + allow $2_t $2_cron_spool_t:file entrypoint; > > - allow $2 cronjob_t:process { ptrace signal_perms }; > - ps_process_pattern($2, cronjob_t) > + allow $2_t crond_t:fifo_file rw_fifo_file_perms; > ',` > - dontaudit crond_t $2:process transition; > - dontaudit crond_t $2:fd use; > - dontaudit crond_t $2:key manage_key_perms; > + dontaudit crond_t $2_t:process transition; > + dontaudit crond_t $2_t:fd use; > + dontaudit crond_t $2_t:key manage_key_perms; > > - dontaudit $2 user_cron_spool_t:file entrypoint; > + dontaudit $2_t $2_cron_spool_t:file entrypoint; > > - dontaudit $2 crond_t:fifo_file rw_fifo_file_perms; > - > - dontaudit $2 cronjob_t:process { ptrace signal_perms }; > - ') > - > - optional_policy(` > - gen_require(` > - class dbus send_msg; > - ') > - > - dbus_stub(cronjob_t) > - > - allow cronjob_t $2:dbus send_msg; > - ') > -') > - > -######################################## > -## > -## Role access for unconfined cron. > -## > -## > -## > -## Role allowed access. > -## > -## > -## > -## > -## User domain for the role. > -## > -## > -# > -interface(`cron_unconfined_role',` > - gen_require(` > - type unconfined_cronjob_t, crontab_t, crontab_exec_t; > - type crond_t, user_cron_spool_t; > - bool cron_userdomain_transition; > - ') > - > - ############################## > - # > - # Declarations > - # > - > - role $1 types { unconfined_cronjob_t crontab_t }; > - > - ############################## > - # > - # Local policy > - # > - > - domtrans_pattern($2, crontab_exec_t, crontab_t) > - > - dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; > - allow $2 crond_t:process sigchld; > - > - allow $2 user_cron_spool_t:file { getattr read write ioctl }; > - > - allow $2 crontab_t:process { ptrace signal_perms }; > - ps_process_pattern($2, crontab_t) > - > - corecmd_exec_bin(crontab_t) > - corecmd_exec_shell(crontab_t) > - > - tunable_policy(`cron_userdomain_transition',` > - allow crond_t $2:process transition; > - allow crond_t $2:fd use; > - allow crond_t $2:key manage_key_perms; > - > - allow $2 user_cron_spool_t:file entrypoint; > - > - allow $2 crond_t:fifo_file rw_fifo_file_perms; > - > - allow $2 unconfined_cronjob_t:process { ptrace signal_perms }; > - ps_process_pattern($2, unconfined_cronjob_t) > - ',` > - dontaudit crond_t $2:process transition; > - dontaudit crond_t $2:fd use; > - dontaudit crond_t $2:key manage_key_perms; > - > - dontaudit $2 user_cron_spool_t:file entrypoint; > - > - dontaudit $2 crond_t:fifo_file rw_fifo_file_perms; > - > - dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms }; > -') > - > - optional_policy(` > - gen_require(` > - class dbus send_msg; > - ') > - > - dbus_stub(unconfined_cronjob_t) > - > - allow unconfined_cronjob_t $2:dbus send_msg; > + dontaudit $2_t crond_t:fifo_file rw_fifo_file_perms; > ') > ') > > @@ -910,3 +824,21 @@ interface(`cron_manage_system_spool',` > files_search_spool($1) > manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t) > ') > + > +######################################## > +## > +## Access temporary files crond creates for script output > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`read_write_crond_tmp',` > + gen_require(` > + type crond_tmp_t; > + ') > + > + allow $1 crond_tmp_t:file rw_file_perms; > +') > Index: refpolicy-2.20170220/policy/modules/contrib/cron.te > =================================================================== > --- refpolicy-2.20170220.orig/policy/modules/contrib/cron.te > +++ refpolicy-2.20170220/policy/modules/contrib/cron.te > @@ -25,7 +25,7 @@ gen_tunable(cron_can_relabel, false) > ## the generic cronjob domain. > ##

> ## > -gen_tunable(cron_userdomain_transition, false) > +gen_tunable(cron_userdomain_transition, true) > > ## > ##

> @@ -86,15 +86,16 @@ mta_system_content(crond_var_run_t) > type crontab_exec_t; > application_executable_file(crontab_exec_t) > > -cron_common_crontab_template(admin_crontab) > -typealias admin_crontab_t alias sysadm_crontab_t; > -typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t; > - > -cron_common_crontab_template(crontab) > -typealias crontab_t alias { user_crontab_t staff_crontab_t }; > -typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t }; > -typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t }; > -typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t }; > +cron_common_crontab_template(sysadm) > +typealias sysadm_crontab_t alias admin_crontab_t; > +typealias sysadm_crontab_tmp_t alias admin_crontab_tmp_t; > + > +cron_common_crontab_template(user) > +cron_common_crontab_template(staff) > +cron_common_crontab_template(unconfined) These shouldn't be here. > +typealias user_crontab_t alias { crontab_t }; > +typealias sysadm_crontab_t alias { auditadm_crontab_t secadm_crontab_t }; > +typealias sysadm_crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t }; > > type system_cron_spool_t, cron_spool_type; > files_type(system_cron_spool_t) > @@ -117,12 +118,7 @@ files_type(system_cronjob_var_lib_t) > type system_cronjob_var_run_t; > files_pid_file(system_cronjob_var_run_t) > > -type user_cron_spool_t, cron_spool_type; > -typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t }; > -typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t }; > -files_type(user_cron_spool_t) > -ubac_constrained(user_cron_spool_t) > -mta_system_content(user_cron_spool_t) > +typealias sysadm_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t }; > > type user_cron_spool_log_t; > logging_log_file(user_cron_spool_log_t) > @@ -142,9 +138,6 @@ allow crontab_domain self:capability { c > allow crontab_domain self:process { getcap setsched signal_perms }; > allow crontab_domain self:fifo_file rw_fifo_file_perms; > > -manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t) > -filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file) > - > allow crontab_domain cron_spool_t:dir setattr_dir_perms; > > allow crontab_domain crond_t:process signal; > @@ -215,8 +208,8 @@ tunable_policy(`fcron_crond',` > # Daemon local policy > # > > -allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice }; > -dontaudit crond_t self:capability { sys_resource sys_tty_config }; > +allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice sys_resource }; > +dontaudit crond_t self:capability { sys_tty_config }; > allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; > allow crond_t self:process { setexec setfscreate }; > allow crond_t self:fd use; > @@ -230,6 +223,7 @@ allow crond_t self:msg { send receive }; > allow crond_t self:key { search write link }; > dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit; > > +allow crond_t cron_spool_type:file read_file_perms; > allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms }; > logging_log_filetrans(crond_t, cron_log_t, file) > > @@ -340,6 +334,22 @@ ifdef(`distro_debian',` > optional_policy(` > logwatch_search_cache_dir(crond_t) > ') > + optional_policy(` > + apt_manage_cache(system_cronjob_t) > + apt_read_db(system_cronjob_t) > + ') > +') > + > +optional_policy(` > + acct_manage_data(system_cronjob_t) > +') > + > +optional_policy(` > + ntp_admin(system_cronjob_t, system_r) > +') > + > +optional_policy(` > + apache_unlink_var_lib(system_cronjob_t) > ') > > ifdef(`distro_redhat',` > @@ -429,6 +439,7 @@ optional_policy(` > systemd_write_inherited_logind_sessions_pipes(system_cronjob_t) > # so cron jobs can restart daemons > init_stream_connect(system_cronjob_t) > + init_manage_script_service(system_cronjob_t) > ') > > optional_policy(` > @@ -440,14 +451,15 @@ optional_policy(` > # System local policy > # > > -allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_bind_service setgid setuid sys_nice }; > +allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice }; > allow system_cronjob_t self:process { signal_perms getsched setsched }; > allow system_cronjob_t self:fd use; > allow system_cronjob_t self:fifo_file rw_fifo_file_perms; > allow system_cronjob_t self:passwd rootok; > > -allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms }; > +allow system_cronjob_t cron_log_t:file manage_file_perms; > logging_log_filetrans(system_cronjob_t, cron_log_t, file) > +logging_manage_generic_logs(system_cronjob_t) > > allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms }; > files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file) > @@ -464,7 +476,7 @@ files_lock_filetrans(system_cronjob_t, s > manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) > manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) > filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) > -files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) > +files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir }) > > manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t) > > @@ -475,7 +487,8 @@ allow system_cronjob_t crond_t:process s > allow system_cronjob_t cron_spool_t:dir list_dir_perms; > allow system_cronjob_t cron_spool_t:file rw_file_perms; > > -allow system_cronjob_t crond_tmp_t:file { read write }; > +allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms; > +allow cronjob_t crond_tmp_t:file rw_inherited_file_perms; > > kernel_read_kernel_sysctls(system_cronjob_t) > kernel_read_network_state(system_cronjob_t) > @@ -567,6 +580,10 @@ optional_policy(` > ') > > optional_policy(` > + read_mrtg_etc(system_cronjob_t) > +') > + > +optional_policy(` > cyrus_manage_data(system_cronjob_t) > ') > > @@ -719,27 +736,3 @@ optional_policy(` > nis_use_ypbind(cronjob_t) > ') > > -######################################## > -# > -# Unconfined local policy > -# > - > -type unconfined_cronjob_t; > -domain_type(unconfined_cronjob_t) > -domain_cron_exemption_target(unconfined_cronjob_t) > - > -dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh }; > - > -tunable_policy(`cron_userdomain_transition',` > - dontaudit crond_t unconfined_cronjob_t:process transition; > - dontaudit crond_t unconfined_cronjob_t:fd use; > - dontaudit crond_t unconfined_cronjob_t:key manage_key_perms; > -',` > - allow crond_t unconfined_cronjob_t:process transition; > - allow crond_t unconfined_cronjob_t:fd use; > - allow crond_t unconfined_cronjob_t:key manage_key_perms; > -') > - > -optional_policy(` > - unconfined_domain(unconfined_cronjob_t) > -') -- Chris PeBenito