From: pebenito@ieee.org (Chris PeBenito)
Date: Thu, 23 Feb 2017 21:07:12 -0500
Subject: [refpolicy] [PATCH] first draft of cron patch
In-Reply-To: <20170220091944.5s4blmij3alyjiqz@athena.coker.com.au>
References: <20170220091944.5s4blmij3alyjiqz@athena.coker.com.au>
Message-ID: <a2e38dcb-18e2-e630-d0e6-497457406f1d@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/20/17 04:19, Russell Coker via refpolicy wrote:
> This is the cron patch from Debian/Stretch forward ported to the latest git
> version of policy.
>
> I don't expect it to be accepted just yet so I didn't test building it without
> all the other systemd patches installed and it may be missing dependencies.

I don't follow why the interfaces and templates are being revised this 
way.  I'm also not clear why some of the file types need to be derived 
types, whereas cronjob_t is still fine.


> Please check it out and give me any suggestions.  I'll send another patch for
> merging later.
>
> Index: refpolicy-2.20170220/policy/modules/contrib/cron.if
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/contrib/cron.if
> +++ refpolicy-2.20170220/policy/modules/contrib/cron.if
> @@ -13,7 +13,7 @@
>  template(`cron_common_crontab_template',`
>  	gen_require(`
>  		attribute crontab_domain;
> -		type crontab_exec_t;
> +		type crontab_exec_t, crond_t;
>  	')
>
>  	##############################
> @@ -21,23 +21,33 @@ template(`cron_common_crontab_template',
>  	# Declarations
>  	#
>
> -	type $1_t, crontab_domain;
> -	userdom_user_application_domain($1_t, crontab_exec_t)
> +	type $1_crontab_t, crontab_domain;
> +	userdom_user_application_domain($1_crontab_t, crontab_exec_t)
>
> -	type $1_tmp_t;
> -	userdom_user_tmp_file($1_tmp_t)
> +	type $1_crontab_tmp_t;
> +	userdom_user_tmp_file($1_crontab_tmp_t)
> +
> +	type $1_cron_spool_t, cron_spool_type;
>
>  	##############################
>  	#
>  	# Local policy
>  	#
>
> -	manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
> -	manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
> -	files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
> +	manage_dirs_pattern($1_crontab_t, $1_crontab_tmp_t, $1_crontab_tmp_t)
> +	manage_files_pattern($1_crontab_t, $1_crontab_tmp_t, $1_crontab_tmp_t)
> +	files_tmp_filetrans($1_crontab_t, $1_crontab_tmp_t, { dir file })
> +
> +	auth_domtrans_chk_passwd($1_crontab_t)
> +	auth_use_nsswitch($1_crontab_t)
> +	allow $1_crontab_t self:capability fsetid;
> +
> +	files_type($1_cron_spool_t)
> +	ubac_constrained($1_cron_spool_t)
> +	mta_system_content($1_cron_spool_t)
>
> -	auth_domtrans_chk_passwd($1_t)
> -	auth_use_nsswitch($1_t)
> +	manage_files_pattern($1_crontab_t, { cron_spool_t user_cron_spool_t }, $1_cron_spool_t)
> +	filetrans_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t, file)
>  ')
>
>  ########################################
> @@ -51,15 +61,15 @@ template(`cron_common_crontab_template',
>  ## </param>
>  ## <param name="domain">
>  ##	<summary>
> -##	User domain for the role.
> +##	stem of domain for the role.
>  ##	</summary>
>  ## </param>
>  ## <rolecap/>
>  #
>  interface(`cron_role',`
>  	gen_require(`
> -		type cronjob_t, crontab_t, crontab_exec_t;
> -		type user_cron_spool_t, crond_t;
> +		type $2_crontab_t, crontab_exec_t;
> +		type $2_cron_spool_t, crond_t;
>  		bool cron_userdomain_transition;
>  	')
>
> @@ -68,138 +78,42 @@ interface(`cron_role',`
>  	# Declarations
>  	#
>
> -	role $1 types { cronjob_t crontab_t };
> +	role $1 types { $2_crontab_t };
>
>  	##############################
>  	#
>  	# Local policy
>  	#
>
> -	domtrans_pattern($2, crontab_exec_t, crontab_t)
> +	domtrans_pattern($2_t, crontab_exec_t, $2_crontab_t)
>
> -	dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
> -	allow $2 crond_t:process sigchld;
> +	dontaudit crond_t $2_t:process { noatsecure siginh rlimitinh };
> +	allow $2_t crond_t:process sigchld;
>
> -	allow $2 user_cron_spool_t:file { getattr read write ioctl };
> +	allow $2_t $2_cron_spool_t:file { getattr read write ioctl };
>
> -	allow $2 crontab_t:process { ptrace signal_perms };
> -	ps_process_pattern($2, crontab_t)
> +	allow $2_t $2_crontab_t:process { ptrace signal_perms };
> +	ps_process_pattern($2_t, $2_crontab_t)
>
> -	corecmd_exec_bin(crontab_t)
> -	corecmd_exec_shell(crontab_t)
> +	corecmd_exec_bin($2_crontab_t)
> +	corecmd_exec_shell($2_crontab_t)
>
>  	tunable_policy(`cron_userdomain_transition',`
> -		allow crond_t $2:process transition;
> -		allow crond_t $2:fd use;
> -		allow crond_t $2:key manage_key_perms;
> -
> -		allow $2 user_cron_spool_t:file entrypoint;
> +		allow crond_t $2_t:process transition;
> +		allow crond_t $2_t:fd use;
> +		allow crond_t $2_t:key manage_key_perms;
>
> -		allow $2 crond_t:fifo_file rw_fifo_file_perms;
> +		allow $2_t $2_cron_spool_t:file entrypoint;
>
> -		allow $2 cronjob_t:process { ptrace signal_perms };
> -		ps_process_pattern($2, cronjob_t)
> +		allow $2_t crond_t:fifo_file rw_fifo_file_perms;
>  	',`
> -		dontaudit crond_t $2:process transition;
> -		dontaudit crond_t $2:fd use;
> -		dontaudit crond_t $2:key manage_key_perms;
> +		dontaudit crond_t $2_t:process transition;
> +		dontaudit crond_t $2_t:fd use;
> +		dontaudit crond_t $2_t:key manage_key_perms;
>
> -		dontaudit $2 user_cron_spool_t:file entrypoint;
> +		dontaudit $2_t $2_cron_spool_t:file entrypoint;
>
> -		dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
> -
> -		dontaudit $2 cronjob_t:process { ptrace signal_perms };
> -	')
> -
> -	optional_policy(`
> -		gen_require(`
> -			class dbus send_msg;
> -		')
> -
> -		dbus_stub(cronjob_t)
> -
> -		allow cronjob_t $2:dbus send_msg;
> -	')
> -')
> -
> -########################################
> -## <summary>
> -##	Role access for unconfined cron.
> -## </summary>
> -## <param name="role">
> -##	<summary>
> -##	Role allowed access.
> -##	</summary>
> -## </param>
> -## <param name="domain">
> -##	<summary>
> -##	User domain for the role.
> -##	</summary>
> -## </param>
> -#
> -interface(`cron_unconfined_role',`
> -	gen_require(`
> -		type unconfined_cronjob_t, crontab_t, crontab_exec_t;
> -		type crond_t, user_cron_spool_t;
> -		bool cron_userdomain_transition;
> -	')
> -
> -	##############################
> -	#
> -	# Declarations
> -	#
> -
> -	role $1 types { unconfined_cronjob_t crontab_t };
> -
> -	##############################
> -	#
> -	# Local policy
> -	#
> -
> -	domtrans_pattern($2, crontab_exec_t, crontab_t)
> -
> -	dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
> -	allow $2 crond_t:process sigchld;
> -
> -	allow $2 user_cron_spool_t:file { getattr read write ioctl };
> -
> -	allow $2 crontab_t:process { ptrace signal_perms };
> -	ps_process_pattern($2, crontab_t)
> -
> -	corecmd_exec_bin(crontab_t)
> -	corecmd_exec_shell(crontab_t)
> -
> -	tunable_policy(`cron_userdomain_transition',`
> -		allow crond_t $2:process transition;
> -		allow crond_t $2:fd use;
> -		allow crond_t $2:key manage_key_perms;
> -
> -		allow $2 user_cron_spool_t:file entrypoint;
> -
> -		allow $2 crond_t:fifo_file rw_fifo_file_perms;
> -
> -		allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
> -		ps_process_pattern($2, unconfined_cronjob_t)
> -	',`
> -		dontaudit crond_t $2:process transition;
> -		dontaudit crond_t $2:fd use;
> -		dontaudit crond_t $2:key manage_key_perms;
> -
> -		dontaudit $2 user_cron_spool_t:file entrypoint;
> -
> -		dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
> -
> -		dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms };
> -')
> -
> -	optional_policy(`
> -		gen_require(`
> -			class dbus send_msg;
> -		')
> -
> -		dbus_stub(unconfined_cronjob_t)
> -
> -		allow unconfined_cronjob_t $2:dbus send_msg;
> +		dontaudit $2_t crond_t:fifo_file rw_fifo_file_perms;
>  	')
>  ')
>
> @@ -910,3 +824,21 @@ interface(`cron_manage_system_spool',`
>  	files_search_spool($1)
>  	manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
>  ')
> +
> +########################################
> +## <summary>
> +##      Access temporary files crond creates for script output
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`read_write_crond_tmp',`
> +	gen_require(`
> +		type crond_tmp_t;
> +	')
> +
> +	allow $1 crond_tmp_t:file rw_file_perms;
> +')
> Index: refpolicy-2.20170220/policy/modules/contrib/cron.te
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/contrib/cron.te
> +++ refpolicy-2.20170220/policy/modules/contrib/cron.te
> @@ -25,7 +25,7 @@ gen_tunable(cron_can_relabel, false)
>  ##	the generic cronjob domain.
>  ##	</p>
>  ## </desc>
> -gen_tunable(cron_userdomain_transition, false)
> +gen_tunable(cron_userdomain_transition, true)
>
>  ## <desc>
>  ##	<p>
> @@ -86,15 +86,16 @@ mta_system_content(crond_var_run_t)
>  type crontab_exec_t;
>  application_executable_file(crontab_exec_t)
>
> -cron_common_crontab_template(admin_crontab)
> -typealias admin_crontab_t alias sysadm_crontab_t;
> -typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t;
> -
> -cron_common_crontab_template(crontab)
> -typealias crontab_t alias { user_crontab_t staff_crontab_t };
> -typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
> -typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
> -typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
> +cron_common_crontab_template(sysadm)
> +typealias sysadm_crontab_t alias admin_crontab_t;
> +typealias sysadm_crontab_tmp_t alias admin_crontab_tmp_t;
> +
> +cron_common_crontab_template(user)
> +cron_common_crontab_template(staff)
> +cron_common_crontab_template(unconfined)

These shouldn't be here.


> +typealias user_crontab_t alias { crontab_t };
> +typealias sysadm_crontab_t alias { auditadm_crontab_t secadm_crontab_t };
> +typealias sysadm_crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
>
>  type system_cron_spool_t, cron_spool_type;
>  files_type(system_cron_spool_t)
> @@ -117,12 +118,7 @@ files_type(system_cronjob_var_lib_t)
>  type system_cronjob_var_run_t;
>  files_pid_file(system_cronjob_var_run_t)
>
> -type user_cron_spool_t, cron_spool_type;
> -typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
> -typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
> -files_type(user_cron_spool_t)
> -ubac_constrained(user_cron_spool_t)
> -mta_system_content(user_cron_spool_t)
> +typealias sysadm_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
>
>  type user_cron_spool_log_t;
>  logging_log_file(user_cron_spool_log_t)
> @@ -142,9 +138,6 @@ allow crontab_domain self:capability { c
>  allow crontab_domain self:process { getcap setsched signal_perms };
>  allow crontab_domain self:fifo_file rw_fifo_file_perms;
>
> -manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
> -filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
> -
>  allow crontab_domain cron_spool_t:dir setattr_dir_perms;
>
>  allow crontab_domain crond_t:process signal;
> @@ -215,8 +208,8 @@ tunable_policy(`fcron_crond',`
>  # Daemon local policy
>  #
>
> -allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice };
> -dontaudit crond_t self:capability { sys_resource sys_tty_config };
> +allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice sys_resource };
> +dontaudit crond_t self:capability { sys_tty_config };
>  allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
>  allow crond_t self:process { setexec setfscreate };
>  allow crond_t self:fd use;
> @@ -230,6 +223,7 @@ allow crond_t self:msg { send receive };
>  allow crond_t self:key { search write link };
>  dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
>
> +allow crond_t cron_spool_type:file read_file_perms;
>  allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
>  logging_log_filetrans(crond_t, cron_log_t, file)
>
> @@ -340,6 +334,22 @@ ifdef(`distro_debian',`
>  	optional_policy(`
>  		logwatch_search_cache_dir(crond_t)
>  	')
> +	optional_policy(`
> +		apt_manage_cache(system_cronjob_t)
> +		apt_read_db(system_cronjob_t)
> +	')
> +')
> +
> +optional_policy(`
> +	acct_manage_data(system_cronjob_t)
> +')
> +
> +optional_policy(`
> +	ntp_admin(system_cronjob_t, system_r)
> +')
> +
> +optional_policy(`
> +	apache_unlink_var_lib(system_cronjob_t)
>  ')
>
>  ifdef(`distro_redhat',`
> @@ -429,6 +439,7 @@ optional_policy(`
>  	systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
>  	# so cron jobs can restart daemons
>  	init_stream_connect(system_cronjob_t)
> +	init_manage_script_service(system_cronjob_t)
>  ')
>
>  optional_policy(`
> @@ -440,14 +451,15 @@ optional_policy(`
>  # System local policy
>  #
>
> -allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_bind_service setgid setuid sys_nice };
> +allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice };
>  allow system_cronjob_t self:process { signal_perms getsched setsched };
>  allow system_cronjob_t self:fd use;
>  allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
>  allow system_cronjob_t self:passwd rootok;
>
> -allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
> +allow system_cronjob_t cron_log_t:file manage_file_perms;
>  logging_log_filetrans(system_cronjob_t, cron_log_t, file)
> +logging_manage_generic_logs(system_cronjob_t)
>
>  allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
>  files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
> @@ -464,7 +476,7 @@ files_lock_filetrans(system_cronjob_t, s
>  manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
>  manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
>  filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
> -files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
> +files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir })
>
>  manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
>
> @@ -475,7 +487,8 @@ allow system_cronjob_t crond_t:process s
>  allow system_cronjob_t cron_spool_t:dir list_dir_perms;
>  allow system_cronjob_t cron_spool_t:file rw_file_perms;
>
> -allow system_cronjob_t crond_tmp_t:file { read write };
> +allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms;
> +allow cronjob_t crond_tmp_t:file rw_inherited_file_perms;
>
>  kernel_read_kernel_sysctls(system_cronjob_t)
>  kernel_read_network_state(system_cronjob_t)
> @@ -567,6 +580,10 @@ optional_policy(`
>  ')
>
>  optional_policy(`
> +	read_mrtg_etc(system_cronjob_t)
> +')
> +
> +optional_policy(`
>  	cyrus_manage_data(system_cronjob_t)
>  ')
>
> @@ -719,27 +736,3 @@ optional_policy(`
>  	nis_use_ypbind(cronjob_t)
>  ')
>
> -########################################
> -#
> -# Unconfined local policy
> -#
> -
> -type unconfined_cronjob_t;
> -domain_type(unconfined_cronjob_t)
> -domain_cron_exemption_target(unconfined_cronjob_t)
> -
> -dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
> -
> -tunable_policy(`cron_userdomain_transition',`
> -	dontaudit crond_t unconfined_cronjob_t:process transition;
> -	dontaudit crond_t unconfined_cronjob_t:fd use;
> -	dontaudit crond_t unconfined_cronjob_t:key manage_key_perms;
> -',`
> -	allow crond_t unconfined_cronjob_t:process transition;
> -	allow crond_t unconfined_cronjob_t:fd use;
> -	allow crond_t unconfined_cronjob_t:key manage_key_perms;
> -')
> -
> -optional_policy(`
> -	unconfined_domain(unconfined_cronjob_t)
> -')



-- 
Chris PeBenito