From: russell@coker.com.au (Russell Coker)
Date: Wed, 19 Apr 2017 20:22:35 +1000
Subject: [refpolicy] [PATCH] user_crontab_t etc
Message-ID: <20170419102235.2e5egmcyvz4binkz@athena.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Firstly this patch applies to today's Git tree and is not dependent on the
login patch which is still being debated.

This patch uses user_crontab_t, sysadm_crontab_t etc domains, as we used to do
but which was removed some time in the past.

Chris, are you willing to consider restoring this functionality?  If not what
do you think would be the best way of catering for different needs in this
regard?  Should I try to make a patch with ifdef role_crontab_domain or
something?

Index: refpolicy-2.20170417/policy/modules/contrib/cron.if
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/cron.if
+++ refpolicy-2.20170417/policy/modules/contrib/cron.if
@@ -13,7 +13,7 @@
 template(`cron_common_crontab_template',`
 	gen_require(`
 		attribute crontab_domain;
-		type crontab_exec_t;
+		type crontab_exec_t, crond_t;
 	')
 
 	##############################
@@ -21,23 +21,33 @@ template(`cron_common_crontab_template',
 	# Declarations
 	#
 
-	type $1_t, crontab_domain;
-	userdom_user_application_domain($1_t, crontab_exec_t)
+	type $1_crontab_t, crontab_domain;
+	userdom_user_application_domain($1_crontab_t, crontab_exec_t)
 
-	type $1_tmp_t;
-	userdom_user_tmp_file($1_tmp_t)
+	type $1_crontab_tmp_t;
+	userdom_user_tmp_file($1_crontab_tmp_t)
+
+	type $1_cron_spool_t, cron_spool_type;
 
 	##############################
 	#
 	# Local policy
 	#
 
-	manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
-	manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
-	files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
+	manage_dirs_pattern($1_crontab_t, $1_crontab_tmp_t, $1_crontab_tmp_t)
+	manage_files_pattern($1_crontab_t, $1_crontab_tmp_t, $1_crontab_tmp_t)
+	files_tmp_filetrans($1_crontab_t, $1_crontab_tmp_t, { dir file })
+
+	auth_domtrans_chk_passwd($1_crontab_t)
+	auth_use_nsswitch($1_crontab_t)
+	allow $1_crontab_t self:capability fsetid;
+
+	files_type($1_cron_spool_t)
+	ubac_constrained($1_cron_spool_t)
+	mta_system_content($1_cron_spool_t)
 
-	auth_domtrans_chk_passwd($1_t)
-	auth_use_nsswitch($1_t)
+	manage_files_pattern($1_crontab_t, { cron_spool_t user_cron_spool_t }, $1_cron_spool_t)
+	filetrans_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t, file)
 ')
 
 ########################################
@@ -51,15 +61,15 @@ template(`cron_common_crontab_template',
 ## </param>
 ## <param name="domain">
 ##	<summary>
-##	User domain for the role.
+##	stem of domain for the role.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`cron_role',`
 	gen_require(`
-		type cronjob_t, crontab_t, crontab_exec_t;
-		type user_cron_spool_t, crond_t;
+		type $2_crontab_t, crontab_exec_t;
+		type $2_cron_spool_t, crond_t;
 		bool cron_userdomain_transition;
 	')
 
@@ -68,138 +78,42 @@ interface(`cron_role',`
 	# Declarations
 	#
 
-	role $1 types { cronjob_t crontab_t };
+	role $1 types { $2_crontab_t };
 
 	##############################
 	#
 	# Local policy
 	#
 
-	domtrans_pattern($2, crontab_exec_t, crontab_t)
+	domtrans_pattern($2_t, crontab_exec_t, $2_crontab_t)
 
-	dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
-	allow $2 crond_t:process sigchld;
+	dontaudit crond_t $2_t:process { noatsecure siginh rlimitinh };
+	allow $2_t crond_t:process sigchld;
 
-	allow $2 user_cron_spool_t:file { getattr read write ioctl };
+	allow $2_t $2_cron_spool_t:file { getattr read write ioctl };
 
-	allow $2 crontab_t:process { ptrace signal_perms };
-	ps_process_pattern($2, crontab_t)
+	allow $2_t $2_crontab_t:process { ptrace signal_perms };
+	ps_process_pattern($2_t, $2_crontab_t)
 
-	corecmd_exec_bin(crontab_t)
-	corecmd_exec_shell(crontab_t)
+	corecmd_exec_bin($2_crontab_t)
+	corecmd_exec_shell($2_crontab_t)
 
 	tunable_policy(`cron_userdomain_transition',`
-		allow crond_t $2:process transition;
-		allow crond_t $2:fd use;
-		allow crond_t $2:key manage_key_perms;
-
-		allow $2 user_cron_spool_t:file entrypoint;
+		allow crond_t $2_t:process transition;
+		allow crond_t $2_t:fd use;
+		allow crond_t $2_t:key manage_key_perms;
 
-		allow $2 crond_t:fifo_file rw_fifo_file_perms;
+		allow $2_t $2_cron_spool_t:file entrypoint;
 
-		allow $2 cronjob_t:process { ptrace signal_perms };
-		ps_process_pattern($2, cronjob_t)
+		allow $2_t crond_t:fifo_file rw_fifo_file_perms;
 	',`
-		dontaudit crond_t $2:process transition;
-		dontaudit crond_t $2:fd use;
-		dontaudit crond_t $2:key manage_key_perms;
-
-		dontaudit $2 user_cron_spool_t:file entrypoint;
-
-		dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
-
-		dontaudit $2 cronjob_t:process { ptrace signal_perms };
-	')
-
-	optional_policy(`
-		gen_require(`
-			class dbus send_msg;
-		')
-
-		dbus_stub(cronjob_t)
-
-		allow cronjob_t $2:dbus send_msg;
-	')
-')
-
-########################################
-## <summary>
-##	Role access for unconfined cron.
-## </summary>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	User domain for the role.
-##	</summary>
-## </param>
-#
-interface(`cron_unconfined_role',`
-	gen_require(`
-		type unconfined_cronjob_t, crontab_t, crontab_exec_t;
-		type crond_t, user_cron_spool_t;
-		bool cron_userdomain_transition;
-	')
-
-	##############################
-	#
-	# Declarations
-	#
-
-	role $1 types { unconfined_cronjob_t crontab_t };
-
-	##############################
-	#
-	# Local policy
-	#
-
-	domtrans_pattern($2, crontab_exec_t, crontab_t)
-
-	dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
-	allow $2 crond_t:process sigchld;
-
-	allow $2 user_cron_spool_t:file { getattr read write ioctl };
-
-	allow $2 crontab_t:process { ptrace signal_perms };
-	ps_process_pattern($2, crontab_t)
-
-	corecmd_exec_bin(crontab_t)
-	corecmd_exec_shell(crontab_t)
-
-	tunable_policy(`cron_userdomain_transition',`
-		allow crond_t $2:process transition;
-		allow crond_t $2:fd use;
-		allow crond_t $2:key manage_key_perms;
-
-		allow $2 user_cron_spool_t:file entrypoint;
-
-		allow $2 crond_t:fifo_file rw_fifo_file_perms;
-
-		allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
-		ps_process_pattern($2, unconfined_cronjob_t)
-	',`
-		dontaudit crond_t $2:process transition;
-		dontaudit crond_t $2:fd use;
-		dontaudit crond_t $2:key manage_key_perms;
-
-		dontaudit $2 user_cron_spool_t:file entrypoint;
-
-		dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
-
-		dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms };
-')
-
-	optional_policy(`
-		gen_require(`
-			class dbus send_msg;
-		')
+		dontaudit crond_t $2_t:process transition;
+		dontaudit crond_t $2_t:fd use;
+		dontaudit crond_t $2_t:key manage_key_perms;
 
-		dbus_stub(unconfined_cronjob_t)
+		dontaudit $2_t $2_cron_spool_t:file entrypoint;
 
-		allow unconfined_cronjob_t $2:dbus send_msg;
+		dontaudit $2_t crond_t:fifo_file rw_fifo_file_perms;
 	')
 ')
 
Index: refpolicy-2.20170417/policy/modules/contrib/cron.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/cron.te
+++ refpolicy-2.20170417/policy/modules/contrib/cron.te
@@ -25,7 +25,7 @@ gen_tunable(cron_can_relabel, false)
 ##	the generic cronjob domain.
 ##	</p>
 ## </desc>
-gen_tunable(cron_userdomain_transition, false)
+gen_tunable(cron_userdomain_transition, true)
 
 ## <desc>
 ##	<p>
@@ -86,15 +86,16 @@ mta_system_content(crond_var_run_t)
 type crontab_exec_t;
 application_executable_file(crontab_exec_t)
 
-cron_common_crontab_template(admin_crontab)
-typealias admin_crontab_t alias sysadm_crontab_t;
-typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t;
-
-cron_common_crontab_template(crontab)
-typealias crontab_t alias { user_crontab_t staff_crontab_t };
-typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
-typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
-typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
+cron_common_crontab_template(sysadm)
+typealias sysadm_crontab_t alias admin_crontab_t;
+typealias sysadm_crontab_tmp_t alias admin_crontab_tmp_t;
+
+cron_common_crontab_template(user)
+cron_common_crontab_template(staff)
+cron_common_crontab_template(unconfined)
+typealias user_crontab_t alias { crontab_t };
+typealias sysadm_crontab_t alias { auditadm_crontab_t secadm_crontab_t };
+typealias sysadm_crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
 
 type system_cron_spool_t, cron_spool_type;
 files_type(system_cron_spool_t)
@@ -117,12 +118,7 @@ files_type(system_cronjob_var_lib_t)
 type system_cronjob_var_run_t;
 files_pid_file(system_cronjob_var_run_t)
 
-type user_cron_spool_t, cron_spool_type;
-typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
-typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
-files_type(user_cron_spool_t)
-ubac_constrained(user_cron_spool_t)
-mta_system_content(user_cron_spool_t)
+typealias sysadm_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
 
 type user_cron_spool_log_t;
 logging_log_file(user_cron_spool_log_t)
@@ -142,9 +138,6 @@ allow crontab_domain self:capability { c
 allow crontab_domain self:process { getcap setsched signal_perms };
 allow crontab_domain self:fifo_file rw_fifo_file_perms;
 
-manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
-filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
-
 allow crontab_domain cron_spool_t:dir setattr_dir_perms;
 
 allow crontab_domain crond_t:process signal;
@@ -215,8 +208,8 @@ tunable_policy(`fcron_crond',`
 # Daemon local policy
 #
 
-allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice };
-dontaudit crond_t self:capability { sys_resource sys_tty_config };
+allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice sys_resource };
+dontaudit crond_t self:capability { sys_tty_config };
 allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
 allow crond_t self:process { setexec setfscreate };
 allow crond_t self:fd use;
@@ -230,6 +223,7 @@ allow crond_t self:msg { send receive };
 allow crond_t self:key { search write link };
 dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
 
+allow crond_t cron_spool_type:file read_file_perms;
 allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
 logging_log_filetrans(crond_t, cron_log_t, file)
 
@@ -340,6 +334,23 @@ ifdef(`distro_debian',`
 	optional_policy(`
 		logwatch_search_cache_dir(crond_t)
 	')
+	optional_policy(`
+		apt_manage_cache(system_cronjob_t)
+		apt_read_db(system_cronjob_t)
+		dpkg_manage_db(system_cronjob_t)
+	')
+')
+
+optional_policy(`
+	acct_manage_data(system_cronjob_t)
+')
+
+optional_policy(`
+	ntp_admin(system_cronjob_t, system_r)
+')
+
+optional_policy(`
+	apache_delete_lib_files(system_cronjob_t)
 ')
 
 ifdef(`distro_redhat',`
@@ -429,6 +440,7 @@ optional_policy(`
 	systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
 	# so cron jobs can restart daemons
 	init_stream_connect(system_cronjob_t)
+	init_manage_script_service(system_cronjob_t)
 ')
 
 optional_policy(`
@@ -440,14 +452,15 @@ optional_policy(`
 # System local policy
 #
 
-allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_bind_service setgid setuid sys_nice };
+allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice };
 allow system_cronjob_t self:process { signal_perms getsched setsched };
 allow system_cronjob_t self:fd use;
 allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
 allow system_cronjob_t self:passwd rootok;
 
-allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+allow system_cronjob_t cron_log_t:file manage_file_perms;
 logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+logging_manage_generic_logs(system_cronjob_t)
 
 allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
 files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
@@ -464,7 +477,8 @@ files_lock_filetrans(system_cronjob_t, s
 manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
 manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
 filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
-files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
+files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir })
+allow system_cronjob_t system_cronjob_tmp_t:dir manage_dir_perms;
 
 manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
 
@@ -475,7 +489,8 @@ allow system_cronjob_t crond_t:process s
 allow system_cronjob_t cron_spool_t:dir list_dir_perms;
 allow system_cronjob_t cron_spool_t:file rw_file_perms;
 
-allow system_cronjob_t crond_tmp_t:file { read write };
+allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms;
+allow cronjob_t crond_tmp_t:file rw_inherited_file_perms;
 
 kernel_read_kernel_sysctls(system_cronjob_t)
 kernel_read_network_state(system_cronjob_t)
@@ -567,6 +582,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	read_mrtg_etc(system_cronjob_t)
+')
+
+optional_policy(`
 	cyrus_manage_data(system_cronjob_t)
 ')
 
@@ -719,27 +738,3 @@ optional_policy(`
 	nis_use_ypbind(cronjob_t)
 ')
 
-########################################
-#
-# Unconfined local policy
-#
-
-type unconfined_cronjob_t;
-domain_type(unconfined_cronjob_t)
-domain_cron_exemption_target(unconfined_cronjob_t)
-
-dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
-
-tunable_policy(`cron_userdomain_transition',`
-	dontaudit crond_t unconfined_cronjob_t:process transition;
-	dontaudit crond_t unconfined_cronjob_t:fd use;
-	dontaudit crond_t unconfined_cronjob_t:key manage_key_perms;
-',`
-	allow crond_t unconfined_cronjob_t:process transition;
-	allow crond_t unconfined_cronjob_t:fd use;
-	allow crond_t unconfined_cronjob_t:key manage_key_perms;
-')
-
-optional_policy(`
-	unconfined_domain(unconfined_cronjob_t)
-')
Index: refpolicy-2.20170417/policy/modules/contrib/apt.if
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/apt.if
+++ refpolicy-2.20170417/policy/modules/contrib/apt.if
@@ -164,6 +164,26 @@ interface(`apt_use_ptys',`
 ##	</summary>
 ## </param>
 #
+interface(`apt_manage_cache',`
+	gen_require(`
+		type apt_var_cache_t;
+	')
+
+	files_search_var($1)
+	allow $1 apt_var_cache_t:dir manage_dir_perms;
+	allow $1 apt_var_cache_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Read apt package cache content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
 interface(`apt_read_cache',`
 	gen_require(`
 		type apt_var_cache_t;
Index: refpolicy-2.20170417/policy/modules/contrib/mrtg.if
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/mrtg.if
+++ refpolicy-2.20170417/policy/modules/contrib/mrtg.if
@@ -2,6 +2,24 @@
 
 ########################################
 ## <summary>
+##	Read mrtg configuration
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`read_mrtg_etc',`
+	gen_require(`
+		type mrtg_etc_t;
+	')
+
+	allow $1 mrtg_etc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
 ##	Create and append mrtg log files.
 ## </summary>
 ## <param name="domain">
Index: refpolicy-2.20170417/policy/modules/roles/staff.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/roles/staff.te
+++ refpolicy-2.20170417/policy/modules/roles/staff.te
@@ -81,7 +81,7 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		cron_role(staff_r, staff_t)
+		cron_role(staff_r, staff)
 	')
 
 	optional_policy(`
Index: refpolicy-2.20170417/policy/modules/roles/unprivuser.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/roles/unprivuser.te
+++ refpolicy-2.20170417/policy/modules/roles/unprivuser.te
@@ -50,7 +50,7 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		cron_role(user_r, user_t)
+		cron_role(user_r, user)
 	')
 
 	optional_policy(`
Index: refpolicy-2.20170417/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/system/unconfined.te
+++ refpolicy-2.20170417/policy/modules/system/unconfined.te
@@ -76,7 +76,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	cron_unconfined_role(unconfined_r, unconfined_t)
+	cron_role(unconfined_r, unconfined)
 ')
 
 optional_policy(`