From: cgzones@googlemail.com (=?UTF-8?Q?Christian_G=C3=B6ttsche?=)
Date: Wed, 19 Apr 2017 12:48:01 +0200
Subject: [refpolicy] [PATCH] user_crontab_t etc
In-Reply-To: <20170419102235.2e5egmcyvz4binkz@athena.coker.com.au>
References: <20170419102235.2e5egmcyvz4binkz@athena.coker.com.au>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
fwiw, I am using a complete rewritten version of cron, where all user cronjobs run in the user domain itself. I think it is more secure and manageable as running all user crontabs in a generic crontab_t domain or use sperate $1_cronjob_t ones. Another point I dislike about the upstream cron policy is the power of system_cronjob_t: I prefer cronjobs to transition into appropriate domains for the specific task.
https://github.com/cgzones/debian-package-refpolicy/blob/management/debian/patches/0403-cron-check-module.patch
2017-04-19 12:22 GMT+02:00 Russell Coker via refpolicy :
> Firstly this patch applies to today's Git tree and is not dependent on the
> login patch which is still being debated.
>
> This patch uses user_crontab_t, sysadm_crontab_t etc domains, as we used to do
> but which was removed some time in the past.
>
> Chris, are you willing to consider restoring this functionality? If not what
> do you think would be the best way of catering for different needs in this
> regard? Should I try to make a patch with ifdef role_crontab_domain or
> something?
>
> Index: refpolicy-2.20170417/policy/modules/contrib/cron.if
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/cron.if
> +++ refpolicy-2.20170417/policy/modules/contrib/cron.if
> @@ -13,7 +13,7 @@
> template(`cron_common_crontab_template',`
> gen_require(`
> attribute crontab_domain;
> - type crontab_exec_t;
> + type crontab_exec_t, crond_t;
> ')
>
> ##############################
> @@ -21,23 +21,33 @@ template(`cron_common_crontab_template',
> # Declarations
> #
>
> - type $1_t, crontab_domain;
> - userdom_user_application_domain($1_t, crontab_exec_t)
> + type $1_crontab_t, crontab_domain;
> + userdom_user_application_domain($1_crontab_t, crontab_exec_t)
>
> - type $1_tmp_t;
> - userdom_user_tmp_file($1_tmp_t)
> + type $1_crontab_tmp_t;
> + userdom_user_tmp_file($1_crontab_tmp_t)
> +
> + type $1_cron_spool_t, cron_spool_type;
>
> ##############################
> #
> # Local policy
> #
>
> - manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
> - manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
> - files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
> + manage_dirs_pattern($1_crontab_t, $1_crontab_tmp_t, $1_crontab_tmp_t)
> + manage_files_pattern($1_crontab_t, $1_crontab_tmp_t, $1_crontab_tmp_t)
> + files_tmp_filetrans($1_crontab_t, $1_crontab_tmp_t, { dir file })
> +
> + auth_domtrans_chk_passwd($1_crontab_t)
> + auth_use_nsswitch($1_crontab_t)
> + allow $1_crontab_t self:capability fsetid;
> +
> + files_type($1_cron_spool_t)
> + ubac_constrained($1_cron_spool_t)
> + mta_system_content($1_cron_spool_t)
>
> - auth_domtrans_chk_passwd($1_t)
> - auth_use_nsswitch($1_t)
> + manage_files_pattern($1_crontab_t, { cron_spool_t user_cron_spool_t }, $1_cron_spool_t)
> + filetrans_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t, file)
> ')
>
> ########################################
> @@ -51,15 +61,15 @@ template(`cron_common_crontab_template',
> ##
> ##
> ##
> -## User domain for the role.
> +## stem of domain for the role.
> ##
> ##
> ##
> #
> interface(`cron_role',`
> gen_require(`
> - type cronjob_t, crontab_t, crontab_exec_t;
> - type user_cron_spool_t, crond_t;
> + type $2_crontab_t, crontab_exec_t;
> + type $2_cron_spool_t, crond_t;
> bool cron_userdomain_transition;
> ')
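Review bot: The new `allow $1_crontab_t self:capability fsetid;` grants CAP_FSETID to every crontab domain this template instantiates — user_crontab_t and unconfined_crontab_t included — and nothing in the hunk says why the crontab editor must preserve set-id bits on the files it writes; refpolicy convention is a why-comment on capability grants, so add one (e.g. `# fsetid: crontab(1) rewrites the spool file under its setgid group — confirm`) or drop the rule if it was only observed for the old admin domain. The `crond_t` added to the template's `gen_require` is not referenced anywhere in the template body and should be removed from the require. The `manage_files_pattern` container list still names `user_cron_spool_t` for every stem; that is carried over from the old crontab_domain rule and only makes sense when the template is instantiated for `user`, so it is presumably worth narrowing to `cron_spool_t` plus `$1_cron_spool_t`.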
>
> @@ -68,138 +78,42 @@ interface(`cron_role',`
> # Declarations
> #
>
> - role $1 types { cronjob_t crontab_t };
> + role $1 types { $2_crontab_t };
>
> ##############################
> #
> # Local policy
> #
>
> - domtrans_pattern($2, crontab_exec_t, crontab_t)
> + domtrans_pattern($2_t, crontab_exec_t, $2_crontab_t)
>
> - dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
> - allow $2 crond_t:process sigchld;
> + dontaudit crond_t $2_t:process { noatsecure siginh rlimitinh };
> + allow $2_t crond_t:process sigchld;
>
> - allow $2 user_cron_spool_t:file { getattr read write ioctl };
> + allow $2_t $2_cron_spool_t:file { getattr read write ioctl };
>
> - allow $2 crontab_t:process { ptrace signal_perms };
> - ps_process_pattern($2, crontab_t)
> + allow $2_t $2_crontab_t:process { ptrace signal_perms };
> + ps_process_pattern($2_t, $2_crontab_t)
>
> - corecmd_exec_bin(crontab_t)
> - corecmd_exec_shell(crontab_t)
> + corecmd_exec_bin($2_crontab_t)
> + corecmd_exec_shell($2_crontab_t)
>
> tunable_policy(`cron_userdomain_transition',`
> - allow crond_t $2:process transition;
> - allow crond_t $2:fd use;
> - allow crond_t $2:key manage_key_perms;
> -
> - allow $2 user_cron_spool_t:file entrypoint;
> + allow crond_t $2_t:process transition;
> + allow crond_t $2_t:fd use;
> + allow crond_t $2_t:key manage_key_perms;
>
> - allow $2 crond_t:fifo_file rw_fifo_file_perms;
> + allow $2_t $2_cron_spool_t:file entrypoint;
>
> - allow $2 cronjob_t:process { ptrace signal_perms };
> - ps_process_pattern($2, cronjob_t)
> + allow $2_t crond_t:fifo_file rw_fifo_file_perms;
> ',`
> - dontaudit crond_t $2:process transition;
> - dontaudit crond_t $2:fd use;
> - dontaudit crond_t $2:key manage_key_perms;
> -
> - dontaudit $2 user_cron_spool_t:file entrypoint;
> -
> - dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
> -
> - dontaudit $2 cronjob_t:process { ptrace signal_perms };
> - ')
> -
> - optional_policy(`
> - gen_require(`
> - class dbus send_msg;
> - ')
> -
> - dbus_stub(cronjob_t)
> -
> - allow cronjob_t $2:dbus send_msg;
> - ')
> -')
> -
> -########################################
> -##
> -## Role access for unconfined cron.
> -##
> -##
> -##
> -## Role allowed access.
> -##
> -##
> -##
> -##
> -## User domain for the role.
> -##
> -##
> -#
> -interface(`cron_unconfined_role',`
> - gen_require(`
> - type unconfined_cronjob_t, crontab_t, crontab_exec_t;
> - type crond_t, user_cron_spool_t;
> - bool cron_userdomain_transition;
> - ')
> -
> - ##############################
> - #
> - # Declarations
> - #
> -
> - role $1 types { unconfined_cronjob_t crontab_t };
> -
> - ##############################
> - #
> - # Local policy
> - #
> -
> - domtrans_pattern($2, crontab_exec_t, crontab_t)
> -
> - dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
> - allow $2 crond_t:process sigchld;
> -
> - allow $2 user_cron_spool_t:file { getattr read write ioctl };
> -
> - allow $2 crontab_t:process { ptrace signal_perms };
> - ps_process_pattern($2, crontab_t)
> -
> - corecmd_exec_bin(crontab_t)
> - corecmd_exec_shell(crontab_t)
> -
> - tunable_policy(`cron_userdomain_transition',`
> - allow crond_t $2:process transition;
> - allow crond_t $2:fd use;
> - allow crond_t $2:key manage_key_perms;
> -
> - allow $2 user_cron_spool_t:file entrypoint;
> -
> - allow $2 crond_t:fifo_file rw_fifo_file_perms;
> -
> - allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
> - ps_process_pattern($2, unconfined_cronjob_t)
> - ',`
> - dontaudit crond_t $2:process transition;
> - dontaudit crond_t $2:fd use;
> - dontaudit crond_t $2:key manage_key_perms;
> -
> - dontaudit $2 user_cron_spool_t:file entrypoint;
> -
> - dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
> -
> - dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms };
> -')
> -
> - optional_policy(`
> - gen_require(`
> - class dbus send_msg;
> - ')
> + dontaudit crond_t $2_t:process transition;
> + dontaudit crond_t $2_t:fd use;
> + dontaudit crond_t $2_t:key manage_key_perms;
>
> - dbus_stub(unconfined_cronjob_t)
> + dontaudit $2_t $2_cron_spool_t:file entrypoint;
>
> - allow unconfined_cronjob_t $2:dbus send_msg;
> + dontaudit $2_t crond_t:fifo_file rw_fifo_file_perms;
> ')
> ')
>
> Index: refpolicy-2.20170417/policy/modules/contrib/cron.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/cron.te
> +++ refpolicy-2.20170417/policy/modules/contrib/cron.te
> @@ -25,7 +25,7 @@ gen_tunable(cron_can_relabel, false)
> ## the generic cronjob domain.
> ##
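Review bot: `role $1 types { $2_crontab_t };` removes cronjob_t from the role while the `else` branch of the cron_userdomain_transition tunable is reduced to dontaudit rules, so with the tunable off there is no longer any domain in the role for crond_t to run that user's jobs in — unless cronjob_t is associated with the role somewhere this hunk does not show; either keep `role $1 types { cronjob_t $2_crontab_t };` or state in the interface doc that the off state is unsupported for these roles. Changing the second parameter from a domain to a stem, together with deleting cron_unconfined_role, is an interface break for any out-of-tree module still calling `cron_role(foo_r, foo_t)` (its gen_require would then ask for a nonexistent `foo_t_crontab_t`), so the parameter description should say what a valid stem is, e.g. `## Stem of the user domain (e.g. staff); cron_common_crontab_template(stem) must have been instantiated for it.`. The `dbus send_msg` rule from cronjob_t to the user domain is dropped without replacement; jobs now running in `$2_t` presumably inherit that domain's own dbus policy, which is outside this diff, so it is worth confirming before the rule goes.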

> ##
> -gen_tunable(cron_userdomain_transition, false)
> +gen_tunable(cron_userdomain_transition, true)
>
> ##
> ##
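Review bot: Flipping the default of cron_userdomain_transition to `true` is a behaviour change for every shipped policy — user cron jobs now run with the full privileges of the user's login domain rather than in the confined generic cronjob domain — yet neither the description at the top of the mail nor the tunable's own description text mentions that the default moved. State it in the commit description and extend the tunable text, e.g. `## Enabled by default; disable to confine user jobs to the generic cronjob domain.`, so distributors who relied on the conservative default notice it. Given the description already floats an `ifdef` for per-site choice, that may be the better place to carry a default change than the shared tunable.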

> @@ -86,15 +86,16 @@ mta_system_content(crond_var_run_t)
> type crontab_exec_t;
> application_executable_file(crontab_exec_t)
>
> -cron_common_crontab_template(admin_crontab)
> -typealias admin_crontab_t alias sysadm_crontab_t;
> -typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t;
> -
> -cron_common_crontab_template(crontab)
> -typealias crontab_t alias { user_crontab_t staff_crontab_t };
> -typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
> -typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
> -typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
> +cron_common_crontab_template(sysadm)
> +typealias sysadm_crontab_t alias admin_crontab_t;
> +typealias sysadm_crontab_tmp_t alias admin_crontab_tmp_t;
> +
> +cron_common_crontab_template(user)
> +cron_common_crontab_template(staff)
> +cron_common_crontab_template(unconfined)
> +typealias user_crontab_t alias { crontab_t };
> +typealias sysadm_crontab_t alias { auditadm_crontab_t secadm_crontab_t };
> +typealias sysadm_crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
>
> type system_cron_spool_t, cron_spool_type;
> files_type(system_cron_spool_t)
> @@ -117,12 +118,7 @@ files_type(system_cronjob_var_lib_t)
> type system_cronjob_var_run_t;
> files_pid_file(system_cronjob_var_run_t)
>
> -type user_cron_spool_t, cron_spool_type;
> -typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
> -typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
> -files_type(user_cron_spool_t)
> -ubac_constrained(user_cron_spool_t)
> -mta_system_content(user_cron_spool_t)
> +typealias sysadm_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
>
> type user_cron_spool_log_t;
> logging_log_file(user_cron_spool_log_t)
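Review bot: The compatibility aliases keep the old `crontab_t` name (`typealias user_crontab_t alias { crontab_t };`) but silently drop `crontab_tmp_t`, which the removed `cron_common_crontab_template(crontab)` instantiation used to declare; file contexts or third-party modules that still reference crontab_tmp_t will fail to load. Add `typealias user_crontab_tmp_t alias crontab_tmp_t;` beside the crontab_t alias. Note also that auditadm and secadm crontabs, temp files and spool files are all folded onto sysadm's types here; if those admin roles are meant to be separated from sysadm (the point of having them), they need their own template instantiations like staff and user receive, and `sysadm_crontab_t` is aliased in two separate statements, which is legal but reads clearer as one.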
> @@ -142,9 +138,6 @@ allow crontab_domain self:capability { c
> allow crontab_domain self:process { getcap setsched signal_perms };
> allow crontab_domain self:fifo_file rw_fifo_file_perms;
>
> -manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
> -filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
> -
> allow crontab_domain cron_spool_t:dir setattr_dir_perms;
>
> allow crontab_domain crond_t:process signal;
> @@ -215,8 +208,8 @@ tunable_policy(`fcron_crond',`
> # Daemon local policy
> #
>
> -allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice };
> -dontaudit crond_t self:capability { sys_resource sys_tty_config };
> +allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice sys_resource };
> +dontaudit crond_t self:capability { sys_tty_config };
> allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
> allow crond_t self:process { setexec setfscreate };
> allow crond_t self:fd use;
> @@ -230,6 +223,7 @@ allow crond_t self:msg { send receive };
> allow crond_t self:key { search write link };
> dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
>
> +allow crond_t cron_spool_type:file read_file_perms;
> allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
> logging_log_filetrans(crond_t, cron_log_t, file)
>
> @@ -340,6 +334,23 @@ ifdef(`distro_debian',`
> optional_policy(`
> logwatch_search_cache_dir(crond_t)
> ')
> + optional_policy(`
> + apt_manage_cache(system_cronjob_t)
> + apt_read_db(system_cronjob_t)
> + dpkg_manage_db(system_cronjob_t)
> + ')
> +')
> +
> +optional_policy(`
> + acct_manage_data(system_cronjob_t)
> +')
> +
> +optional_policy(`
> + ntp_admin(system_cronjob_t, system_r)
> +')
> +
> +optional_policy(`
> + apache_delete_lib_files(system_cronjob_t)
> ')
>
> ifdef(`distro_redhat',`
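Review bot: Moving `sys_resource` from the dontaudit set onto the `allow crond_t self:capability { ... }` line hands the daemon CAP_SYS_RESOURCE — the ability to exceed rlimits and quota checks — and the hunk gives no reason; the previous dontaudit suggests the denial was known and judged harmless. If crond genuinely needs it (setting per-job limits would be the usual cause), put a why-comment above the allow, `# sys_resource: crond adjusts rlimits for jobs — confirm`; otherwise leave it in the dontaudit set.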
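Review bot: `dpkg_manage_db(system_cronjob_t)` and `apt_manage_cache(system_cronjob_t)` let every system cron job rewrite the package database and cache directly, which is exactly the growth of system_cronjob_t the reply at the top of the thread objects to, and it is the job domain rather than the apt/dpkg domains that now holds integrity over package state. If the apt and dpkg modules offer domain-transition interfaces, the Debian apt/dpkg cron scripts should transition into apt_t/dpkg_t and only read access should remain here. `ntp_admin(system_cronjob_t, system_r)` likewise is an admin-role interface handing a helper daemon domain the whole ntp management set (process control over ntpd included) when the job presumably only runs ntpdate; a narrower interface plus a comment naming the script that needs it would match refpolicy style.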
> @@ -429,6 +440,7 @@ optional_policy(`
> systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
> # so cron jobs can restart daemons
> init_stream_connect(system_cronjob_t)
> + init_manage_script_service(system_cronjob_t)
> ')
>
> optional_policy(`
> @@ -440,14 +452,15 @@ optional_policy(`
> # System local policy
> #
>
> -allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_bind_service setgid setuid sys_nice };
> +allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice };
> allow system_cronjob_t self:process { signal_perms getsched setsched };
> allow system_cronjob_t self:fd use;
> allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
> allow system_cronjob_t self:passwd rootok;
>
> -allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
> +allow system_cronjob_t cron_log_t:file manage_file_perms;
> logging_log_filetrans(system_cronjob_t, cron_log_t, file)
> +logging_manage_generic_logs(system_cronjob_t)
>
> allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
> files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
> @@ -464,7 +477,8 @@ files_lock_filetrans(system_cronjob_t, s
> manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
> manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
> filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
> -files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
> +files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir })
> +allow system_cronjob_t system_cronjob_tmp_t:dir manage_dir_perms;
>
> manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
>
> @@ -475,7 +489,8 @@ allow system_cronjob_t crond_t:process s
> allow system_cronjob_t cron_spool_t:dir list_dir_perms;
> allow system_cronjob_t cron_spool_t:file rw_file_perms;
>
> -allow system_cronjob_t crond_tmp_t:file { read write };
> +allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms;
> +allow cronjob_t crond_tmp_t:file rw_inherited_file_perms;
>
> kernel_read_kernel_sysctls(system_cronjob_t)
> kernel_read_network_state(system_cronjob_t)
> @@ -567,6 +582,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + read_mrtg_etc(system_cronjob_t)
> +')
> +
> +optional_policy(`
> cyrus_manage_data(system_cronjob_t)
> ')
>
> @@ -719,27 +738,3 @@ optional_policy(`
> nis_use_ypbind(cronjob_t)
> ')
>
> -########################################
> -#
> -# Unconfined local policy
> -#
> -
> -type unconfined_cronjob_t;
> -domain_type(unconfined_cronjob_t)
> -domain_cron_exemption_target(unconfined_cronjob_t)
> -
> -dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
> -
> -tunable_policy(`cron_userdomain_transition',`
> - dontaudit crond_t unconfined_cronjob_t:process transition;
> - dontaudit crond_t unconfined_cronjob_t:fd use;
> - dontaudit crond_t unconfined_cronjob_t:key manage_key_perms;
> -',`
> - allow crond_t unconfined_cronjob_t:process transition;
> - allow crond_t unconfined_cronjob_t:fd use;
> - allow crond_t unconfined_cronjob_t:key manage_key_perms;
> -')
> -
> -optional_policy(`
> - unconfined_domain(unconfined_cronjob_t)
> -')
> Index: refpolicy-2.20170417/policy/modules/contrib/apt.if
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/apt.if
> +++ refpolicy-2.20170417/policy/modules/contrib/apt.if
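Review bot: Adding `net_admin` to system_cronjob_t's capability set and `logging_manage_generic_logs(system_cronjob_t)` are two broad grants with no named consumer: CAP_NET_ADMIN lets any system cron job reconfigure interfaces, routes and firewall state, and manage rights over generic logs let it truncate or unlink every var_log_t file, which is precisely the evidence an incident responder relies on. Each should carry a why-comment naming the script that needs it, e.g. `# net_admin: needed by <job> — confirm`, and where a single script is the reason the refpolicy answer is a dedicated domain for that script rather than a wider shared job domain. The change of `cron_log_t:file` from append/create/setattr to `manage_file_perms` has the same shape — if log rotation is the motive, logrotate already has its own domain for that.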
> @@ -164,6 +164,26 @@ interface(`apt_use_ptys',
> ##
> ##
> #
> +interface(`apt_manage_cache',`
> + gen_require(`
> + type apt_var_cache_t;
> + ')
> +
> + files_search_var($1)
> + allow $1 apt_var_cache_t:dir manage_dir_perms;
> + allow $1 apt_var_cache_t:file manage_file_perms;
> +')
> +
> +########################################
> +##

> +## Read apt package cache content.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> interface(`apt_read_cache',`
> gen_require(`
> type apt_var_cache_t;
> Index: refpolicy-2.20170417/policy/modules/contrib/mrtg.if
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/mrtg.if
> +++ refpolicy-2.20170417/policy/modules/contrib/mrtg.if
> @@ -2,6 +2,24 @@
>
> ########################################
> ##
> +## Read mrtg configuration
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`read_mrtg_etc',`
> + gen_require(`
> + type mrtg_etc_t;
> + ')
> +
> + allow $1 mrtg_etc_t:file read_file_perms;
> +')
> +
> +########################################
> +##
> ## Create and append mrtg log files.
> ##
> ##
> Index: refpolicy-2.20170417/policy/modules/roles/staff.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/roles/staff.te
> +++ refpolicy-2.20170417/policy/modules/roles/staff.te
> @@ -81,7 +81,7 @@ ifndef(`distro_redhat',`
> ')
>
> optional_policy(`
> - cron_role(staff_r, staff_t)
> + cron_role(staff_r, staff)
> ')
>
> optional_policy(`
> Index: refpolicy-2.20170417/policy/modules/roles/unprivuser.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/roles/unprivuser.te
> +++ refpolicy-2.20170417/policy/modules/roles/unprivuser.te
> @@ -50,7 +50,7 @@ ifndef(`distro_redhat',`
> ')
>
> optional_policy(`
> - cron_role(user_r, user_t)
> + cron_role(user_r, user)
> ')
>
> optional_policy(`
> Index: refpolicy-2.20170417/policy/modules/system/unconfined.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/system/unconfined.te
> +++ refpolicy-2.20170417/policy/modules/system/unconfined.te
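Review bot: The new `interface(`apt_manage_cache',` is spliced in between the existing documentation block that ends in the hunk's context lines and the `interface(`apt_read_cache',` line it belonged to, so in the patched file the block headed "Read apt package cache content" now documents apt_manage_cache, while the copy added below it documents apt_read_cache; refpolicy generates its interface reference from these blocks, so the wrong summary propagates. Move the new interface above that block, with its own header, and give it a summary that matches the manage_dir_perms/manage_file_perms it grants on apt_var_cache_t, e.g. `## Create, read, write, and delete apt package cache content.`. The body of apt_read_cache continues past the hunk's last line.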
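Review bot: The interface is named `read_mrtg_etc`, but refpolicy interfaces are prefixed with their module name so callers and the documentation generator can find them — every other interface in mrtg.if presumably starts with `mrtg_`; rename it `mrtg_read_config` and update the call site `read_mrtg_etc(system_cronjob_t)` in cron.te. The rule `allow $1 mrtg_etc_t:file read_file_perms;` also gives no search access on the containing directory: if /etc/mrtg is itself labelled mrtg_etc_t the caller cannot reach the files, so prefer `files_search_etc($1)` followed by `read_files_pattern($1, mrtg_etc_t, mrtg_etc_t)`, which covers the directory as well.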
> @@ -76,7 +76,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> - cron_unconfined_role(unconfined_r, unconfined_t)
> + cron_role(unconfined_r, unconfined)
> ')
>
> optional_policy(`
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy