From: guido@trentalancia.net (Guido Trentalancia) Date: Thu, 20 Apr 2017 03:00:30 +0200 Subject: [refpolicy] [PATCH 5/33] cron: curb on userdom permissions Message-ID: <1492650030.14733.75.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This patch curbs on userdomain file read and/or write permissions for the cron daemon module. It aims to ensure user data confidentiality. A boolean has been introduced to revert the previous read/write behavior. Signed-off-by: Guido Trentalancia --- policy/modules/contrib/cron.te | 55 ++++++++++++++++++++++++++++++++--------- 1 file changed, 43 insertions(+), 12 deletions(-) --- refpolicy-2.20170204-orig/policy/modules/contrib/cron.te 2017-02-04 19:30:41.000000000 +0100 +++ refpolicy-2.20170204/policy/modules/contrib/cron.te 2017-04-20 00:36:45.796443885 +0200 @@ -19,6 +19,15 @@ gen_require(` gen_tunable(cron_can_relabel, false) ## +##

+## Determine whether cron can +## manage the user home directories +## and files. +##

+##
+gen_tunable(cron_enable_home_dirs, false) + +## ##

## Determine whether crond can execute jobs
 ## in the user domain as opposed to the
@@ -184,8 +193,14 @@ seutil_read_config(crontab_domain)
 userdom_manage_user_tmp_dirs(crontab_domain)
 userdom_manage_user_tmp_files(crontab_domain)
 userdom_use_user_terminals(crontab_domain)
-userdom_read_user_home_content_files(crontab_domain)
-userdom_read_user_home_content_symlinks(crontab_domain)
+
+tunable_policy(`cron_enable_home_dirs',`
+ userdom_read_user_home_content_files(crontab_domain)
+ userdom_read_user_home_content_symlinks(crontab_domain)
+',`
+ userdom_dontaudit_read_user_home_content_files(crontab_domain)
+ # FIXME: add dontaudit user_home_content symlinks
+')
 tunable_policy(`fcron_crond',`
 dontaudit crontab_domain crond_t:process signal;
@@ -318,7 +333,9 @@ seutil_read_default_contexts(crond_t)
 miscfiles_read_localization(crond_t)
-userdom_list_user_home_dirs(crond_t)
+tunable_policy(`cron_enable_home_dirs',`
+ userdom_list_user_home_dirs(crond_t)
+')
 tunable_policy(`cron_userdomain_transition',`
 dontaudit crond_t cronjob_t:process transition;
@@ -544,6 +561,10 @@ tunable_policy(`cron_can_relabel',`
 seutil_read_file_contexts(system_cronjob_t)
 ')
+tunable_policy(`cron_enable_home_dirs',`
+ userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
+')
+
 optional_policy(`
 apache_exec_modules(system_cronjob_t)
 apache_read_config(system_cronjob_t)
@@ -620,10 +641,6 @@ optional_policy(`
 sysstat_manage_log(system_cronjob_t)
 ')
-optional_policy(`
- userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
-')
-
 ########################################
 #
 # Cronjob local policy
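Review bot: The new tunable's description (`Determine whether cron can manage the user home directories and files.`) undersells what it gates: the later hunks also put crontab's read of home content, crond's listing of home dirs, and the exec/create/manage rules for user and system cron jobs under it, and its `false` default withdraws access the previous policy granted unconditionally. A reader of `semanage boolean -l` will not learn from this text that their existing user crontabs which run scripts or write data from $HOME stop working. Suggest spelling it out, e.g. `## Allow crond, crontab and cron jobs to list, read, execute and create content in user home directories. Disabling this (the default) breaks user cron jobs that run scripts or write files under $HOME.`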
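Review bot: In the crontab_domain hunk the else branch of the new `tunable_policy` dontaudits the read denial on user home content files, which hides exactly the denial an administrator would need to see to learn why installing a crontab from a file under $HOME now fails with EACCES while `cron_enable_home_dirs` is off; since the stated goal is confidentiality rather than noise suppression, either drop the dontaudit or document this failure mode in the tunable description. The `# FIXME: add dontaudit user_home_content symlinks` also leaves symlink reads audited while file reads are silenced, so the branch is inconsistent with itself; it should be resolved (or the file dontaudit dropped to match) before merging rather than shipped as a placeholder. The enclosing crontab_domain policy continues outside the hunk.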
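Review bot: In the crond_t hunk, disabling `cron_enable_home_dirs` leaves `userdom_list_user_home_dirs(crond_t)` with no dontaudit counterpart, unlike the crontab_domain and cronjob_t hunks, so crond's directory listing attempts will be audited on every run while the other two paths are silent. Either add an else branch with `userdom_dontaudit_list_user_home_dirs(crond_t)` (if that interface exists in this tree) or state why crond's attempt should stay visible. It is also not evident from the hunk why the daemon itself, rather than the job domains, needs to list home directories; a one-line comment above the `tunable_policy` giving the reason would help decide whether this rule belongs under the boolean at all.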
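Review bot: The `userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, ...)` call moved under `cron_enable_home_dirs` is only a type transition; the hunk shows no matching create/manage rules for system_cronjob_t on user home content being gated with it, so whether system jobs can still write into $HOME when the boolean is off depends on rules outside this hunk and should be confirmed. If those rules are unconditional elsewhere, the boolean does not actually restrict system cron jobs and the commit message's confidentiality claim is overstated for them. Note also that creating objects in a user's home is an integrity rather than confidentiality concern, so the tunable description should mention system cron jobs explicitly.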
@@ -680,11 +697,25 @@ userdom_manage_user_tmp_files(cronjob_t)
 userdom_manage_user_tmp_symlinks(cronjob_t)
 userdom_manage_user_tmp_pipes(cronjob_t)
 userdom_manage_user_tmp_sockets(cronjob_t)
-userdom_exec_user_home_content_files(cronjob_t)
-userdom_manage_user_home_content_files(cronjob_t)
-userdom_manage_user_home_content_symlinks(cronjob_t)
-userdom_manage_user_home_content_pipes(cronjob_t)
-userdom_manage_user_home_content_sockets(cronjob_t)
+
+tunable_policy(`cron_enable_home_dirs',`
+ userdom_exec_user_home_content_files(cronjob_t)
+ userdom_manage_user_home_content_files(cronjob_t)
+ userdom_manage_user_home_content_pipes(cronjob_t)
+ userdom_manage_user_home_content_sockets(cronjob_t)
+ userdom_manage_user_home_content_symlinks(cronjob_t)
+',`
+ userdom_dontaudit_exec_user_home_content_files(cronjob_t)
+ userdom_dontaudit_manage_user_home_content_files(cronjob_t)
+')
+
+tunable_policy(`cron_enable_home_dirs && use_nfs_home_dirs',`
+ fs_exec_nfs_files(cronjob_t)
+')
+
+tunable_policy(`cron_enable_home_dirs && use_samba_home_dirs',`
+ fs_exec_cifs_files(cronjob_t)
+')
 tunable_policy(`cron_userdomain_transition',`
 dontaudit cronjob_t crond_t:fd use;
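Review bot: With `cron_enable_home_dirs` off, the cronjob_t else branch dontaudits only exec and manage of user home content files, while the removed unconditional rules also covered symlinks, pipes and sockets, so denials on those classes will now be audited while file denials are silent; add the matching dontaudit rules for those classes if the interfaces exist, or audit all of them consistently. More importantly for the stated confidentiality goal, this boolean only constrains cronjob_t: when `cron_userdomain_transition` (visible in the trailing context) is enabled, jobs run in the user's own domain, which presumably retains full access to that user's home, so the new tunable offers no protection in that configuration and its description should say so. Tying `fs_exec_nfs_files` and `fs_exec_cifs_files` to the same boolean is reasonable, but only `exec` is gated here; whatever grants cronjob_t read/write of NFS or CIFS home content is outside this hunk and should be reviewed for consistency.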