From: russell@coker.com.au (Russell Coker) Date: Sun, 30 Apr 2017 15:53:35 +1000 Subject: [refpolicy] [PATCH] cron trivial patch Message-ID: <20170430055335.ednfmcu6as2zwjdj@athena.coker.com.au> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This patch has trivial changes that don't affect the end result. The purpose of this is to make the next patch smaller and easer to understand without formatting issues and s/user/user_t stuff confusing it. Chris, even if you reject the second patch at the current time, please apply this now so we have a clear base to work with for discussions of future cron changes.
Index: refpolicy-2.20170421/policy/modules/contrib/cron.if
===================================================================
--- refpolicy-2.20170421.orig/policy/modules/contrib/cron.if
+++ refpolicy-2.20170421/policy/modules/contrib/cron.if
@@ -51,15 +51,16 @@ template(`cron_common_crontab_template',
 ##
 ##
 ##
-## User domain for the role.
+## stem of domain for the role.
 ##
 ##
 ##
 #
 interface(`cron_role',`
 gen_require(`
- type cronjob_t, crontab_t, crontab_exec_t;
- type user_cron_spool_t, crond_t;
+ type cronjob_t;
+ type crontab_exec_t, crond_t;
+ type crontab_t, user_cron_spool_t;
 bool cron_userdomain_transition;
 ')
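Review bot: The new summary `## stem of domain for the role.` leaves a caller guessing what to pass now that the interface appends `_t` to `$2` itself (the following hunks); the wording the userdom templates use for prefix parameters is clearer, e.g. `## The prefix of the user domain (e.g., user is the prefix for user_t).`, capitalised like the other summaries in the file. That change also alters cron_role's contract: any other caller, in-tree or in third-party policy, that still passes a full type such as `foo_t` would expand to `foo_t_t` and fail at policy build time, so the description's claim that the changes do not affect the end result holds only for the two callers updated in staff.te and unprivuser.te. A grep for `cron_role(` across the tree before applying would confirm there are no others. The interface body continues into the next hunk.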
@@ -68,47 +69,48 @@ interface(`cron_role',`
 # Declarations
 #
- role $1 types { cronjob_t crontab_t };
+ role $1 types { cronjob_t };
+ role $1 types { crontab_t };
 ##############################
 #
 # Local policy
 #
- domtrans_pattern($2, crontab_exec_t, crontab_t)
+ domtrans_pattern($2_t, crontab_exec_t, crontab_t)
- dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
- allow $2 crond_t:process sigchld;
+ dontaudit crond_t $2_t:process { noatsecure siginh rlimitinh };
+ allow $2_t crond_t:process sigchld;
- allow $2 user_cron_spool_t:file { getattr read write ioctl };
+ allow $2_t user_cron_spool_t:file { getattr read write ioctl };
- allow $2 crontab_t:process { ptrace signal_perms };
- ps_process_pattern($2, crontab_t)
+ allow $2_t crontab_t:process { ptrace signal_perms };
+ ps_process_pattern($2_t, crontab_t)
 corecmd_exec_bin(crontab_t)
 corecmd_exec_shell(crontab_t)
 tunable_policy(`cron_userdomain_transition',`
- allow crond_t $2:process transition;
- allow crond_t $2:fd use;
- allow crond_t $2:key manage_key_perms;
+ allow crond_t $2_t:process transition;
+ allow crond_t $2_t:fd use;
+ allow crond_t $2_t:key manage_key_perms;
- allow $2 user_cron_spool_t:file entrypoint;
+ allow $2_t user_cron_spool_t:file entrypoint;
- allow $2 crond_t:fifo_file rw_fifo_file_perms;
+ allow $2_t crond_t:fifo_file rw_fifo_file_perms;
- allow $2 cronjob_t:process { ptrace signal_perms };
- ps_process_pattern($2, cronjob_t)
+ allow $2_t cronjob_t:process { ptrace signal_perms };
+ ps_process_pattern($2_t, cronjob_t)
 ',`
- dontaudit crond_t $2:process transition;
- dontaudit crond_t $2:fd use;
- dontaudit crond_t $2:key manage_key_perms;
+ dontaudit crond_t $2_t:process transition;
+ dontaudit crond_t $2_t:fd use;
+ dontaudit crond_t $2_t:key manage_key_perms;
- dontaudit $2 user_cron_spool_t:file entrypoint;
+ dontaudit $2_t user_cron_spool_t:file entrypoint;
- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+ dontaudit $2_t crond_t:fifo_file rw_fifo_file_perms;
- dontaudit $2 cronjob_t:process { ptrace signal_perms };
+ dontaudit $2_t cronjob_t:process { ptrace signal_perms };
 ')
 optional_policy(`
@@ -118,7 +120,7 @@ interface(`cron_role',`
 dbus_stub(cronjob_t)
- allow cronjob_t $2:dbus send_msg;
+ allow cronjob_t $2_t:dbus send_msg;
 ')
 ')
Index: refpolicy-2.20170421/policy/modules/roles/staff.te
===================================================================
--- refpolicy-2.20170421.orig/policy/modules/roles/staff.te
+++ refpolicy-2.20170421/policy/modules/roles/staff.te
@@ -81,7 +81,7 @@ ifndef(`distro_redhat',`
 ')
 optional_policy(`
- cron_role(staff_r, staff_t)
+ cron_role(staff_r, staff)
 ')
 optional_policy(`
Index: refpolicy-2.20170421/policy/modules/roles/unprivuser.te
===================================================================
--- refpolicy-2.20170421.orig/policy/modules/roles/unprivuser.te
+++ refpolicy-2.20170421/policy/modules/roles/unprivuser.te
@@ -50,7 +50,7 @@ ifndef(`distro_redhat',`
 ')
 optional_policy(`
- cron_role(user_r, user_t)
+ cron_role(user_r, user)
 ')
 optional_policy(`