From: russell@coker.com.au (Russell Coker) Date: Sun, 30 Apr 2017 15:56:39 +1000 Subject: [refpolicy] [PATCH] user_crontab_t and ifdef cronjob_domain Message-ID: <20170430055639.ltd55tccpwd5b6ji@athena.coker.com.au> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This patch applies after the other cron patch I just sent. It adds user_crontab_t, staff_crontab_t, etc domains and a new condifional compilation for cronjob_domain. Chris, I anticipate that there's a good chance you won't take this patch at this stage. In any case please apply the previous patch now so I don't have to send 2 patches around for every iteration of this discussion.
Index: refpolicy-2.20170430/policy/modules/contrib/cron.if
===================================================================
--- refpolicy-2.20170430.orig/policy/modules/contrib/cron.if
+++ refpolicy-2.20170430/policy/modules/contrib/cron.if
@@ -21,23 +21,33 @@ template(`cron_common_crontab_template',
 # Declarations
 #
- type $1_t, crontab_domain;
- userdom_user_application_domain($1_t, crontab_exec_t)
+ type $1_crontab_t, crontab_domain;
+ userdom_user_application_domain($1_crontab_t, crontab_exec_t)
+
+ type $1_crontab_tmp_t;
+ userdom_user_tmp_file($1_crontab_tmp_t)
- type $1_tmp_t;
- userdom_user_tmp_file($1_tmp_t)
+ type $1_cron_spool_t, cron_spool_type;
 ##############################
 #
 # Local policy
 #
- manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
- manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
- files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
+ manage_dirs_pattern($1_crontab_t, $1_crontab_tmp_t, $1_crontab_tmp_t)
+ manage_files_pattern($1_crontab_t, $1_crontab_tmp_t, $1_crontab_tmp_t)
+ files_tmp_filetrans($1_crontab_t, $1_crontab_tmp_t, { dir file })
+
+ auth_domtrans_chk_passwd($1_crontab_t)
+ auth_use_nsswitch($1_crontab_t)
+ allow $1_crontab_t self:capability fsetid;
+
+ files_type($1_cron_spool_t)
+ ubac_constrained($1_cron_spool_t)
+ mta_system_content($1_cron_spool_t)
- auth_domtrans_chk_passwd($1_t)
- auth_use_nsswitch($1_t)
+ manage_files_pattern($1_crontab_t, { cron_spool_t user_cron_spool_t }, $1_cron_spool_t)
+ filetrans_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t, file)
 ')
 ########################################
@@ -58,9 +68,11 @@ template(`cron_common_crontab_template',
 #
 interface(`cron_role',`
 gen_require(`
+ifdef(`cronjob_domain', `
 type cronjob_t;
+')
 type crontab_exec_t, crond_t;
- type crontab_t, user_cron_spool_t;
+ type $2_crontab_t, $2_cron_spool_t;
 bool cron_userdomain_transition;
 ')
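Review bot: The template body now hard-codes `user_cron_spool_t` in the directory position of `manage_files_pattern($1_crontab_t, { cron_spool_t user_cron_spool_t }, $1_cron_spool_t)`, while the cron.te hunk removes the standalone `type user_cron_spool_t` declaration, so the sysadm, staff and unconfined instantiations resolve only because cron.te also instantiates the template for `user`, and all of them share that one spool type as their directory target. If the directory-side permission is meant to be per-instantiation, `{ cron_spool_t $1_cron_spool_t }` would follow the rest of the template; otherwise a comment such as `# user_cron_spool_t: shared spool dir type for every crontab domain` should say why it is fixed. The new `allow $1_crontab_t self:capability fsetid;` also lands without a rationale; a one-line why-comment naming the operation that needs it would help the next reviewer. The template's header and gen_require are outside the hunk.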
@@ -69,60 +81,51 @@ interface(`cron_role',`
 # Declarations
 #
+ifdef(`cronjob_domain', `
 role $1 types { cronjob_t };
- role $1 types { crontab_t };
+')
+ role $1 types { $2_crontab_t };
 ##############################
 #
 # Local policy
 #
- domtrans_pattern($2_t, crontab_exec_t, crontab_t)
+ domtrans_pattern($2_t, crontab_exec_t, $2_crontab_t)
 dontaudit crond_t $2_t:process { noatsecure siginh rlimitinh };
 allow $2_t crond_t:process sigchld;
- allow $2_t user_cron_spool_t:file { getattr read write ioctl };
+ allow $2_t $2_cron_spool_t:file { getattr read write ioctl };
- allow $2_t crontab_t:process { ptrace signal_perms };
- ps_process_pattern($2_t, crontab_t)
+ allow $2_t $2_crontab_t:process { ptrace signal_perms };
+ ps_process_pattern($2_t, $2_crontab_t)
- corecmd_exec_bin(crontab_t)
- corecmd_exec_shell(crontab_t)
+ corecmd_exec_bin($2_crontab_t)
+ corecmd_exec_shell($2_crontab_t)
+ifndef(`cronjob_domain', `
 tunable_policy(`cron_userdomain_transition',`
+')
 allow crond_t $2_t:process transition;
 allow crond_t $2_t:fd use;
 allow crond_t $2_t:key manage_key_perms;
- allow $2_t user_cron_spool_t:file entrypoint;
+ allow $2_t $2_cron_spool_t:file entrypoint;
 allow $2_t crond_t:fifo_file rw_fifo_file_perms;
-
- allow $2_t cronjob_t:process { ptrace signal_perms };
- ps_process_pattern($2_t, cronjob_t)
+ifndef(`cronjob_domain', `
 ',`
 dontaudit crond_t $2_t:process transition;
 dontaudit crond_t $2_t:fd use;
 dontaudit crond_t $2_t:key manage_key_perms;
- dontaudit $2_t user_cron_spool_t:file entrypoint;
+ dontaudit $2_t $2_cron_spool_t:file entrypoint;
 dontaudit $2_t crond_t:fifo_file rw_fifo_file_perms;
-
- dontaudit $2_t cronjob_t:process { ptrace signal_perms };
- ')
-
- optional_policy(`
- gen_require(`
- class dbus send_msg;
- ')
-
- dbus_stub(cronjob_t)
-
- allow cronjob_t $2_t:dbus send_msg;
 ')
 ')
+')
 ########################################
 ##
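Review bot: The two ``ifndef(`cronjob_domain', `…')`` wrappers, one around ``tunable_policy(`cron_userdomain_transition',` `` and one around the `',` … `')` else-branch, cannot work as written, because m4 delimits a macro argument by balanced quotes rather than by line: the first wrapper's body begins with the unbalanced `` ` `` of the tunable_policy opener, so the `+')` three lines below does not close it and the body runs on through the second wrapper. As far as I can trace it, in the non-cronjob_domain build the tunable ends up with an empty then-branch, the five allow rules become unconditional and the dontaudit rules are dropped, while in the cronjob_domain build all of them vanish, which is the opposite of the stated intent in both configurations. The safe form is a single `ifndef` whose first branch holds the complete, unmodified `tunable_policy` block and whose else branch repeats the allow rules unconditionally, as below. Separately, the removed `allow $2_t cronjob_t:process { ptrace signal_perms }`, `ps_process_pattern($2_t, cronjob_t)` and dbus `send_msg` rules are gone in the cronjob_domain build too, where `cronjob_t` still exists (see the `role $1 types { cronjob_t }` line), and the description does not mention that loss. cron_role's gen_require is in the previous hunk.
```m4
ifndef(`cronjob_domain', `
	tunable_policy(`cron_userdomain_transition',`
		# … unchanged: the five allow rules (transition, fd use, key, entrypoint, fifo) …
	',`
		# … unchanged: the five matching dontaudit rules …
	')
',`
	# cronjob_domain build: the tunable is not declared, so the transition is unconditional
	allow crond_t $2_t:process transition;
	allow crond_t $2_t:fd use;
	allow crond_t $2_t:key manage_key_perms;
	allow $2_t $2_cron_spool_t:file entrypoint;
	allow $2_t crond_t:fifo_file rw_fifo_file_perms;
')
```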
@@ -139,6 +142,7 @@ interface(`cron_role',`
 ##
 ##
 #
+ifdef(`cronjob_domain', `
 interface(`cron_unconfined_role',`
 gen_require(`
 type unconfined_cronjob_t, crontab_t, crontab_exec_t;
@@ -204,6 +208,7 @@ interface(`cron_unconfined_role',`
 allow unconfined_cronjob_t $2:dbus send_msg;
 ')
 ')
+')
 ########################################
 ##
Index: refpolicy-2.20170430/policy/modules/contrib/cron.te
===================================================================
--- refpolicy-2.20170430.orig/policy/modules/contrib/cron.te
+++ refpolicy-2.20170430/policy/modules/contrib/cron.te
@@ -25,7 +25,9 @@ gen_tunable(cron_can_relabel, false)
 ## the generic cronjob domain.
 ##
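Review bot: Wrapping the whole `cron_unconfined_role` definition in ``ifdef(`cronjob_domain', `…')`` leaves every caller of the interface undefined in the default build; unless the call sites are guarded the same way (not visible here), m4 will pass `cron_unconfined_role(...)` through as literal text and the policy will fail to compile, so either a matching guard at the callers or an empty stub interface in the else branch is needed. The gen_require still names `crontab_t`, which after the cron.te hunk is only an alias of `user_crontab_t`, even though that hunk also instantiates `cron_common_crontab_template(unconfined)`; if the unconfined role is meant to use `unconfined_crontab_t`, this require and the interface body (outside the hunk) should change together. The `##` documentation block above the interface now sits outside the guard, so generated interface documentation will describe an interface that does not exist in the default build; a sentence in that block naming the `cronjob_domain` condition would at least keep the two consistent.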

##
-gen_tunable(cron_userdomain_transition, false)
+ifndef(`cronjob_domain', `
+gen_tunable(cron_userdomain_transition, true)
+')
 ##
 ##
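Review bot: The default of `cron_userdomain_transition` changes from `false` to `true` on the same line that adds the guard, and in the cron.if hunk this tunable gates `allow crond_t $2_t:process transition` and the `$2_cron_spool_t:file entrypoint` rule for every user domain, so the default behaviour of every non-cronjob_domain build becomes running user crontabs in the user's own domain; the description does not mention the flip. Keep `gen_tunable(cron_userdomain_transition, false)` here, or state the new default and its reason in the commit message so it can be reviewed on its own. The `##` description lines above the tunable stay outside the `ifndef`, so cronjob_domain builds carry documentation for a tunable that is not declared; extending the guard to cover the description block keeps them in step. This hunk's `@@ -25,7 +25,9` header and first context lines are on the earlier line.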

@@ -86,15 +88,16 @@ mta_system_content(crond_var_run_t)
 type crontab_exec_t;
 application_executable_file(crontab_exec_t)
-cron_common_crontab_template(admin_crontab)
-typealias admin_crontab_t alias sysadm_crontab_t;
-typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t;
-
-cron_common_crontab_template(crontab)
-typealias crontab_t alias { user_crontab_t staff_crontab_t };
-typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
-typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
-typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
+cron_common_crontab_template(sysadm)
+typealias sysadm_crontab_t alias admin_crontab_t;
+typealias sysadm_crontab_tmp_t alias admin_crontab_tmp_t;
+
+cron_common_crontab_template(user)
+cron_common_crontab_template(staff)
+cron_common_crontab_template(unconfined)
+typealias user_crontab_t alias { crontab_t };
+typealias sysadm_crontab_t alias { auditadm_crontab_t secadm_crontab_t };
+typealias sysadm_crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
 type system_cron_spool_t, cron_spool_type;
 files_type(system_cron_spool_t)
@@ -117,12 +120,7 @@ files_type(system_cronjob_var_lib_t)
 type system_cronjob_var_run_t;
 files_pid_file(system_cronjob_var_run_t)
-type user_cron_spool_t, cron_spool_type;
-typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
-typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
-files_type(user_cron_spool_t)
-ubac_constrained(user_cron_spool_t)
-mta_system_content(user_cron_spool_t)
+typealias sysadm_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
 type user_cron_spool_log_t;
 logging_log_file(user_cron_spool_log_t)
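Review bot: Nothing in the new typealias set keeps `crontab_tmp_t` resolvable: both old `typealias crontab_tmp_t alias {…}` lines are removed and only `typealias user_crontab_t alias { crontab_t };` is added for the old names, so any gen_require or file context elsewhere that still names `crontab_tmp_t` will no longer build; if it is referenced, add `typealias user_crontab_tmp_t alias { crontab_tmp_t };` beside the crontab_t alias. `cron_common_crontab_template(unconfined)` is instantiated unconditionally while `cron_unconfined_role` in cron.if is only defined under `cronjob_domain`, so the default build gains `unconfined_crontab_t`, `unconfined_crontab_tmp_t` and `unconfined_cron_spool_t` with nothing visible here consuming them; either guard the instantiation the same way or name the interface that is expected to use them. The alias that previously mapped `unconfined_cron_spool_t` onto `user_cron_spool_t` is dropped in the second hunk, which is consistent with the template now declaring the type, but worth a line in the description since callers keying on the old aliasing see a different type.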
@@ -142,9 +140,6 @@ allow crontab_domain self:capability { c
 allow crontab_domain self:process { getcap setsched signal_perms };
 allow crontab_domain self:fifo_file rw_fifo_file_perms;
-manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
-filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
-
 allow crontab_domain cron_spool_t:dir setattr_dir_perms;
 allow crontab_domain crond_t:process signal;
@@ -215,8 +210,8 @@ tunable_policy(`fcron_crond',`
 # Daemon local policy
 #
-allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice };
-dontaudit crond_t self:capability { sys_resource sys_tty_config };
+allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice sys_resource };
+dontaudit crond_t self:capability { sys_tty_config };
 allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
 allow crond_t self:process { setexec setfscreate };
 allow crond_t self:fd use;
@@ -230,6 +225,7 @@ allow crond_t self:msg { send receive };
 allow crond_t self:key { search write link };
 dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
+allow crond_t cron_spool_type:file read_file_perms;
 allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
 logging_log_filetrans(crond_t, cron_log_t, file)
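Review bot: `sys_resource` moves from the `dontaudit` line into `allow crond_t self:capability {…}` with no comment and no mention in the description; that is a privilege expansion for the daemon unrelated to the per-user crontab domains this patch is about, and a dontaudit-to-allow change normally cites the denial that motivated it. Either split it into its own commit or add a why-comment above the rule, e.g. `# sys_resource: <operation that needs it - TODO fill in from the denial>`. The new `allow crond_t cron_spool_type:file read_file_perms;` in the last hunk grants read on every type carrying the attribute at once, including `system_cron_spool_t`; it looks intended for the per-domain spool types the cron.if template now declares, but a comment saying so would make the attribute-wide grant deliberate rather than incidental.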