From: pebenito@ieee.org (Chris PeBenito)
Date: Mon, 1 May 2017 18:55:27 -0400
Subject: [refpolicy] [PATCH] user_crontab_t and ifdef cronjob_domain
In-Reply-To: <20170430055639.ltd55tccpwd5b6ji@athena.coker.com.au>
References: <20170430055639.ltd55tccpwd5b6ji@athena.coker.com.au>
Message-ID: 
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 04/30/2017 01:56 AM, Russell Coker via refpolicy wrote:
> This patch applies after the other cron patch I just sent.
> 
> It adds user_crontab_t, staff_crontab_t, etc domains and a new condifional
> compilation for cronjob_domain.
> 
> Chris, I anticipate that there's a good chance you won't take this patch at
> this stage. In any case please apply the previous patch now so I don't have
> to send 2 patches around for every iteration of this discussion.
I went back and read the thread from a couple weeks ago, and I realized I misunderstood what you were asking. Would you restate what is the end state you envision along with why the current implementation is deficient?
> Index: refpolicy-2.20170430/policy/modules/contrib/cron.if
> ===================================================================
> --- refpolicy-2.20170430.orig/policy/modules/contrib/cron.if
> +++ refpolicy-2.20170430/policy/modules/contrib/cron.if 
> @@ -21,23 +21,33 @@ template(`cron_common_crontab_template',
> # Declarations
> #
> 
> - type $1_t, crontab_domain;
> - userdom_user_application_domain($1_t, crontab_exec_t)
> + type $1_crontab_t, crontab_domain;
> + userdom_user_application_domain($1_crontab_t, crontab_exec_t)
> +
> + type $1_crontab_tmp_t;
> + userdom_user_tmp_file($1_crontab_tmp_t)
> 
> - type $1_tmp_t;
> - userdom_user_tmp_file($1_tmp_t)
> + type $1_cron_spool_t, cron_spool_type;
> 
> ##############################
> #
> # Local policy
> #
> 
> - manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
> - manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
> - files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
> + manage_dirs_pattern($1_crontab_t, $1_crontab_tmp_t, $1_crontab_tmp_t)
> + manage_files_pattern($1_crontab_t, $1_crontab_tmp_t, $1_crontab_tmp_t)
> + files_tmp_filetrans($1_crontab_t, $1_crontab_tmp_t, { dir file })
> +
> + auth_domtrans_chk_passwd($1_crontab_t)
> + auth_use_nsswitch($1_crontab_t)
> + allow $1_crontab_t self:capability fsetid;
> +
> + files_type($1_cron_spool_t)
> + ubac_constrained($1_cron_spool_t)
> + mta_system_content($1_cron_spool_t)
> 
> - auth_domtrans_chk_passwd($1_t)
> - auth_use_nsswitch($1_t)
> + manage_files_pattern($1_crontab_t, { cron_spool_t user_cron_spool_t }, $1_cron_spool_t)
> + filetrans_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t, file)
> ')
> 
> ########################################
> @@ -58,9 +68,11 @@ template(`cron_common_crontab_template',
> #
> interface(`cron_role',`
> gen_require(`
> +ifdef(`cronjob_domain', `
> type cronjob_t;
> +')
> type crontab_exec_t, crond_t;
> - type crontab_t, user_cron_spool_t;
> + type $2_crontab_t, $2_cron_spool_t;
> bool cron_userdomain_transition;
> ') 
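Review bot: `allow $1_crontab_t self:capability fsetid;` in cron_common_crontab_template grants a new capability to every per-role crontab domain this template instantiates, and neither the patch description nor a comment says which denial it answers; please add a one-line comment such as `# fsetid: <reason>` next to it, or split it into its own change so the widening is reviewable on its own. The new `manage_files_pattern($1_crontab_t, { cron_spool_t user_cron_spool_t }, $1_cron_spool_t)` also still names `user_cron_spool_t` as a directory type in every instantiation, which looks like a leftover of the single-spool-type design; with a per-role `$1_cron_spool_t` the directory set should presumably be just `cron_spool_t`, since the filetrans on the next line only ever applies the spool type to files. cron_common_crontab_template's header lies before this hunk.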
> 
> @@ -69,60 +81,51 @@ interface(`cron_role',`
> # Declarations
> #
> 
> +ifdef(`cronjob_domain', `
> role $1 types { cronjob_t };
> - role $1 types { crontab_t };
> +')
> + role $1 types { $2_crontab_t };
> 
> ##############################
> #
> # Local policy
> #
> 
> - domtrans_pattern($2_t, crontab_exec_t, crontab_t)
> + domtrans_pattern($2_t, crontab_exec_t, $2_crontab_t)
> 
> dontaudit crond_t $2_t:process { noatsecure siginh rlimitinh };
> allow $2_t crond_t:process sigchld;
> 
> - allow $2_t user_cron_spool_t:file { getattr read write ioctl };
> + allow $2_t $2_cron_spool_t:file { getattr read write ioctl };
> 
> - allow $2_t crontab_t:process { ptrace signal_perms };
> - ps_process_pattern($2_t, crontab_t)
> + allow $2_t $2_crontab_t:process { ptrace signal_perms };
> + ps_process_pattern($2_t, $2_crontab_t)
> 
> - corecmd_exec_bin(crontab_t)
> - corecmd_exec_shell(crontab_t)
> + corecmd_exec_bin($2_crontab_t)
> + corecmd_exec_shell($2_crontab_t)
> 
> +ifndef(`cronjob_domain', `
> tunable_policy(`cron_userdomain_transition',`
> +')
> allow crond_t $2_t:process transition;
> allow crond_t $2_t:fd use;
> allow crond_t $2_t:key manage_key_perms;
> 
> - allow $2_t user_cron_spool_t:file entrypoint;
> + allow $2_t $2_cron_spool_t:file entrypoint;
> 
> allow $2_t crond_t:fifo_file rw_fifo_file_perms;
> -
> - allow $2_t cronjob_t:process { ptrace signal_perms };
> - ps_process_pattern($2_t, cronjob_t)
> +ifndef(`cronjob_domain', `
> ',`
> dontaudit crond_t $2_t:process transition;
> dontaudit crond_t $2_t:fd use;
> dontaudit crond_t $2_t:key manage_key_perms;
> 
> - dontaudit $2_t user_cron_spool_t:file entrypoint;
> + dontaudit $2_t $2_cron_spool_t:file entrypoint;
> 
> dontaudit $2_t crond_t:fifo_file rw_fifo_file_perms;
> -
> - dontaudit $2_t cronjob_t:process { ptrace signal_perms };
> - ')
> -
> - optional_policy(`
> - gen_require(`
> - class dbus send_msg;
> - ')
> -
> - dbus_stub(cronjob_t)
> -
> - allow cronjob_t $2_t:dbus send_msg;
> ')
> ')
> +')
> 
> 
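Review bot: `bool cron_userdomain_transition;` in cron_role's gen_require stays unconditional, but the cron.te hunk of this same patch declares the tunable only under `ifndef(`cronjob_domain', ...)`, so with cronjob_domain defined the require appears to name a boolean that no longer exists and the module would fail to build. Guarding it the same way the `type cronjob_t;` line is guarded, i.e. `ifndef(`cronjob_domain', `` / `bool cron_userdomain_transition;` / `')`, keeps the two declarations in step. The rest of cron_role continues past this hunk.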
########################################
> ##
> @@ -139,6 +142,7 @@ interface(`cron_role',`
> ##
> ##
> #
> +ifdef(`cronjob_domain', `
> interface(`cron_unconfined_role',`
> gen_require(`
> type unconfined_cronjob_t, crontab_t, crontab_exec_t;
> @@ -204,6 +208,7 @@ interface(`cron_unconfined_role',`
> allow unconfined_cronjob_t $2:dbus send_msg;
> ')
> ')
> +')
> 
> ########################################
> ##
> Index: refpolicy-2.20170430/policy/modules/contrib/cron.te
> ===================================================================
> --- refpolicy-2.20170430.orig/policy/modules/contrib/cron.te
> +++ refpolicy-2.20170430/policy/modules/contrib/cron.te
> @@ -25,7 +25,9 @@ gen_tunable(cron_can_relabel, false)
> ## the generic cronjob domain.
> ##
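Review bot: The m4 quoting around the split `tunable_policy` call looks wrong to me: after `ifndef(`cronjob_domain', `` the line `tunable_policy(`cron_userdomain_transition',`` leaves an unbalanced opening quote, so the `')` that follows closes that inner quote rather than the `ifndef(`, and the first ifndef then appears to swallow everything down to the second one. If that reading is right, with cronjob_domain undefined the crond_t → $2_t allow rules land outside an empty `tunable_policy` and the dontaudit branch is dropped, while with it defined the whole transition block vanishes, which is the opposite of the stated intent. Please verify by inspecting the expanded cron_role in both configurations; a more robust shape is to keep each `tunable_policy(...)` call intact inside its own ifdef/ifndef branch, duplicating the short allow block, instead of opening the macro in one conditional and closing it in another. cron_role's header and gen_require lie before this hunk.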
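Review bot: Wrapping all of `cron_unconfined_role` in `ifdef(`cronjob_domain', ...)` leaves the interface undefined when cronjob_domain is not set, so any unconditional caller in the unconfined module (not visible here) would fail at build time rather than quietly no-op; that caller needs the same guard, or the interface should stay defined with only its unconfined_cronjob_t parts conditional. The gen_require still names `crontab_t`, which after this patch is only an alias of user_crontab_t, so unconfined users appear to keep transitioning into user_crontab_t even though `cron_common_crontab_template(unconfined)` now declares an unconfined_crontab_t; please state which is intended. The interface body continues between the two hunks.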

> ##
> -gen_tunable(cron_userdomain_transition, false)
> +ifndef(`cronjob_domain', `
> +gen_tunable(cron_userdomain_transition, true)
> +')
> 
> ##
> ##
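Review bot: `gen_tunable(cron_userdomain_transition, true)` flips the default from false to true, so after an upgrade crond transitions into the full user domain on every install where the admin has not set the boolean explicitly; that is a security-posture change the patch description does not mention. Either keep `false` here or call the flip out in the commit message and in the tunable's description, with the reason it is wanted. The tunable's description comment begins above the hunk.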

> @@ -86,15 +88,16 @@ mta_system_content(crond_var_run_t)
> type crontab_exec_t;
> application_executable_file(crontab_exec_t)
> 
> -cron_common_crontab_template(admin_crontab)
> -typealias admin_crontab_t alias sysadm_crontab_t;
> -typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t;
> -
> -cron_common_crontab_template(crontab)
> -typealias crontab_t alias { user_crontab_t staff_crontab_t };
> -typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
> -typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
> -typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
> +cron_common_crontab_template(sysadm)
> +typealias sysadm_crontab_t alias admin_crontab_t;
> +typealias sysadm_crontab_tmp_t alias admin_crontab_tmp_t;
> +
> +cron_common_crontab_template(user)
> +cron_common_crontab_template(staff)
> +cron_common_crontab_template(unconfined)
> +typealias user_crontab_t alias { crontab_t };
> +typealias sysadm_crontab_t alias { auditadm_crontab_t secadm_crontab_t };
> +typealias sysadm_crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
> 
> type system_cron_spool_t, cron_spool_type;
> files_type(system_cron_spool_t)
> @@ -117,12 +120,7 @@ files_type(system_cronjob_var_lib_t)
> type system_cronjob_var_run_t;
> files_pid_file(system_cronjob_var_run_t)
> 
> -type user_cron_spool_t, cron_spool_type;
> -typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
> -typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
> -files_type(user_cron_spool_t)
> -ubac_constrained(user_cron_spool_t)
> -mta_system_content(user_cron_spool_t)
> +typealias sysadm_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
> 
> type user_cron_spool_log_t;
> logging_log_file(user_cron_spool_log_t) 
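Review bot: `typealias sysadm_crontab_t alias { auditadm_crontab_t secadm_crontab_t }` moves the auditadm and secadm crontab domains from the generic crontab_t (the removed `typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t }`) onto the sysadm domain, and the next hunk does the same for their spool type; that widens what those roles' crontab processes may do and should be deliberate, so please either give them their own `cron_common_crontab_template(auditadm)` / `cron_common_crontab_template(secadm)` instantiations or note the merge in the description. `cron_common_crontab_template(unconfined)` now declares unconfined_crontab_t and unconfined_cron_spool_t, but nothing in this patch wires them into cron_unconfined_role, which still requires crontab_t, so as far as I can see they are unused.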
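Review bot: Dropping `typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t }` turns the per-role spool types into distinct types, but crontab files that already exist were created as user_cron_spool_t and, if they are named after the owning user as is usual, file_contexts cannot relabel them on upgrade; a staff or sysadm user's existing crontab would then no longer satisfy the `$2_cron_spool_t:file entrypoint` rule in cron_role. The patch needs a relabel or migration note before it is safe to ship, and the description should say so. I am inferring the spool layout; please confirm against the cron file_contexts.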
> @@ -142,9 +140,6 @@ allow crontab_domain self:capability { c
> allow crontab_domain self:process { getcap setsched signal_perms };
> allow crontab_domain self:fifo_file rw_fifo_file_perms;
> 
> -manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
> -filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
> -
> allow crontab_domain cron_spool_t:dir setattr_dir_perms;
> 
> allow crontab_domain crond_t:process signal;
> @@ -215,8 +210,8 @@ tunable_policy(`fcron_crond',`
> # Daemon local policy
> #
> 
> -allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice };
> -dontaudit crond_t self:capability { sys_resource sys_tty_config };
> +allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice sys_resource };
> +dontaudit crond_t self:capability { sys_tty_config };
> allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
> allow crond_t self:process { setexec setfscreate };
> allow crond_t self:fd use;
> @@ -230,6 +225,7 @@ allow crond_t self:msg { send receive };
> allow crond_t self:key { search write link };
> dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
> 
> +allow crond_t cron_spool_type:file read_file_perms;
> allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
> logging_log_filetrans(crond_t, cron_log_t, file)
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
> -- Chris PeBenito
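Review bot: `sys_resource` moves from `dontaudit crond_t self:capability { sys_resource sys_tty_config };` into the allow list, which lets crond override resource limits (CAP_SYS_RESOURCE); the patch description does not mention it and it is unrelated to the per-role crontab split, so it belongs in a separate commit together with the denial that motivated it. If the need is real, a comment beside the rule such as `# sys_resource: needed for <reason>` keeps the widening reviewable. The daemon policy section continues outside the hunk.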
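Review bot: `allow crond_t cron_spool_type:file read_file_perms;` grants read on every type carrying the cron_spool_type attribute, which after this patch includes each per-role spool type and system_cron_spool_t; that is presumably what crond needs to load the split crontabs, but a comment saying so (`# crond reads every role's crontab`) would help, and it is worth confirming that no non-crontab type carries the attribute. Because the rule is on the attribute rather than on listed types, any cron_spool_type member added later becomes readable by crond automatically.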