From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 22 May 2017 18:11:45 +0200
Subject: [refpolicy] [PATCH 09/19] Make cron user content access optional
In-Reply-To: <20170522161155.9648-1-sven.vermeulen@siphos.be>
References: <20170522161155.9648-1-sven.vermeulen@siphos.be>
Message-ID: <20170522161155.9648-10-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Cron has two modus operandi for handling cron jobs: either the cron jobs run in the generic cronjob_t domain, or they run in the users' main domain. The generic cronjob_t domain had manage rights on the user content. With this change, this is made optional under support of the necessary booleans (cron_{read,manage}_{generic,all}_user_content).
Signed-off-by: Sven Vermeulen
---
 cron.te | 49 ++++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 38 insertions(+), 11 deletions(-)
diff --git a/cron.te b/cron.te
index c9cc3f4..57c3f3e 100644
--- a/cron.te
+++ b/cron.te
@@ -35,6 +35,35 @@ gen_tunable(cron_userdomain_transition, false)
 ##
 gen_tunable(fcron_crond, false)
+##
+##

+## Grant the cronjob domains read access to generic user content
+##

+##
+gen_tunable(`cron_read_generic_user_content', true)
+
+##
+##

+## Grant the cronjob domains read access to all user content
+##

+##
+gen_tunable(`cron_read_all_user_content', false)
+
+##
+##

+## Grant the cronjob domains manage rights on generic user content
+##

+##
+gen_tunable(`cron_manage_generic_user_content', false)
+
+##
+##

+## Grant the cronjob domains manage rights on all user content
+##

+##
+gen_tunable(`cron_manage_all_user_content', false)
+
+
 attribute cron_spool_type;
 attribute crontab_domain;
@@ -184,8 +213,6 @@ seutil_read_config(crontab_domain)
 userdom_manage_user_tmp_dirs(crontab_domain)
 userdom_manage_user_tmp_files(crontab_domain)
 userdom_use_user_terminals(crontab_domain)
-userdom_read_user_home_content_files(crontab_domain)
-userdom_read_user_home_content_symlinks(crontab_domain)
 tunable_policy(`fcron_crond',`
 dontaudit crontab_domain crond_t:process signal;
@@ -708,15 +735,15 @@ seutil_read_config(cronjob_t)
 miscfiles_read_localization(cronjob_t)
-userdom_manage_user_tmp_files(cronjob_t)
-userdom_manage_user_tmp_symlinks(cronjob_t)
-userdom_manage_user_tmp_pipes(cronjob_t)
-userdom_manage_user_tmp_sockets(cronjob_t)
-userdom_exec_user_home_content_files(cronjob_t)
-userdom_manage_user_home_content_files(cronjob_t)
-userdom_manage_user_home_content_symlinks(cronjob_t)
-userdom_manage_user_home_content_pipes(cronjob_t)
-userdom_manage_user_home_content_sockets(cronjob_t)
+userdom_user_content_access_template(cron, { cronjob_t crontab_domain })
+
+tunable_policy(`cron_manage_generic_user_content',`
+ userdom_manage_user_tmp_pipes(cronjob_t)
+ userdom_manage_user_tmp_sockets(cronjob_t)
+ userdom_exec_user_home_content_files(cronjob_t)
+ userdom_manage_user_home_content_pipes(cronjob_t)
+ userdom_manage_user_home_content_sockets(cronjob_t)
+')
 tunable_policy(`cron_userdomain_transition',`
 dontaudit cronjob_t crond_t:fd use;
--
2.13.0
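Review bot: The four tunable descriptions name only "the cronjob domains", but the template call in the last hunk is applied to `{ cronjob_t crontab_domain }`, so each boolean appears to govern the crontab domains as well. An administrator who enables cron_manage_generic_user_content or cron_manage_all_user_content to restore the old cronjob_t behaviour would, if the template does what its name suggests, also hand the crontab domains manage rights they never had (the second hunk shows they previously held only read access to home content files and symlinks). The descriptions should name both, for example `## Grant the cronjob and crontab domains manage rights on all user content`, or the template should be invoked for cronjob_t alone if the wider grant is not intended. The template body is not visible on this page, so its exact permissions need confirming.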
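Review bot: `userdom_exec_user_home_content_files(cronjob_t)` sits inside the `cron_manage_generic_user_content` block, which couples execute permission on user home content to the boolean that grants write access to it. A site that only needs cron jobs to run scripts kept in a home directory has to enable manage rights too, leaving cronjob_t able to both modify and execute the same files; and with the default of false, jobs that previously ran such scripts will be denied after the update. Consider gating the exec rule on its own tunable, or at least state the coupling in a comment above the block, e.g. `# exec of user home content is only granted together with manage rights`. The cronjob_t rule section this hunk edits starts before the hunk, and the cron_userdomain_transition block after it continues past the hunk.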