From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 20 Nov 2017 14:29:51 +0100
Subject: [refpolicy] [PATCH v2 09/19] Make cron user content access optional
In-Reply-To: <20171120133001.25744-1-sven.vermeulen@siphos.be>
References: <20171120133001.25744-1-sven.vermeulen@siphos.be>
Message-ID: <20171120133001.25744-10-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Cron has two modus operandi for handling cron jobs: either the cron jobs
run in the generic cronjob_t domain, or they run in the users' main
domain.

The generic cronjob_t domain had manage rights on the user content. With
this change, this is made optional under support of the necessary
booleans (cron_{read,manage}_{generic,all}_user_content).

Changes since v1:
 - Move tunable definitions inside template

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 cron.te | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)

diff --git a/cron.te b/cron.te
index 13c9ada..7fbc4d6 100644
--- a/cron.te
+++ b/cron.te
@@ -187,8 +187,6 @@ seutil_read_config(crontab_domain)
 userdom_manage_user_tmp_dirs(crontab_domain)
 userdom_manage_user_tmp_files(crontab_domain)
 userdom_use_user_terminals(crontab_domain)
-userdom_read_user_home_content_files(crontab_domain)
-userdom_read_user_home_content_symlinks(crontab_domain)
 
 tunable_policy(`fcron_crond',`
 	dontaudit crontab_domain crond_t:process signal;
@@ -711,15 +709,15 @@ seutil_read_config(cronjob_t)
 
 miscfiles_read_localization(cronjob_t)
 
-userdom_manage_user_tmp_files(cronjob_t)
-userdom_manage_user_tmp_symlinks(cronjob_t)
-userdom_manage_user_tmp_pipes(cronjob_t)
-userdom_manage_user_tmp_sockets(cronjob_t)
-userdom_exec_user_home_content_files(cronjob_t)
-userdom_manage_user_home_content_files(cronjob_t)
-userdom_manage_user_home_content_symlinks(cronjob_t)
-userdom_manage_user_home_content_pipes(cronjob_t)
-userdom_manage_user_home_content_sockets(cronjob_t)
+userdom_user_content_access_template(cron, { cronjob_t crontab_domain })
+
+tunable_policy(`cron_manage_generic_user_content',`
+	userdom_manage_user_tmp_pipes(cronjob_t)
+	userdom_manage_user_tmp_sockets(cronjob_t)
+	userdom_exec_user_home_content_files(cronjob_t)
+	userdom_manage_user_home_content_pipes(cronjob_t)
+	userdom_manage_user_home_content_sockets(cronjob_t)
+')
 
 tunable_policy(`cron_userdomain_transition',`
 	dontaudit cronjob_t crond_t:fd use;
-- 
2.13.6