From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Sun, 25 Mar 2018 13:57:04 +0200 Subject: [refpolicy] [PATCH v3 09/19] Make cron user content access optional In-Reply-To: <20180325115714.5610-1-sven.vermeulen@siphos.be> References: <20180325115714.5610-1-sven.vermeulen@siphos.be> Message-ID: <20180325115714.5610-10-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Cron has two modus operandi for handling cron jobs: either the cron jobs run in the generic cronjob_t domain, or they run in the users' main domain. The generic cronjob_t domain had manage rights on the user content. With this change, this is made optional under support of the necessary booleans (cron_{read,manage}_{generic,all}_user_content). Changes since v2: - Keep userdom_exec_user_home_content_files in main block as it contains a tunable definition so cannot be nested within another tunable block Changes since v1: - Move tunable definitions inside template Signed-off-by: Sven Vermeulen --- cron.te | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/cron.te b/cron.te index 1192563..8d2d72e 100644 --- a/cron.te +++ b/cron.te @@ -187,8 +187,6 @@ seutil_read_config(crontab_domain) userdom_manage_user_tmp_dirs(crontab_domain) userdom_manage_user_tmp_files(crontab_domain) userdom_use_user_terminals(crontab_domain) -userdom_read_user_home_content_files(crontab_domain) -userdom_read_user_home_content_symlinks(crontab_domain) tunable_policy(`fcron_crond',` dontaudit crontab_domain crond_t:process signal; 
@@ -711,15 +709,15 @@ seutil_read_config(cronjob_t) miscfiles_read_localization(cronjob_t) -userdom_manage_user_tmp_files(cronjob_t) -userdom_manage_user_tmp_symlinks(cronjob_t) -userdom_manage_user_tmp_pipes(cronjob_t) -userdom_manage_user_tmp_sockets(cronjob_t) userdom_exec_user_home_content_files(cronjob_t) -userdom_manage_user_home_content_files(cronjob_t) -userdom_manage_user_home_content_symlinks(cronjob_t) -userdom_manage_user_home_content_pipes(cronjob_t) -userdom_manage_user_home_content_sockets(cronjob_t) +userdom_user_content_access_template(cron, { cronjob_t crontab_domain }) + +tunable_policy(`cron_manage_generic_user_content',` + userdom_manage_user_tmp_pipes(cronjob_t) + userdom_manage_user_tmp_sockets(cronjob_t) + userdom_manage_user_home_content_pipes(cronjob_t) + userdom_manage_user_home_content_sockets(cronjob_t) +') tunable_policy(`cron_userdomain_transition',` dontaudit cronjob_t crond_t:fd use; -- 2.16.1
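Review bot: The two removals in the @@ -187 hunk, userdom_read_user_home_content_files(crontab_domain) and userdom_read_user_home_content_symlinks(crontab_domain), affect crontab_domain rather than cronjob_t, yet the commit message only describes the cronjob_t manage rights becoming optional. After this patch crontab_domain reads user home content only through the userdom_user_content_access_template(cron, { cronjob_t crontab_domain }) call added in the second hunk, so that access now depends on the cron_read_* booleans. Please state this in the commit message and note which boolean an administrator has to enable to keep the previous crontab behaviour. Because the same template call covers both types, it is also worth confirming that turning on a cron_manage_* boolean does not give crontab_domain manage access it never had before; if it does, a separate template call for crontab_domain would keep it read-only.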
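Review bot: In the @@ -711 hunk, the new tunable_policy block keys the pipe and socket rules on cron_manage_generic_user_content alone, so a system with only cron_manage_all_user_content enabled gets whatever the template grants but not userdom_manage_user_tmp_pipes, userdom_manage_user_tmp_sockets or the two home_content equivalents. If "all" is meant to be a superset of "generic", use a condition that covers both booleans, or document that pipes and sockets follow the generic boolean only. Two smaller points on the same hunk: userdom_exec_user_home_content_files(cronjob_t) stays unconditional, so cronjob_t can still execute user home content with every cron_* content boolean off; the v2 changelog explains why it cannot be nested, but a comment in cron.te next to that line would keep it from looking like an oversight. Also, cron_manage_generic_user_content is not declared anywhere in the visible lines of this file, so a short comment saying that the userdom_user_content_access_template call just above declares it would help readers of cron.te.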