2015-07-16 13:09:44

by Jason Zaman

[permalink] [raw]
Subject: [refpolicy] [PATCH v2] Introduce cron_admin interface

---
Changes from v1:
allow admin of cronjob_t domain.
user cronjob domains are unchanged and not allowed
cron.if | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 53 insertions(+)

diff --git a/cron.if b/cron.if
index cc225d1..a76e902 100644
--- a/cron.if
+++ b/cron.if
@@ -838,3 +838,56 @@ interface(`cron_dontaudit_write_system_job_tmp_files',`

dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate a cron environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cron_admin',`
+ gen_require(`
+ type crond_t, cronjob_t, crond_initrc_exec_t;
+ type cron_var_lib_t, system_cronjob_var_lib_t;
+ type crond_tmp_t, admin_crontab_tmp_t;
+ type crontab_tmp_t, system_cronjob_tmp_t;
+ type cron_var_run_t, system_cronjob_var_run_t, crond_var_run_t;
+ type cron_log_t, system_cronjob_lock_t, user_cron_spool_log_t;
+ attribute cron_spool_type;
+ ')
+
+ allow $1 { crond_t cronjob_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { crond_t cronjob_t })
+
+ init_startstop_service($1, $2, crond_t, crond_initrc_exec_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, { cron_var_lib_t system_cronjob_var_lib_t })
+
+ files_search_tmp($1)
+ admin_pattern($1, { crond_tmp_t admin_crontab_tmp_t })
+ admin_pattern($1, { crontab_tmp_t system_cronjob_tmp_t })
+
+ files_search_pids($1)
+ admin_pattern($1, { cron_var_run_t crond_var_run_t system_cronjob_var_run_t })
+
+ files_search_locks($1)
+ admin_pattern($1, system_cronjob_lock_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, { cron_log_t user_cron_spool_log_t })
+
+ files_search_spool($1)
+ admin_pattern($1, cron_spool_type)
+')
--
2.3.6


2015-07-17 13:30:41

by cpebenito

[permalink] [raw]
Subject: [refpolicy] [PATCH v2] Introduce cron_admin interface

On 7/16/2015 9:09 AM, Jason Zaman wrote:
> ---
> Changes from v1:
> allow admin of cronjob_t domain.
> user cronjob domains are unchanged and not allowed
> cron.if | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 53 insertions(+)

Merged.


> diff --git a/cron.if b/cron.if
> index cc225d1..a76e902 100644
> --- a/cron.if
> +++ b/cron.if
> @@ -838,3 +838,56 @@ interface(`cron_dontaudit_write_system_job_tmp_files',`
>
> dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
> ')
> +
> +########################################
> +## <summary>
> +## All of the rules required to
> +## administrate a cron environment.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`cron_admin',`
> + gen_require(`
> + type crond_t, cronjob_t, crond_initrc_exec_t;
> + type cron_var_lib_t, system_cronjob_var_lib_t;
> + type crond_tmp_t, admin_crontab_tmp_t;
> + type crontab_tmp_t, system_cronjob_tmp_t;
> + type cron_var_run_t, system_cronjob_var_run_t, crond_var_run_t;
> + type cron_log_t, system_cronjob_lock_t, user_cron_spool_log_t;
> + attribute cron_spool_type;
> + ')
> +
> + allow $1 { crond_t cronjob_t }:process { ptrace signal_perms };
> + ps_process_pattern($1, { crond_t cronjob_t })
> +
> + init_startstop_service($1, $2, crond_t, crond_initrc_exec_t)
> +
> + files_search_var_lib($1)
> + admin_pattern($1, { cron_var_lib_t system_cronjob_var_lib_t })
> +
> + files_search_tmp($1)
> + admin_pattern($1, { crond_tmp_t admin_crontab_tmp_t })
> + admin_pattern($1, { crontab_tmp_t system_cronjob_tmp_t })
> +
> + files_search_pids($1)
> + admin_pattern($1, { cron_var_run_t crond_var_run_t system_cronjob_var_run_t })
> +
> + files_search_locks($1)
> + admin_pattern($1, system_cronjob_lock_t)
> +
> + logging_search_logs($1)
> + admin_pattern($1, { cron_log_t user_cron_spool_log_t })
> +
> + files_search_spool($1)
> + admin_pattern($1, cron_spool_type)
> +')
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com