2017-04-19 10:22:35

by Russell Coker

Subject: [refpolicy] [PATCH] user_crontab_t etc

Firstly this patch applies to today's Git tree and is not dependent on the
login patch which is still being debated.

This patch uses user_crontab_t, sysadm_crontab_t etc domains, as we used to do
but which was removed some time in the past.

Chris, are you willing to consider restoring this functionality? If not what
do you think would be the best way of catering for different needs in this
regard? Should I try to make a patch with ifdef role_crontab_domain or
something?

Index: refpolicy-2.20170417/policy/modules/contrib/cron.if
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/cron.if
+++ refpolicy-2.20170417/policy/modules/contrib/cron.if
@@ -13,7 +13,7 @@
template(`cron_common_crontab_template',`
gen_require(`
attribute crontab_domain;
- type crontab_exec_t;
+ type crontab_exec_t, crond_t;
')

##############################
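Review bot: `crond_t` is added to the template's gen_require on L28, but nothing in the visible template body (the next hunk, through its closing `')`) references it, so the new require looks unused; drop `crond_t` from the require unless a part of the template outside these hunks uses it. The template continues in the next hunk.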
@@ -21,23 +21,33 @@ template(`cron_common_crontab_template',
# Declarations
#

- type $1_t, crontab_domain;
- userdom_user_application_domain($1_t, crontab_exec_t)
+ type $1_crontab_t, crontab_domain;
+ userdom_user_application_domain($1_crontab_t, crontab_exec_t)

- type $1_tmp_t;
- userdom_user_tmp_file($1_tmp_t)
+ type $1_crontab_tmp_t;
+ userdom_user_tmp_file($1_crontab_tmp_t)
+
+ type $1_cron_spool_t, cron_spool_type;

##############################
#
# Local policy
#

- manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
- manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
- files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
+ manage_dirs_pattern($1_crontab_t, $1_crontab_tmp_t, $1_crontab_tmp_t)
+ manage_files_pattern($1_crontab_t, $1_crontab_tmp_t, $1_crontab_tmp_t)
+ files_tmp_filetrans($1_crontab_t, $1_crontab_tmp_t, { dir file })
+
+ auth_domtrans_chk_passwd($1_crontab_t)
+ auth_use_nsswitch($1_crontab_t)
+ allow $1_crontab_t self:capability fsetid;
+
+ files_type($1_cron_spool_t)
+ ubac_constrained($1_cron_spool_t)
+ mta_system_content($1_cron_spool_t)

- auth_domtrans_chk_passwd($1_t)
- auth_use_nsswitch($1_t)
+ manage_files_pattern($1_crontab_t, { cron_spool_t user_cron_spool_t }, $1_cron_spool_t)
+ filetrans_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t, file)
')

########################################
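Review bot: The template still hard-codes `user_cron_spool_t` in `manage_files_pattern($1_crontab_t, { cron_spool_t user_cron_spool_t }, $1_cron_spool_t)`, so every instantiation (sysadm, staff, unconfined) silently depends on the `user` instantiation and may create files under user_cron_spool_t directories, which undercuts the per-role spool separation the patch introduces. Use the instantiation's own type, `manage_files_pattern($1_crontab_t, { cron_spool_t $1_cron_spool_t }, $1_cron_spool_t)`, or the `cron_spool_type` attribute if cross-type directory access is really needed, and add `attribute cron_spool_type; type cron_spool_t;` to the template's gen_require. The new `allow $1_crontab_t self:capability fsetid;` is unexplained; a one-line comment naming the crontab operation that needs it would let reviewers judge whether every role's crontab domain should carry it.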
@@ -51,15 +61,15 @@ template(`cron_common_crontab_template',
## </param>
## <param name="domain">
## <summary>
-## User domain for the role.
+## stem of domain for the role.
## </summary>
## </param>
## <rolecap/>
#
interface(`cron_role',`
gen_require(`
- type cronjob_t, crontab_t, crontab_exec_t;
- type user_cron_spool_t, crond_t;
+ type $2_crontab_t, crontab_exec_t;
+ type $2_cron_spool_t, crond_t;
bool cron_userdomain_transition;
')

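Review bot: The parameter description `## stem of domain for the role.` is now the only place callers learn that `$2` is a prefix rather than a type, yet it does not say which names are derived from it; write it as `## Prefix of the user domain (e.g. staff); the interface uses $2_t, $2_crontab_t and $2_cron_spool_t.` Because the argument's meaning changed, any caller not updated by this patch (only staff, unprivuser and unconfined are) that still passes a full domain name would expand to a non-existent type (a `sysadm_t` argument becomes `sysadm_t_crontab_t`) and fail to build, so the commit message should state that the other role modules were checked for `cron_role(` calls. The interface body continues in the next hunk.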
@@ -68,138 +78,42 @@ interface(`cron_role',`
# Declarations
#

- role $1 types { cronjob_t crontab_t };
+ role $1 types { $2_crontab_t };

##############################
#
# Local policy
#

- domtrans_pattern($2, crontab_exec_t, crontab_t)
+ domtrans_pattern($2_t, crontab_exec_t, $2_crontab_t)

- dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
- allow $2 crond_t:process sigchld;
+ dontaudit crond_t $2_t:process { noatsecure siginh rlimitinh };
+ allow $2_t crond_t:process sigchld;

- allow $2 user_cron_spool_t:file { getattr read write ioctl };
+ allow $2_t $2_cron_spool_t:file { getattr read write ioctl };

- allow $2 crontab_t:process { ptrace signal_perms };
- ps_process_pattern($2, crontab_t)
+ allow $2_t $2_crontab_t:process { ptrace signal_perms };
+ ps_process_pattern($2_t, $2_crontab_t)

- corecmd_exec_bin(crontab_t)
- corecmd_exec_shell(crontab_t)
+ corecmd_exec_bin($2_crontab_t)
+ corecmd_exec_shell($2_crontab_t)

tunable_policy(`cron_userdomain_transition',`
- allow crond_t $2:process transition;
- allow crond_t $2:fd use;
- allow crond_t $2:key manage_key_perms;
-
- allow $2 user_cron_spool_t:file entrypoint;
+ allow crond_t $2_t:process transition;
+ allow crond_t $2_t:fd use;
+ allow crond_t $2_t:key manage_key_perms;

- allow $2 crond_t:fifo_file rw_fifo_file_perms;
+ allow $2_t $2_cron_spool_t:file entrypoint;

- allow $2 cronjob_t:process { ptrace signal_perms };
- ps_process_pattern($2, cronjob_t)
+ allow $2_t crond_t:fifo_file rw_fifo_file_perms;
',`
- dontaudit crond_t $2:process transition;
- dontaudit crond_t $2:fd use;
- dontaudit crond_t $2:key manage_key_perms;
-
- dontaudit $2 user_cron_spool_t:file entrypoint;
-
- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
-
- dontaudit $2 cronjob_t:process { ptrace signal_perms };
- ')
-
- optional_policy(`
- gen_require(`
- class dbus send_msg;
- ')
-
- dbus_stub(cronjob_t)
-
- allow cronjob_t $2:dbus send_msg;
- ')
-')
-
-########################################
-## <summary>
-## Role access for unconfined cron.
-## </summary>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <param name="domain">
-## <summary>
-## User domain for the role.
-## </summary>
-## </param>
-#
-interface(`cron_unconfined_role',`
- gen_require(`
- type unconfined_cronjob_t, crontab_t, crontab_exec_t;
- type crond_t, user_cron_spool_t;
- bool cron_userdomain_transition;
- ')
-
- ##############################
- #
- # Declarations
- #
-
- role $1 types { unconfined_cronjob_t crontab_t };
-
- ##############################
- #
- # Local policy
- #
-
- domtrans_pattern($2, crontab_exec_t, crontab_t)
-
- dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
- allow $2 crond_t:process sigchld;
-
- allow $2 user_cron_spool_t:file { getattr read write ioctl };
-
- allow $2 crontab_t:process { ptrace signal_perms };
- ps_process_pattern($2, crontab_t)
-
- corecmd_exec_bin(crontab_t)
- corecmd_exec_shell(crontab_t)
-
- tunable_policy(`cron_userdomain_transition',`
- allow crond_t $2:process transition;
- allow crond_t $2:fd use;
- allow crond_t $2:key manage_key_perms;
-
- allow $2 user_cron_spool_t:file entrypoint;
-
- allow $2 crond_t:fifo_file rw_fifo_file_perms;
-
- allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
- ps_process_pattern($2, unconfined_cronjob_t)
- ',`
- dontaudit crond_t $2:process transition;
- dontaudit crond_t $2:fd use;
- dontaudit crond_t $2:key manage_key_perms;
-
- dontaudit $2 user_cron_spool_t:file entrypoint;
-
- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
-
- dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms };
-')
-
- optional_policy(`
- gen_require(`
- class dbus send_msg;
- ')
+ dontaudit crond_t $2_t:process transition;
+ dontaudit crond_t $2_t:fd use;
+ dontaudit crond_t $2_t:key manage_key_perms;

- dbus_stub(unconfined_cronjob_t)
+ dontaudit $2_t $2_cron_spool_t:file entrypoint;

- allow unconfined_cronjob_t $2:dbus send_msg;
+ dontaudit $2_t crond_t:fifo_file rw_fifo_file_perms;
')
')

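Review bot: With `role $1 types { $2_crontab_t };` the role no longer holds `cronjob_t`, and the `cron_userdomain_transition` else-branch now contains only dontaudit rules, so when the boolean is off a job from `$2_cron_spool_t` has no domain it can enter; the old fallback to the generic `cronjob_t` domain is replaced by a hard deny, and the same now applies to unconfined_r since `cron_unconfined_role` is removed and unconfined.te switches to `cron_role`. If that is intended, state it in the interface `<summary>` and in the tunable's `<desc>` in cron.te, e.g. `## If disabled, jobs from this role's spool are not run.`; otherwise keep a `cronjob_t` transition for the off case. `cronjob_t` is still referenced elsewhere in cron.te (the `crond_tmp_t` and `nis_use_ypbind` hunks) but appears to be unreachable from any role this patch touches.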
Index: refpolicy-2.20170417/policy/modules/contrib/cron.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/cron.te
+++ refpolicy-2.20170417/policy/modules/contrib/cron.te
@@ -25,7 +25,7 @@ gen_tunable(cron_can_relabel, false)
## the generic cronjob domain.
## </p>
## </desc>
-gen_tunable(cron_userdomain_transition, false)
+gen_tunable(cron_userdomain_transition, true)

## <desc>
## <p>
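Review bot: Flipping the `cron_userdomain_transition` default to true changes what a user's cron job may do out of the box (it runs in the full user domain rather than the restricted generic cronjob domain), but the `<desc>` text above the tunable (its tail visible on L257) still presents the generic cronjob domain as the alternative, which the rewritten `cron_role` in cron.if no longer provides. Update the description together with the default, and call out the default change in the commit message since existing installs may rely on the old value.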
@@ -86,15 +86,16 @@ mta_system_content(crond_var_run_t)
type crontab_exec_t;
application_executable_file(crontab_exec_t)

-cron_common_crontab_template(admin_crontab)
-typealias admin_crontab_t alias sysadm_crontab_t;
-typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t;
-
-cron_common_crontab_template(crontab)
-typealias crontab_t alias { user_crontab_t staff_crontab_t };
-typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
-typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
-typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
+cron_common_crontab_template(sysadm)
+typealias sysadm_crontab_t alias admin_crontab_t;
+typealias sysadm_crontab_tmp_t alias admin_crontab_tmp_t;
+
+cron_common_crontab_template(user)
+cron_common_crontab_template(staff)
+cron_common_crontab_template(unconfined)
+typealias user_crontab_t alias { crontab_t };
+typealias sysadm_crontab_t alias { auditadm_crontab_t secadm_crontab_t };
+typealias sysadm_crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };

type system_cron_spool_t, cron_spool_type;
files_type(system_cron_spool_t)
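Review bot: `typealias sysadm_crontab_t alias { auditadm_crontab_t secadm_crontab_t };` (together with the spool alias `typealias sysadm_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };` in the next hunk) re-points the auditadm and secadm crontab domains and spool types from the unprivileged crontab/user spool types to the sysadm ones, so a crontab written by a secadm_r user is now labelled `sysadm_cron_spool_t`; whether that is a deliberate privilege change or a side effect of the refactor should be stated in a comment above the typealias lines. `crontab_t` also becomes an alias of `user_crontab_t` only, so out-of-tree policy that granted access to `crontab_t` for all roles now reaches only user_r; a comment such as `# crontab_t kept for compatibility; it names the user_r instance only` would make that visible.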
@@ -117,12 +118,7 @@ files_type(system_cronjob_var_lib_t)
type system_cronjob_var_run_t;
files_pid_file(system_cronjob_var_run_t)

-type user_cron_spool_t, cron_spool_type;
-typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
-typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
-files_type(user_cron_spool_t)
-ubac_constrained(user_cron_spool_t)
-mta_system_content(user_cron_spool_t)
+typealias sysadm_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };

type user_cron_spool_log_t;
logging_log_file(user_cron_spool_log_t)
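Review bot: `staff_cron_spool_t` and `unconfined_cron_spool_t` were aliases of `user_cron_spool_t` and now become distinct types created by the template, so crontab files already on disk keep the `user_cron_spool_t` label and will no longer match the staff or unconfined `manage_files_pattern` target nor the `$2_cron_spool_t:file entrypoint` rule until relabelled. Since cron.fc is not part of the patch and per-role spool files presumably cannot be told apart by path, the commit message should say how existing spools get their new label, or this hunk should keep a compatibility path for them.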
@@ -142,9 +138,6 @@ allow crontab_domain self:capability { c
allow crontab_domain self:process { getcap setsched signal_perms };
allow crontab_domain self:fifo_file rw_fifo_file_perms;

-manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
-filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
-
allow crontab_domain cron_spool_t:dir setattr_dir_perms;

allow crontab_domain crond_t:process signal;
@@ -215,8 +208,8 @@ tunable_policy(`fcron_crond',`
# Daemon local policy
#

-allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice };
-dontaudit crond_t self:capability { sys_resource sys_tty_config };
+allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice sys_resource };
+dontaudit crond_t self:capability { sys_tty_config };
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
allow crond_t self:process { setexec setfscreate };
allow crond_t self:fd use;
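Review bot: `sys_resource` moves from dontaudit to allow for `crond_t` on L321 with no explanation; a capability that was deliberately silenced before should get a comment naming the operation that needs it (`# sys_resource: needed for <operation, to be confirmed>`), or stay a dontaudit if the denial is only noise. The grant is also unrelated to the per-role crontab change in the subject and would be easier to review as its own patch.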
@@ -230,6 +223,7 @@ allow crond_t self:msg { send receive };
allow crond_t self:key { search write link };
dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;

+allow crond_t cron_spool_type:file read_file_perms;
allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
logging_log_filetrans(crond_t, cron_log_t, file)

@@ -340,6 +334,23 @@ ifdef(`distro_debian',`
optional_policy(`
logwatch_search_cache_dir(crond_t)
')
+ optional_policy(`
+ apt_manage_cache(system_cronjob_t)
+ apt_read_db(system_cronjob_t)
+ dpkg_manage_db(system_cronjob_t)
+ ')
+')
+
+optional_policy(`
+ acct_manage_data(system_cronjob_t)
+')
+
+optional_policy(`
+ ntp_admin(system_cronjob_t, system_r)
+')
+
+optional_policy(`
+ apache_delete_lib_files(system_cronjob_t)
')

ifdef(`distro_redhat',`
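Review bot: `ntp_admin(system_cronjob_t, system_r)`, `apt_manage_cache`, `dpkg_manage_db`, `acct_manage_data` and `apache_delete_lib_files` add broad write access for the single system_cronjob_t domain, and the same pattern continues with `init_manage_script_service` (L362), the `net_admin` capability (L371) and `logging_manage_generic_logs` (L380); each is a permanent widening of what every root cron job may do, not scoped to the job that produced the denial. Each block should carry a comment naming the job it serves (e.g. `# for the apt cache maintenance job`), and the grants that serve one package (ntp, apache) would be safer as a transition into that package's own domain than as admin rights for all system jobs. These hunks are independent of the user_crontab_t change in the subject and would be easier to review as a separate patch.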
@@ -429,6 +440,7 @@ optional_policy(`
systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
# so cron jobs can restart daemons
init_stream_connect(system_cronjob_t)
+ init_manage_script_service(system_cronjob_t)
')

optional_policy(`
@@ -440,14 +452,15 @@ optional_policy(`
# System local policy
#

-allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_bind_service setgid setuid sys_nice };
+allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice };
allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fd use;
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;

-allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+allow system_cronjob_t cron_log_t:file manage_file_perms;
logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+logging_manage_generic_logs(system_cronjob_t)

allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
@@ -464,7 +477,8 @@ files_lock_filetrans(system_cronjob_t, s
manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
-files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
+files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir })
+allow system_cronjob_t system_cronjob_tmp_t:dir manage_dir_perms;

manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)

@@ -475,7 +489,8 @@ allow system_cronjob_t crond_t:process s
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
allow system_cronjob_t cron_spool_t:file rw_file_perms;

-allow system_cronjob_t crond_tmp_t:file { read write };
+allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms;
+allow cronjob_t crond_tmp_t:file rw_inherited_file_perms;

kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_network_state(system_cronjob_t)
@@ -567,6 +582,10 @@ optional_policy(`
')

optional_policy(`
+ read_mrtg_etc(system_cronjob_t)
+')
+
+optional_policy(`
cyrus_manage_data(system_cronjob_t)
')

@@ -719,27 +738,3 @@ optional_policy(`
nis_use_ypbind(cronjob_t)
')

-########################################
-#
-# Unconfined local policy
-#
-
-type unconfined_cronjob_t;
-domain_type(unconfined_cronjob_t)
-domain_cron_exemption_target(unconfined_cronjob_t)
-
-dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
-
-tunable_policy(`cron_userdomain_transition',`
- dontaudit crond_t unconfined_cronjob_t:process transition;
- dontaudit crond_t unconfined_cronjob_t:fd use;
- dontaudit crond_t unconfined_cronjob_t:key manage_key_perms;
-',`
- allow crond_t unconfined_cronjob_t:process transition;
- allow crond_t unconfined_cronjob_t:fd use;
- allow crond_t unconfined_cronjob_t:key manage_key_perms;
-')
-
-optional_policy(`
- unconfined_domain(unconfined_cronjob_t)
-')
Index: refpolicy-2.20170417/policy/modules/contrib/apt.if
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/apt.if
+++ refpolicy-2.20170417/policy/modules/contrib/apt.if
@@ -164,6 +164,26 @@ interface(`apt_use_ptys',`
## </summary>
## </param>
#
+interface(`apt_manage_cache',`
+ gen_require(`
+ type apt_var_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 apt_var_cache_t:dir manage_dir_perms;
+ allow $1 apt_var_cache_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Read apt package cache content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
interface(`apt_read_cache',`
gen_require(`
type apt_var_cache_t;
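Review bot: The new `apt_manage_cache` interface is inserted between the tail of an existing doc block (L448-L450) and `apt_read_cache`, so the documentation that previously described `apt_read_cache` now heads `apt_manage_cache` while `apt_read_cache` gets the freshly written block; the start of that older block is outside the hunk, so check that its `<summary>` was changed to something like `## Create, read, write, and delete apt package cache content.` rather than the read-only wording, otherwise the generated interface docs will describe the wrong access.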
Index: refpolicy-2.20170417/policy/modules/contrib/mrtg.if
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/mrtg.if
+++ refpolicy-2.20170417/policy/modules/contrib/mrtg.if
@@ -2,6 +2,24 @@

########################################
## <summary>
+## Read mrtg configuration
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`read_mrtg_etc',`
+ gen_require(`
+ type mrtg_etc_t;
+ ')
+
+ allow $1 mrtg_etc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Create and append mrtg log files.
## </summary>
## <param name="domain">
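Review bot: `read_mrtg_etc` does not follow the refpolicy convention of prefixing interfaces with the module name, as the neighbouring interfaces in this file do; name it `mrtg_read_config` and update the caller `read_mrtg_etc(system_cronjob_t)` in cron.te (L408). The summary `## Read mrtg configuration` lacks the terminating period used by the surrounding blocks. The body grants `read_file_perms` on `mrtg_etc_t` files only; if the configuration lives under /etc the caller will also need `files_search_etc($1)` for the directory lookup — confirm against the mrtg file contexts.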
Index: refpolicy-2.20170417/policy/modules/roles/staff.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/roles/staff.te
+++ refpolicy-2.20170417/policy/modules/roles/staff.te
@@ -81,7 +81,7 @@ ifndef(`distro_redhat',`
')

optional_policy(`
- cron_role(staff_r, staff_t)
+ cron_role(staff_r, staff)
')

optional_policy(`
Index: refpolicy-2.20170417/policy/modules/roles/unprivuser.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/roles/unprivuser.te
+++ refpolicy-2.20170417/policy/modules/roles/unprivuser.te
@@ -50,7 +50,7 @@ ifndef(`distro_redhat',`
')

optional_policy(`
- cron_role(user_r, user_t)
+ cron_role(user_r, user)
')

optional_policy(`
Index: refpolicy-2.20170417/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/system/unconfined.te
+++ refpolicy-2.20170417/policy/modules/system/unconfined.te
@@ -76,7 +76,7 @@ optional_policy(`
')

optional_policy(`
- cron_unconfined_role(unconfined_r, unconfined_t)
+ cron_role(unconfined_r, unconfined)
')

optional_policy(`


2017-04-19 10:48:01

by Christian Göttsche

Subject: [refpolicy] [PATCH] user_crontab_t etc

fwiw, I am using a completely rewritten version of cron, where all user
cronjobs run in the user domain itself.
I think it is more secure and manageable than running all user crontabs
in a generic crontab_t domain or using separate $1_cronjob_t ones.
Another point I dislike about the upstream cron policy is the power of
system_cronjob_t: I prefer cronjobs to transition into appropriate
domains for the specific task.



https://github.com/cgzones/debian-package-refpolicy/blob/management/debian/patches/0403-cron-check-module.patch

2017-04-19 12:22 GMT+02:00 Russell Coker via refpolicy
<[email protected]>:
> Firstly this patch applies to today's Git tree and is not dependent on the
> login patch which is still being debated.
>
> This patch uses user_crontab_t, sysadm_crontab_t etc domains, as we used to do
> but which was removed some time in the past.
>
> Chris, are you willing to consider restoring this functionality? If not what
> do you think would be the best way of catering for different needs in this
> regard? Should I try to make a patch with ifdef role_crontab_domain or
> something?
>
> Index: refpolicy-2.20170417/policy/modules/contrib/cron.if
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/cron.if
> +++ refpolicy-2.20170417/policy/modules/contrib/cron.if
> @@ -13,7 +13,7 @@
> template(`cron_common_crontab_template',`
> gen_require(`
> attribute crontab_domain;
> - type crontab_exec_t;
> + type crontab_exec_t, crond_t;
> ')
>
> ##############################
> @@ -21,23 +21,33 @@ template(`cron_common_crontab_template',
> # Declarations
> #
>
> - type $1_t, crontab_domain;
> - userdom_user_application_domain($1_t, crontab_exec_t)
> + type $1_crontab_t, crontab_domain;
> + userdom_user_application_domain($1_crontab_t, crontab_exec_t)
>
> - type $1_tmp_t;
> - userdom_user_tmp_file($1_tmp_t)
> + type $1_crontab_tmp_t;
> + userdom_user_tmp_file($1_crontab_tmp_t)
> +
> + type $1_cron_spool_t, cron_spool_type;
>
> ##############################
> #
> # Local policy
> #
>
> - manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
> - manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
> - files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
> + manage_dirs_pattern($1_crontab_t, $1_crontab_tmp_t, $1_crontab_tmp_t)
> + manage_files_pattern($1_crontab_t, $1_crontab_tmp_t, $1_crontab_tmp_t)
> + files_tmp_filetrans($1_crontab_t, $1_crontab_tmp_t, { dir file })
> +
> + auth_domtrans_chk_passwd($1_crontab_t)
> + auth_use_nsswitch($1_crontab_t)
> + allow $1_crontab_t self:capability fsetid;
> +
> + files_type($1_cron_spool_t)
> + ubac_constrained($1_cron_spool_t)
> + mta_system_content($1_cron_spool_t)
>
> - auth_domtrans_chk_passwd($1_t)
> - auth_use_nsswitch($1_t)
> + manage_files_pattern($1_crontab_t, { cron_spool_t user_cron_spool_t }, $1_cron_spool_t)
> + filetrans_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t, file)
> ')
>
> ########################################
> @@ -51,15 +61,15 @@ template(`cron_common_crontab_template',
> ## </param>
> ## <param name="domain">
> ## <summary>
> -## User domain for the role.
> +## stem of domain for the role.
> ## </summary>
> ## </param>
> ## <rolecap/>
> #
> interface(`cron_role',`
> gen_require(`
> - type cronjob_t, crontab_t, crontab_exec_t;
> - type user_cron_spool_t, crond_t;
> + type $2_crontab_t, crontab_exec_t;
> + type $2_cron_spool_t, crond_t;
> bool cron_userdomain_transition;
> ')
>
> @@ -68,138 +78,42 @@ interface(`cron_role',`
> # Declarations
> #
>
> - role $1 types { cronjob_t crontab_t };
> + role $1 types { $2_crontab_t };
>
> ##############################
> #
> # Local policy
> #
>
> - domtrans_pattern($2, crontab_exec_t, crontab_t)
> + domtrans_pattern($2_t, crontab_exec_t, $2_crontab_t)
>
> - dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
> - allow $2 crond_t:process sigchld;
> + dontaudit crond_t $2_t:process { noatsecure siginh rlimitinh };
> + allow $2_t crond_t:process sigchld;
>
> - allow $2 user_cron_spool_t:file { getattr read write ioctl };
> + allow $2_t $2_cron_spool_t:file { getattr read write ioctl };
>
> - allow $2 crontab_t:process { ptrace signal_perms };
> - ps_process_pattern($2, crontab_t)
> + allow $2_t $2_crontab_t:process { ptrace signal_perms };
> + ps_process_pattern($2_t, $2_crontab_t)
>
> - corecmd_exec_bin(crontab_t)
> - corecmd_exec_shell(crontab_t)
> + corecmd_exec_bin($2_crontab_t)
> + corecmd_exec_shell($2_crontab_t)
>
> tunable_policy(`cron_userdomain_transition',`
> - allow crond_t $2:process transition;
> - allow crond_t $2:fd use;
> - allow crond_t $2:key manage_key_perms;
> -
> - allow $2 user_cron_spool_t:file entrypoint;
> + allow crond_t $2_t:process transition;
> + allow crond_t $2_t:fd use;
> + allow crond_t $2_t:key manage_key_perms;
>
> - allow $2 crond_t:fifo_file rw_fifo_file_perms;
> + allow $2_t $2_cron_spool_t:file entrypoint;
>
> - allow $2 cronjob_t:process { ptrace signal_perms };
> - ps_process_pattern($2, cronjob_t)
> + allow $2_t crond_t:fifo_file rw_fifo_file_perms;
> ',`
> - dontaudit crond_t $2:process transition;
> - dontaudit crond_t $2:fd use;
> - dontaudit crond_t $2:key manage_key_perms;
> -
> - dontaudit $2 user_cron_spool_t:file entrypoint;
> -
> - dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
> -
> - dontaudit $2 cronjob_t:process { ptrace signal_perms };
> - ')
> -
> - optional_policy(`
> - gen_require(`
> - class dbus send_msg;
> - ')
> -
> - dbus_stub(cronjob_t)
> -
> - allow cronjob_t $2:dbus send_msg;
> - ')
> -')
> -
> -########################################
> -## <summary>
> -## Role access for unconfined cron.
> -## </summary>
> -## <param name="role">
> -## <summary>
> -## Role allowed access.
> -## </summary>
> -## </param>
> -## <param name="domain">
> -## <summary>
> -## User domain for the role.
> -## </summary>
> -## </param>
> -#
> -interface(`cron_unconfined_role',`
> - gen_require(`
> - type unconfined_cronjob_t, crontab_t, crontab_exec_t;
> - type crond_t, user_cron_spool_t;
> - bool cron_userdomain_transition;
> - ')
> -
> - ##############################
> - #
> - # Declarations
> - #
> -
> - role $1 types { unconfined_cronjob_t crontab_t };
> -
> - ##############################
> - #
> - # Local policy
> - #
> -
> - domtrans_pattern($2, crontab_exec_t, crontab_t)
> -
> - dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
> - allow $2 crond_t:process sigchld;
> -
> - allow $2 user_cron_spool_t:file { getattr read write ioctl };
> -
> - allow $2 crontab_t:process { ptrace signal_perms };
> - ps_process_pattern($2, crontab_t)
> -
> - corecmd_exec_bin(crontab_t)
> - corecmd_exec_shell(crontab_t)
> -
> - tunable_policy(`cron_userdomain_transition',`
> - allow crond_t $2:process transition;
> - allow crond_t $2:fd use;
> - allow crond_t $2:key manage_key_perms;
> -
> - allow $2 user_cron_spool_t:file entrypoint;
> -
> - allow $2 crond_t:fifo_file rw_fifo_file_perms;
> -
> - allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
> - ps_process_pattern($2, unconfined_cronjob_t)
> - ',`
> - dontaudit crond_t $2:process transition;
> - dontaudit crond_t $2:fd use;
> - dontaudit crond_t $2:key manage_key_perms;
> -
> - dontaudit $2 user_cron_spool_t:file entrypoint;
> -
> - dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
> -
> - dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms };
> -')
> -
> - optional_policy(`
> - gen_require(`
> - class dbus send_msg;
> - ')
> + dontaudit crond_t $2_t:process transition;
> + dontaudit crond_t $2_t:fd use;
> + dontaudit crond_t $2_t:key manage_key_perms;
>
> - dbus_stub(unconfined_cronjob_t)
> + dontaudit $2_t $2_cron_spool_t:file entrypoint;
>
> - allow unconfined_cronjob_t $2:dbus send_msg;
> + dontaudit $2_t crond_t:fifo_file rw_fifo_file_perms;
> ')
> ')
>
> Index: refpolicy-2.20170417/policy/modules/contrib/cron.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/cron.te
> +++ refpolicy-2.20170417/policy/modules/contrib/cron.te
> @@ -25,7 +25,7 @@ gen_tunable(cron_can_relabel, false)
> ## the generic cronjob domain.
> ## </p>
> ## </desc>
> -gen_tunable(cron_userdomain_transition, false)
> +gen_tunable(cron_userdomain_transition, true)
>
> ## <desc>
> ## <p>
> @@ -86,15 +86,16 @@ mta_system_content(crond_var_run_t)
> type crontab_exec_t;
> application_executable_file(crontab_exec_t)
>
> -cron_common_crontab_template(admin_crontab)
> -typealias admin_crontab_t alias sysadm_crontab_t;
> -typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t;
> -
> -cron_common_crontab_template(crontab)
> -typealias crontab_t alias { user_crontab_t staff_crontab_t };
> -typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
> -typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
> -typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
> +cron_common_crontab_template(sysadm)
> +typealias sysadm_crontab_t alias admin_crontab_t;
> +typealias sysadm_crontab_tmp_t alias admin_crontab_tmp_t;
> +
> +cron_common_crontab_template(user)
> +cron_common_crontab_template(staff)
> +cron_common_crontab_template(unconfined)
> +typealias user_crontab_t alias { crontab_t };
> +typealias sysadm_crontab_t alias { auditadm_crontab_t secadm_crontab_t };
> +typealias sysadm_crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
>
> type system_cron_spool_t, cron_spool_type;
> files_type(system_cron_spool_t)
> @@ -117,12 +118,7 @@ files_type(system_cronjob_var_lib_t)
> type system_cronjob_var_run_t;
> files_pid_file(system_cronjob_var_run_t)
>
> -type user_cron_spool_t, cron_spool_type;
> -typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
> -typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
> -files_type(user_cron_spool_t)
> -ubac_constrained(user_cron_spool_t)
> -mta_system_content(user_cron_spool_t)
> +typealias sysadm_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
>
> type user_cron_spool_log_t;
> logging_log_file(user_cron_spool_log_t)
> @@ -142,9 +138,6 @@ allow crontab_domain self:capability { c
> allow crontab_domain self:process { getcap setsched signal_perms };
> allow crontab_domain self:fifo_file rw_fifo_file_perms;
>
> -manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
> -filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
> -
> allow crontab_domain cron_spool_t:dir setattr_dir_perms;
>
> allow crontab_domain crond_t:process signal;
> @@ -215,8 +208,8 @@ tunable_policy(`fcron_crond',`
> # Daemon local policy
> #
>
> -allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice };
> -dontaudit crond_t self:capability { sys_resource sys_tty_config };
> +allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice sys_resource };
> +dontaudit crond_t self:capability { sys_tty_config };
> allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
> allow crond_t self:process { setexec setfscreate };
> allow crond_t self:fd use;
> @@ -230,6 +223,7 @@ allow crond_t self:msg { send receive };
> allow crond_t self:key { search write link };
> dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
>
> +allow crond_t cron_spool_type:file read_file_perms;
> allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
> logging_log_filetrans(crond_t, cron_log_t, file)
>
> @@ -340,6 +334,23 @@ ifdef(`distro_debian',`
> optional_policy(`
> logwatch_search_cache_dir(crond_t)
> ')
> + optional_policy(`
> + apt_manage_cache(system_cronjob_t)
> + apt_read_db(system_cronjob_t)
> + dpkg_manage_db(system_cronjob_t)
> + ')
> +')
> +
> +optional_policy(`
> + acct_manage_data(system_cronjob_t)
> +')
> +
> +optional_policy(`
> + ntp_admin(system_cronjob_t, system_r)
> +')
> +
> +optional_policy(`
> + apache_delete_lib_files(system_cronjob_t)
> ')
>
> ifdef(`distro_redhat',`
> @@ -429,6 +440,7 @@ optional_policy(`
> systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
> # so cron jobs can restart daemons
> init_stream_connect(system_cronjob_t)
> + init_manage_script_service(system_cronjob_t)
> ')
>
> optional_policy(`
> @@ -440,14 +452,15 @@ optional_policy(`
> # System local policy
> #
>
> -allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_bind_service setgid setuid sys_nice };
> +allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice };
> allow system_cronjob_t self:process { signal_perms getsched setsched };
> allow system_cronjob_t self:fd use;
> allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
> allow system_cronjob_t self:passwd rootok;
>
> -allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
> +allow system_cronjob_t cron_log_t:file manage_file_perms;
> logging_log_filetrans(system_cronjob_t, cron_log_t, file)
> +logging_manage_generic_logs(system_cronjob_t)
>
> allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
> files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
> @@ -464,7 +477,8 @@ files_lock_filetrans(system_cronjob_t, s
> manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
> manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
> filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
> -files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
> +files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir })
> +allow system_cronjob_t system_cronjob_tmp_t:dir manage_dir_perms;
>
> manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
>
> @@ -475,7 +489,8 @@ allow system_cronjob_t crond_t:process s
> allow system_cronjob_t cron_spool_t:dir list_dir_perms;
> allow system_cronjob_t cron_spool_t:file rw_file_perms;
>
> -allow system_cronjob_t crond_tmp_t:file { read write };
> +allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms;
> +allow cronjob_t crond_tmp_t:file rw_inherited_file_perms;
>
> kernel_read_kernel_sysctls(system_cronjob_t)
> kernel_read_network_state(system_cronjob_t)
> @@ -567,6 +582,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + read_mrtg_etc(system_cronjob_t)
> +')
> +
> +optional_policy(`
> cyrus_manage_data(system_cronjob_t)
> ')
>
> @@ -719,27 +738,3 @@ optional_policy(`
> nis_use_ypbind(cronjob_t)
> ')
>
> -########################################
> -#
> -# Unconfined local policy
> -#
> -
> -type unconfined_cronjob_t;
> -domain_type(unconfined_cronjob_t)
> -domain_cron_exemption_target(unconfined_cronjob_t)
> -
> -dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
> -
> -tunable_policy(`cron_userdomain_transition',`
> - dontaudit crond_t unconfined_cronjob_t:process transition;
> - dontaudit crond_t unconfined_cronjob_t:fd use;
> - dontaudit crond_t unconfined_cronjob_t:key manage_key_perms;
> -',`
> - allow crond_t unconfined_cronjob_t:process transition;
> - allow crond_t unconfined_cronjob_t:fd use;
> - allow crond_t unconfined_cronjob_t:key manage_key_perms;
> -')
> -
> -optional_policy(`
> - unconfined_domain(unconfined_cronjob_t)
> -')
> Index: refpolicy-2.20170417/policy/modules/contrib/apt.if
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/apt.if
> +++ refpolicy-2.20170417/policy/modules/contrib/apt.if
> @@ -164,6 +164,26 @@ interface(`apt_use_ptys',`
> ## </summary>
> ## </param>
> #
> +interface(`apt_manage_cache',`
> + gen_require(`
> + type apt_var_cache_t;
> + ')
> +
> + files_search_var($1)
> + allow $1 apt_var_cache_t:dir manage_dir_perms;
> + allow $1 apt_var_cache_t:file manage_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Read apt package cache content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> interface(`apt_read_cache',`
> gen_require(`
> type apt_var_cache_t;
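Review bot: The doc header for `apt_manage_cache` appears wrong by construction: the new interface body is inserted directly under the `## </param>` / `#` lines that closed the existing header for `apt_read_cache`, while the freshly added header (`## Read apt package cache content.`) is placed above `apt_read_cache`, so the manage interface inherits the read-only description (its summary line lies above the hunk, so this is inferred from the hunk's `apt_use_ptys` context). Move the new header above `apt_manage_cache` and reword it, e.g. `## Create, read, write, and delete apt package cache content.`, leaving the original header on `apt_read_cache`. Separately, refpolicy style would express the two raw allows as `manage_dirs_pattern($1, apt_var_cache_t, apt_var_cache_t)` and `manage_files_pattern($1, apt_var_cache_t, apt_var_cache_t)`.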
> Index: refpolicy-2.20170417/policy/modules/contrib/mrtg.if
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/mrtg.if
> +++ refpolicy-2.20170417/policy/modules/contrib/mrtg.if
> @@ -2,6 +2,24 @@
>
> ########################################
> ## <summary>
> +## Read mrtg configuration
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`read_mrtg_etc',`
> + gen_require(`
> + type mrtg_etc_t;
> + ')
> +
> + allow $1 mrtg_etc_t:file read_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Create and append mrtg log files.
> ## </summary>
> ## <param name="domain">
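Review bot: `read_mrtg_etc` breaks the refpolicy interface naming convention of module prefix first (`mrtg_read_config`, matching the `mrtg_append_create_logs` interface below it); an interface without the module prefix is hard to find and inconsistent with every other call in the tree. The interface also grants only `mrtg_etc_t:file read_file_perms`; if mrtg_etc_t also labels a directory under /etc (the file contexts are not in this patch), callers additionally need `files_search_etc($1)` and `allow $1 mrtg_etc_t:dir list_dir_perms;`, which `files_search_etc($1)` plus `read_files_pattern($1, mrtg_etc_t, mrtg_etc_t)` would provide in the usual style.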
> Index: refpolicy-2.20170417/policy/modules/roles/staff.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/roles/staff.te
> +++ refpolicy-2.20170417/policy/modules/roles/staff.te
> @@ -81,7 +81,7 @@ ifndef(`distro_redhat',`
> ')
>
> optional_policy(`
> - cron_role(staff_r, staff_t)
> + cron_role(staff_r, staff)
> ')
>
> optional_policy(`
> Index: refpolicy-2.20170417/policy/modules/roles/unprivuser.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/roles/unprivuser.te
> +++ refpolicy-2.20170417/policy/modules/roles/unprivuser.te
> @@ -50,7 +50,7 @@ ifndef(`distro_redhat',`
> ')
>
> optional_policy(`
> - cron_role(user_r, user_t)
> + cron_role(user_r, user)
> ')
>
> optional_policy(`
> Index: refpolicy-2.20170417/policy/modules/system/unconfined.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/system/unconfined.te
> +++ refpolicy-2.20170417/policy/modules/system/unconfined.te
> @@ -76,7 +76,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> - cron_unconfined_role(unconfined_r, unconfined_t)
> + cron_role(unconfined_r, unconfined)
> ')
>
> optional_policy(`
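Review bot: Replacing `cron_unconfined_role` with `cron_role(unconfined_r, unconfined)` changes what unconfined_r users get: unconfined_cronjob_t is deleted in the cron.te hunk above, so their jobs now run in whatever cron_role assigns (cronjob_t or the user domain, presumably selected by the `cron_userdomain_transition` tunable) rather than in an unconfined domain. That is a reasonable tightening, but it should be stated explicitly in the commit message. cron.if should also either drop `cron_unconfined_role` or turn it into a `refpolicywarn` deprecation stub, since the interface (not visible in this patch) would otherwise require a type that no longer exists and break any out-of-tree caller at build time.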

2017-04-19 11:16:50

by Russell Coker

Subject: [refpolicy] [PATCH] user_crontab_t etc

On Wed, 19 Apr 2017 08:48:01 PM Christian Göttsche wrote:
> fwiw, I am using a complete rewritten version of cron, where all user
> cronjobs run in the user domain itself.

My policy does that too. Every cron job runs in the same domain as the
process that ran crontab(1). The only domain specific for running cron jobs is
system_cronjob_t.

> I think it is more secure and manageable as running all user crontabs
> in a generic crontab_t domain or use sperate $1_cronjob_t ones.
> Another point I dislike about the upstream cron policy is the power of
> system_cronjob_t: I prefer cronjobs to transition into appropriate
> domains for the specific task.

Sounds good. Let's see if we can find some suitable compromise with Chris and
remove the duplication.

> https://github.com/cgzones/debian-package-refpolicy/blob/management/debian/
> patches/0403-cron-check-module.patch
>
> 2017-04-19 12:22 GMT+02:00 Russell Coker via refpolicy
>
> <[email protected]>:
> > Firstly this patch applies to today's Git tree and is not dependent on
> > the login patch which is still being debated.
> >
> > This patch uses user_crontab_t, sysadm_crontab_t etc domains, as we used
> > to do but which was removed some time in the past.
> >
> > Chris, are you willing to consider restoring this functionality? If not
> > what do you think would be the best way of catering for different needs
> > in this regard? Should I try to make a patch with ifdef
> > role_crontab_domain or something?
> >
> > Index: refpolicy-2.20170417/policy/modules/contrib/cron.if
> >

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

2017-04-20 22:35:42

by Chris PeBenito

Subject: [refpolicy] [PATCH] user_crontab_t etc

On 04/19/2017 07:16 AM, Russell Coker via refpolicy wrote:
> On Wed, 19 Apr 2017 08:48:01 PM Christian Göttsche wrote:
>> fwiw, I am using a complete rewritten version of cron, where all user
>> cronjobs run in the user domain itself.
>
> My policy does that too. Every cron job runs in the same domain as the
> process that ran crontab(1). The only domain specific for running cron jobs is
> system_cronjob_t.
>
>> I think it is more secure and manageable as running all user crontabs
>> in a generic crontab_t domain or use sperate $1_cronjob_t ones.
>> Another point I dislike about the upstream cron policy is the power of
>> system_cronjob_t: I prefer cronjobs to transition into appropriate
>> domains for the specific task.
>
> Sounds good. Let's see if we can find some suitable compromise with Chris and
> remove the duplication.

>> https://github.com/cgzones/debian-package-refpolicy/blob/management/debian/
>> patches/0403-cron-check-module.patch
>>
>> 2017-04-19 12:22 GMT+02:00 Russell Coker via refpolicy
>>
>> <[email protected]>:
>>> Firstly this patch applies to today's Git tree and is not dependent on
>>> the login patch which is still being debated.
>>>
>>> This patch uses user_crontab_t, sysadm_crontab_t etc domains, as we used
>>> to do but which was removed some time in the past.
>>>
>>> Chris, are you willing to consider restoring this functionality? If not
>>> what do you think would be the best way of catering for different needs
>>> in this regard? Should I try to make a patch with ifdef
>>> role_crontab_domain or something?

I think I am mostly fine, conceptually, with the changes, but I'll
restate just in case:

My preference is to have the default to run cronjobs in the user's
domain. While this is not the typical choice (i.e. not the most
strict), this is expected behavior for uninitiated users ("my cronjobs
can do whatever I can.")

I'm definitely open to shrinking system_cronjob_t by doing appropriate
transitions.

I'd like to keep cronjob_t for advanced users that want to limit
cronjobs. Preferably, it would use tunables to switch between cronjobs
in userdomains and cronjobs in cronjob_t. Should that not be tenable,
we can see what a build option (ifdef) would look like to see if it's
not too gnarly to keep.

--
Chris PeBenito