## <summary>Periodic execution of scheduled commands.</summary>
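#######################################
## <summary>
##	The per user domain template for the cron module.
## </summary>
## <desc>
##	<p>
##	This template creates derived domains which are used
##	for running programs on behalf of the user, from cron.
##	A type for the user crontab is also created.
##	</p>
##	<p>
##	This template is invoked automatically for each user, and
##	generally does not need to be invoked directly
##	by policy writers.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
## </param>
## <param name="user_domain">
##	The type of the user domain.
## </param>
## <param name="user_role">
##	The role associated with the user domain.
## </param>
#
template(`cron_per_userdomain_template',`
	gen_require(`
		attribute cron_spool_type;
		type crond_t, cron_spool_t, crontab_exec_t;
	')

	# Type of user crontabs once moved to cron spool.
	# It is a file type only: the spool directory itself stays
	# cron_spool_t (see the dir rules in the $1_crontab_t section).
	type $1_cron_spool_t, cron_spool_type;
	files_type($1_cron_spool_t)

	# $1_crond_t: the domain the user's cron jobs run in.  crond_t
	# enters it explicitly (see the transition rules below); the shell
	# is its entry point since no dedicated executable carries it.
	type $1_crond_t;
	domain_type($1_crond_t)
	domain_cron_exemption_target($1_crond_t)
	corecmd_shell_entry_type($1_crond_t)
	role $3 types $1_crond_t;

	# $1_crontab_t: the domain of the crontab program, entered from
	# the user domain $2 through crontab_exec_t (see the $1_crontab_t
	# local policy below).
	type $1_crontab_t;
	domain_type($1_crontab_t)
	domain_entry_file($1_crontab_t,crontab_exec_t)
	role $3 types $1_crontab_t;

	##############################
	#
	# $1_crond_t local policy
	#

	# dac_override lets user jobs bypass DAC permission checks on
	# files; it is a broad capability for a per-user job domain.
	# NOTE(review): the reason it is required is not recorded here - confirm.
	allow $1_crond_t self:capability dac_override;
	allow $1_crond_t self:process { signal_perms setsched };
	allow $1_crond_t self:fifo_file rw_file_perms;
	allow $1_crond_t self:unix_stream_socket create_stream_socket_perms;
	allow $1_crond_t self:unix_dgram_socket create_socket_perms;

	# The entrypoint interface is not used as this is not
	# a regular entrypoint.  Since crontab files are
	# not directly executed, crond must ensure that
	# the crontab file has a type that is appropriate
	# for the domain of the user cron job.  It
	# performs an entrypoint permission check
	# for this purpose.
	allow $1_crond_t $1_cron_spool_t:file entrypoint;

	# Permit a transition from the crond_t domain to this domain.
	# The transition is requested explicitly by the modified crond
	# via setexeccon.  There is no way to set up an automatic
	# transition, since crontabs are configuration files, not executables.
	allow crond_t $1_crond_t:process transition;
	dontaudit crond_t $1_crond_t:process { noatsecure siginh rlimitinh };
	# Descriptors and pipes are shared across the crond_t -> $1_crond_t
	# transition, and the job reports its exit to crond_t via sigchld.
	allow crond_t $1_crond_t:fd use;
	allow $1_crond_t crond_t:fd use;
	allow $1_crond_t crond_t:fifo_file rw_file_perms;
	allow $1_crond_t crond_t:process sigchld;

	kernel_read_system_state($1_crond_t)
	kernel_read_kernel_sysctl($1_crond_t)

	# ps does not need to access /boot when run from cron
	bootloader_dontaudit_search_boot($1_crond_t)

	# User jobs get unrestricted network use: all interfaces, nodes
	# and ports, binding on any node and TCP connects to any port.
	corenet_tcp_sendrecv_all_if($1_crond_t)
	corenet_raw_sendrecv_all_if($1_crond_t)
	corenet_udp_sendrecv_all_if($1_crond_t)
	corenet_tcp_sendrecv_all_nodes($1_crond_t)
	corenet_raw_sendrecv_all_nodes($1_crond_t)
	corenet_udp_sendrecv_all_nodes($1_crond_t)
	corenet_tcp_sendrecv_all_ports($1_crond_t)
	corenet_udp_sendrecv_all_ports($1_crond_t)
	corenet_non_ipsec_sendrecv($1_crond_t)
	corenet_tcp_bind_all_nodes($1_crond_t)
	corenet_udp_bind_all_nodes($1_crond_t)
	corenet_tcp_connect_all_ports($1_crond_t)

	dev_read_urand($1_crond_t)

	fs_getattr_all_fs($1_crond_t)

	domain_exec_all_entry_files($1_crond_t)
	# quiet other ps operations
	domain_dontaudit_read_all_domains_state($1_crond_t)
	domain_dontaudit_getattr_all_domains($1_crond_t)

	files_read_usr_files($1_crond_t)
	files_exec_etc_files($1_crond_t)
	# for nscd:
	files_dontaudit_search_pids($1_crond_t)

	corecmd_exec_bin($1_crond_t)
	corecmd_exec_sbin($1_crond_t)

	libs_use_ld_so($1_crond_t)
	libs_use_shared_libs($1_crond_t)
	libs_exec_lib_files($1_crond_t)
	libs_exec_ld_so($1_crond_t)

	files_read_etc_runtime_files($1_crond_t)
	files_read_var_files($1_crond_t)
	files_search_spool($1_crond_t)

	logging_search_logs($1_crond_t)

	seutil_read_config($1_crond_t)

	miscfiles_read_localization($1_crond_t)

	userdom_manage_user_tmp_files($1,$1_crond_t)
	userdom_manage_user_tmp_symlinks($1,$1_crond_t)
	userdom_manage_user_tmp_pipes($1,$1_crond_t)
	userdom_manage_user_tmp_sockets($1,$1_crond_t)
	# Run scripts in user home directory and access shared libs.
	userdom_exec_user_home_files($1,$1_crond_t)
	# Access user files and dirs.
#	userdom_manage_user_home_subdir_dirs($1,$1_crond_t)
	userdom_manage_user_home_subdir_files($1,$1_crond_t)
	userdom_manage_user_home_subdir_symlinks($1,$1_crond_t)
	userdom_manage_user_home_subdir_pipes($1,$1_crond_t)
	userdom_manage_user_home_subdir_sockets($1,$1_crond_t)
#	userdom_create_user_home($1,$1_crond_t,notdevfile_class_set)

	# NOTE(review): the $1_crontab_t section below already grants
	# crond_t create_file_perms on $1_cron_spool_t unconditionally,
	# so this tunable block currently adds nothing.
	tunable_policy(`fcron_crond', `
		allow crond_t $1_cron_spool_t:file create_file_perms;
	')

	optional_policy(`nis',`
		nis_use_ypbind($1_crond_t)
	')

	ifdef(`TODO',`
	optional_policy(`apache',`
		create_dir_file($1_crond_t, httpd_$1_content_t)
	')
	allow $1_crond_t tmp_t:dir rw_dir_perms;
	type_transition $1_crond_t $1_tmp_t:{ file lnk_file sock_file fifo_file } $1_tmp_t;

	ifdef(`mta.te', `
		domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t)
		allow $1_crond_t sendmail_exec_t:lnk_file r_file_perms;

		# $1_mail_t should only be reading from the cron fifo not needing to write
		dontaudit $1_mail_t crond_t:fifo_file write;
		allow mta_user_agent $1_crond_t:fd use;
	')
	') dnl endif TODO

	##############################
	#
	# $1_crontab_t local policy
	#

	# Transition from the user domain to the derived domain.
	domain_auto_trans($2, crontab_exec_t, $1_crontab_t)
	allow $2 $1_crontab_t:fd use;
	allow $1_crontab_t $2:fd use;
	allow $1_crontab_t $2:fifo_file rw_file_perms;
	allow $1_crontab_t $2:process sigchld;

	# crontab shows up in user ps
	allow $2 $1_crontab_t:dir { search getattr read };
	allow $2 $1_crontab_t:{ file lnk_file } { read getattr };
	allow $2 $1_crontab_t:process getattr;
	dontaudit $2 $1_crontab_t:process ptrace;

	# for ^Z
	allow $2 $1_crontab_t:process signal;

	# Allow crond to read those crontabs in cron spool.
	# NOTE(review): create_file_perms is wider than "read" - it also
	# covers creating and unlinking the spool files.  If crond only
	# needs to read them, r_file_perms matches the stated intent and
	# leaves the write access to the fcron_crond tunable above.
	allow crond_t $1_cron_spool_t:file create_file_perms;

	# dac_override is to create the file in the directory under /tmp
	# setuid/setgid/chown: presumably so crontab can switch to the
	# invoking user and own the installed spool file - verify.
	allow $1_crontab_t self:capability { setuid setgid chown dac_override };
	allow $1_crontab_t self:process signal_perms;

	# create files in /var/spool/cron
	allow $1_crontab_t $1_cron_spool_t:file create_file_perms;
	allow $1_crontab_t cron_spool_t:dir rw_dir_perms;
	# Files crontab creates inside the cron_spool_t directory get the
	# per-user spool type.  The directory type here must be cron_spool_t:
	# $1_cron_spool_t is never used as a directory type (no dir rules
	# exist for it), so a transition keyed on it could never fire and
	# new crontabs would simply inherit cron_spool_t.
	type_transition $1_crontab_t cron_spool_t:file $1_cron_spool_t;

	# crontab signals crond by updating the mtime on the spooldir
	allow $1_crontab_t cron_spool_t:dir setattr;

	kernel_read_system_state($1_crontab_t)

	# for the checks used by crontab -u
	selinux_dontaudit_search_fs($1_crontab_t)

	fs_getattr_xattr_fs($1_crontab_t)

	# Run helper programs as the user domain
	# (anything crontab executes from bin, sbin or a shell runs in $2,
	# not in $1_crontab_t).
	corecmd_bin_domtrans($1_crontab_t,$2)
	corecmd_sbin_domtrans($1_crontab_t,$2)
	corecmd_shell_domtrans($1_crontab_t,$2)

	domain_use_wide_inherit_fd($1_crontab_t)

	files_read_etc_files($1_crontab_t)
	files_dontaudit_search_pids($1_crontab_t)

	libs_use_ld_so($1_crontab_t)
	libs_use_shared_libs($1_crontab_t)

	logging_send_syslog_msg($1_crontab_t)

	miscfiles_read_localization($1_crontab_t)

	seutil_read_config($1_crontab_t)

	userdom_manage_user_tmp_dirs($1,$1_crontab_t)
	userdom_manage_user_tmp_files($1,$1_crontab_t)
	# Access terminals.
	userdom_use_user_terminals($1,$1_crontab_t)
	# Read user crontabs
	userdom_read_user_home_files($1,$1_crontab_t)

	tunable_policy(`fcron_crond', `
		# fcron wants an instant update of a crontab change for the administrator
		# also crontab does a security check for crontab -u
		dontaudit $1_crontab_t crond_t:process signal;
	')

	ifdef(`TODO',`
	allow $1_crond_t tmp_t:dir rw_dir_perms;
	type_transition $1_crond_t $1_tmp_t:{ file dir } $1_tmp_t;

	# Read user crontabs
	dontaudit $1_crontab_t $1_home_dir_t:dir write;

	# Inherit and use descriptors from gnome-pty-helper.
	ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;')
	') dnl endif TODO
')
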
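#######################################
## <summary>
##	The administrative functions template for the cron module.
## </summary>
## <desc>
##	<p>
##	This template creates rules for administrating the cron service,
##	allowing the specified user to manage other user crontabs.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
## </param>
#
template(`cron_admin_template',`
	gen_require(`
		attribute cron_spool_type;
		# Both derived domains come from cron_per_userdomain_template,
		# which must therefore have been invoked for $1 first.
		type $1_crontab_t, $1_crond_t;
	')

	# Allow our crontab domain to unlink a user cron spool file.
	# cron_spool_type covers every user's spool file type; note this
	# is read and unlink only, not write, so the administrator's crontab
	# can remove other users' crontabs but not silently edit them.
	allow $1_crontab_t cron_spool_type:file { getattr read unlink };

	logging_read_generic_logs($1_crond_t)

	# Manipulate other users crontab.
	# SELinux userspace queries used by crontab when acting on another
	# user's spool file (context validation and the compute_* calls).
	selinux_get_fs_mount($1_crontab_t)
	selinux_validate_context($1_crontab_t)
	selinux_compute_access_vector($1_crontab_t)
	selinux_compute_create_context($1_crontab_t)
	selinux_compute_relabel_context($1_crontab_t)
	selinux_compute_user_contexts($1_crontab_t)

	tunable_policy(`fcron_crond', `
		# fcron wants an instant update of a crontab change for the administrator
		# also crontab does a security check for crontab -u
		# (selinux_get_fs_mount is already granted unconditionally above,
		# so it is not repeated here.)
		allow $1_crontab_t self:process setfscreate;
	')
')
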
########################################
## <summary>
##	Make the specified program domain accessible
##	from the system cron jobs.
## </summary>
## <param name="domain">
##	The type of the process to transition to.
## </param>
## <param name="entrypoint">
##	The type of the file used as an entrypoint to this domain.
## </param>
#
interface(`cron_system_entry',`
	gen_require(`
		type crond_t, system_crond_t;
		class fd use;
		class fifo_file rw_file_perms;
		class process sigchld;
	')

	# A system cron job (system_crond_t) executing a $2 file
	# automatically transitions into $1.
	domain_auto_trans(system_crond_t, $2, $1)

	# cjp: perhaps these four rules from the old
	# domain_auto_trans are not needed?
	allow system_crond_t $1:fd use;
	allow $1 system_crond_t:fd use;
	allow $1 system_crond_t:fifo_file rw_file_perms;
	allow $1 system_crond_t:process sigchld;

	# $1 also keeps the descriptors and pipes inherited from the cron
	# daemon itself, and may report its exit to it with sigchld.
	allow $1 crond_t:fifo_file rw_file_perms;
	allow $1 crond_t:fd use;
	allow $1 crond_t:process sigchld;
')

########################################
## <summary>
##	Inherit and use a file descriptor
##	from the cron daemon.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`cron_use_fd',`
	gen_require(`
		type crond_t;
		class fd use;
	')

	# Only the fd class is granted: access to the object behind the
	# descriptor is still checked against $1 separately.
	allow $1 crond_t:fd use;
')

########################################
## <summary>
##	Send a SIGCHLD signal to the cron daemon.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`cron_sigchld',`
	gen_require(`
		type crond_t;
		class process sigchld;
	')

	# Needed by any domain that runs as a child of crond_t and exits,
	# so the daemon can be notified; no other signal is permitted.
	allow $1 crond_t:process sigchld;
')

########################################
## <summary>
##	Read a cron daemon unnamed pipe.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`cron_read_pipe',`
	gen_require(`
		type crond_t;
	')

	# Unnamed pipes carry the type of the process that created them,
	# hence crond_t as the fifo_file type here.
	allow $1 crond_t:fifo_file r_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to write cron daemon unnamed pipes.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`cron_dontaudit_write_pipe',`
	gen_require(`
		type crond_t;
	')

	# Suppresses the audit record only; the write is still denied.
	dontaudit $1 crond_t:fifo_file write;
')

########################################
## <summary>
##	Read and write a cron daemon unnamed pipe.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`cron_rw_pipe',`
	gen_require(`
		type crond_t;
	')

	# NOTE(review): this grants the bare { read write } set, whereas the
	# other crond_t pipe rules in this file use rw_file_perms; callers
	# that also need getattr/ioctl on the pipe will be denied.  Left
	# as-is here since widening it is a policy decision.
	allow $1 crond_t:fifo_file { read write };
')

########################################
## <summary>
##	Create, read, and write a cron daemon TCP socket.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
# cjp: need to fix this name
interface(`cron_crw_tcp_socket',`
	gen_require(`
		type crond_t;
	')

	# NOTE(review): read/write apply to a crond_t-labelled socket that
	# $1 inherited; `create' on another domain's socket type is only
	# meaningful if $1 sets its socket create context - confirm it is needed.
	allow $1 crond_t:tcp_socket { create read write };
')

########################################
## <summary>
##	Search the directory containing user cron tables.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`cron_search_spool',`
	gen_require(`
		type cron_spool_t;
		class dir search;
	')

	# Search access on the enclosing spool tree first, then on the
	# cron spool directory itself; no read of the directory listing.
	files_search_spool($1)
	allow $1 cron_spool_t:dir search;
')

########################################
## <summary>
##	Execute anacron in the system cron job domain.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`cron_domtrans_anacron_system_job',`
	gen_require(`
		type system_crond_t, anacron_exec_t;
	')

	# Running an anacron_exec_t file from $1 transitions into
	# system_crond_t, the same domain system cron jobs run in.
	domain_auto_trans($1,anacron_exec_t,system_crond_t)

	# The usual descriptor/pipe sharing across the transition, with the
	# job reporting its exit back to $1 via sigchld.
	allow $1 system_crond_t:fd use;
	allow system_crond_t $1:fd use;
	allow system_crond_t $1:fifo_file rw_file_perms;
	allow system_crond_t $1:process sigchld;
')

########################################
## <summary>
##	Inherit and use a file descriptor
##	from system cron jobs.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`cron_use_system_job_fd',`
	gen_require(`
		type system_crond_t;
	')

	# fd class only; access to the object the descriptor refers to is
	# checked separately against $1.
	allow $1 system_crond_t:fd use;
')

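########################################
## <summary>
##	Write a system cron job unnamed pipe.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`cron_write_system_job_pipe',`
	gen_require(`
		type system_crond_t;
		class fifo_file write;
	')

	# Unnamed pipes are fifo_file objects carrying the creator's domain
	# type, so the class here is fifo_file, matching cron_read_pipe and
	# cron_rw_pipe.  The previous `file' class did not describe a pipe
	# at all (a system_crond_t:file is a /proc entry of the job).
	allow $1 system_crond_t:fifo_file write;
')
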
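########################################
## <summary>
##	Read and write a system cron job unnamed pipe.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`cron_rw_system_job_pipe',`
	gen_require(`
		type system_crond_t;
	')

	# Unnamed pipes are fifo_file objects carrying the creator's domain
	# type, so the class here is fifo_file, matching cron_read_pipe and
	# cron_rw_pipe.  The previous `file' class did not describe a pipe
	# at all (a system_crond_t:file is a /proc entry of the job).
	allow $1 system_crond_t:fifo_file rw_file_perms;
')
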
########################################
## <summary>
##	Read temporary files from the system cron jobs.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`cron_read_system_job_tmp_files',`
	gen_require(`
		type system_crond_tmp_t;
		class file r_file_perms;
	')

	# Search on the tmp directory is needed to reach the files at all;
	# the files themselves are read-only for $1.
	files_search_tmp($1)
	allow $1 system_crond_tmp_t:file r_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to append temporary
##	files from the system cron jobs.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`cron_dontaudit_append_system_job_tmp_files',`
	gen_require(`
		type system_crond_tmp_t;
	')

	# Suppresses the audit record only; the append is still denied.
	dontaudit $1 system_crond_tmp_t:file append;
')