Chris PeBenito 0fbfa5
#DESC Crond - Crond daemon
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Domains for the top-level crond daemon process and
Chris PeBenito 0fbfa5
# for system cron jobs.  The domains for user cron jobs
Chris PeBenito 0fbfa5
# are in macros/program/crond_macros.te.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# X-Debian-Packages: cron
Chris PeBenito 0fbfa5
# Authors:  Jonathan Crowley (MITRE) <jonathan@mitre.org>,
Chris PeBenito 0fbfa5
#	    Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# NB The constraints file has some entries for crond_t, this makes it
Chris PeBenito 0fbfa5
# different from all other domains...
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Domain for crond.  It needs auth_chkpwd to check for locked accounts.
Chris PeBenito 0fbfa5
daemon_domain(crond, `, privmail, auth_chkpwd, privfd, nscd_client_domain')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# This domain is granted permissions common to most domains (including can_net)
Chris PeBenito 0fbfa5
general_domain_access(crond_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Type for the anacron executable.
Chris PeBenito 0fbfa5
type anacron_exec_t, file_type, sysadmfile, exec_type;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Type for temporary files.
Chris PeBenito 0fbfa5
tmp_domain(crond)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
crond_domain(system)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow system_crond_t proc_mdstat_t:file { getattr read };
Chris PeBenito 0fbfa5
allow system_crond_t proc_t:lnk_file read;
Chris PeBenito 0fbfa5
allow system_crond_t proc_t:filesystem getattr;
Chris PeBenito 0fbfa5
allow system_crond_t usbdevfs_t:filesystem getattr;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
ifdef(`mta.te', `
Chris PeBenito 0fbfa5
allow mta_user_agent system_crond_t:fd use;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# read files in /etc
Chris PeBenito 0fbfa5
allow system_crond_t etc_t:file r_file_perms;
Chris PeBenito 0fbfa5
allow system_crond_t etc_runtime_t:file read;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
read_locale(crond_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
log_domain(crond)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Use capabilities.
Chris PeBenito 0fbfa5
allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice };
Chris PeBenito 0fbfa5
dontaudit crond_t self:capability sys_resource;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Get security policy decisions.
Chris PeBenito 0fbfa5
can_getsecurity(crond_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for finding binaries and /bin/sh
Chris PeBenito 0fbfa5
allow crond_t { bin_t sbin_t }:dir search;
Chris PeBenito 0fbfa5
allow crond_t { bin_t sbin_t }:lnk_file read;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Read from /var/spool/cron.
Chris PeBenito 0fbfa5
allow crond_t var_lib_t:dir search;
Chris PeBenito 0fbfa5
allow crond_t var_spool_t:dir r_dir_perms;
Chris PeBenito 0fbfa5
allow crond_t cron_spool_t:dir r_dir_perms;
Chris PeBenito 0fbfa5
allow crond_t cron_spool_t:file r_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Read /etc/security/default_contexts.
Chris PeBenito 0fbfa5
r_dir_file(crond_t, default_context_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow crond_t etc_t:file { getattr read };
Chris PeBenito 0fbfa5
allow crond_t etc_t:lnk_file read;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow crond_t default_t:dir search;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# crond tries to search /root.  Not sure why.
Chris PeBenito 0fbfa5
allow crond_t sysadm_home_dir_t:dir r_dir_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# to search /home
Chris PeBenito 0fbfa5
allow crond_t home_root_t:dir { getattr search };
Chris PeBenito 0fbfa5
allow crond_t user_home_dir_type:dir r_dir_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Run a shell.
Chris PeBenito 0fbfa5
can_exec(crond_t, shell_exec_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
ifdef(`distro_redhat', `
Chris PeBenito 0fbfa5
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
Chris PeBenito 0fbfa5
# via redirection of standard out.
Chris PeBenito 0fbfa5
ifdef(`rpm.te', `
Chris PeBenito 0fbfa5
allow crond_t rpm_log_t: file create_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
system_crond_entry(rpm_exec_t, rpm_t)
Chris PeBenito 0fbfa5
allow system_crond_t rpm_log_t:file create_file_perms;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow system_crond_t var_log_t:file r_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Set exec context.
Chris PeBenito 0fbfa5
can_setexec(crond_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Transition to this domain for anacron as well.
Chris PeBenito 0fbfa5
# Still need to study anacron.
Chris PeBenito 0fbfa5
domain_auto_trans(initrc_t, anacron_exec_t, system_crond_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Access log files
Chris PeBenito 0fbfa5
file_type_auto_trans(system_crond_t, var_log_t, crond_log_t, file)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Inherit and use descriptors from init for anacron.
Chris PeBenito 0fbfa5
allow system_crond_t init_t:fd use;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Inherit and use descriptors from initrc for anacron.
Chris PeBenito 0fbfa5
allow system_crond_t initrc_t:fd use;
Chris PeBenito 0fbfa5
allow system_crond_t initrc_devpts_t:chr_file { read write };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Use capabilities.
Chris PeBenito 0fbfa5
allow system_crond_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow crond_t urandom_device_t:chr_file { getattr read };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Read the system crontabs.
Chris PeBenito 0fbfa5
allow system_crond_t system_cron_spool_t:file r_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow crond_t system_cron_spool_t:dir r_dir_perms;
Chris PeBenito 0fbfa5
allow crond_t system_cron_spool_t:file r_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Read from /var/spool/cron.
Chris PeBenito 0fbfa5
allow system_crond_t cron_spool_t:dir r_dir_perms;
Chris PeBenito 0fbfa5
allow system_crond_t cron_spool_t:file r_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Write to /var/lib/slocate.db.
Chris PeBenito 0fbfa5
allow system_crond_t var_lib_t:dir rw_dir_perms;
Chris PeBenito 0fbfa5
allow system_crond_t var_lib_t:file create_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Update whatis files.
Chris PeBenito 0fbfa5
allow system_crond_t catman_t:dir create_dir_perms;
Chris PeBenito 0fbfa5
allow system_crond_t catman_t:file create_file_perms;
Chris PeBenito 0fbfa5
allow system_crond_t man_t:file r_file_perms;
Chris PeBenito 0fbfa5
allow system_crond_t man_t:lnk_file read;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Write /var/lock/makewhatis.lock.
Chris PeBenito 0fbfa5
lock_domain(system_crond)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for if /var/mail is a symlink
Chris PeBenito 0fbfa5
allow { system_crond_t crond_t } mail_spool_t:lnk_file read;
Chris PeBenito 0fbfa5
allow crond_t mail_spool_t:dir search;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
ifdef(`mta.te', `
Chris PeBenito 0fbfa5
r_dir_file(system_mail_t, crond_tmp_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Stat any file and search any directory for find.
Chris PeBenito 0fbfa5
allow system_crond_t { file_type fs_type }:notdevfile_class_set getattr;
Chris PeBenito 0fbfa5
allow system_crond_t device_type:{ chr_file blk_file } getattr;
Chris PeBenito 0fbfa5
allow system_crond_t file_type:dir { read search getattr };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Create temporary files.
Chris PeBenito 0fbfa5
type system_crond_tmp_t, file_type, sysadmfile, tmpfile;
Chris PeBenito 0fbfa5
file_type_auto_trans(system_crond_t, { tmp_t crond_tmp_t }, system_crond_tmp_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# /sbin/runlevel ask for w access to utmp, but will operate
Chris PeBenito 0fbfa5
# correctly without it.  Do not audit write denials to utmp.
Chris PeBenito 0fbfa5
# /sbin/runlevel needs lock access however
Chris PeBenito 0fbfa5
dontaudit system_crond_t initrc_var_run_t:file write;
Chris PeBenito 0fbfa5
allow system_crond_t initrc_var_run_t:file { getattr read lock };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Access other spool directories like
Chris PeBenito 0fbfa5
# /var/spool/anacron and /var/spool/slrnpull.
Chris PeBenito 0fbfa5
allow system_crond_t var_spool_t:file create_file_perms;
Chris PeBenito 0fbfa5
allow system_crond_t var_spool_t:dir rw_dir_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Do not audit attempts to search unlabeled directories (e.g. slocate).
Chris PeBenito 0fbfa5
dontaudit system_crond_t unlabeled_t:dir r_dir_perms;
Chris PeBenito 0fbfa5
dontaudit system_crond_t unlabeled_t:file r_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# reading /var/spool/cron/mailman
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
allow crond_t var_spool_t:file { getattr read };
Chris PeBenito 0fbfa5
allow system_crond_t devpts_t:filesystem getattr;
Chris PeBenito 0fbfa5
allow system_crond_t sysfs_t:filesystem getattr;
Chris PeBenito 0fbfa5
allow system_crond_t tmpfs_t:filesystem getattr;
Chris PeBenito 0fbfa5
allow system_crond_t rpc_pipefs_t:filesystem getattr;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
#  These rules are here to allow system cron jobs to su
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
ifdef(`su.te', `
Chris PeBenito 0fbfa5
su_restricted_domain(system_crond,system)
Chris PeBenito 0fbfa5
role system_r types system_crond_su_t;
Chris PeBenito 0fbfa5
allow system_crond_su_t crond_t:fifo_file ioctl;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
allow system_crond_t self:passwd rootok;
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# prelink tells init to restart it self, we either need to allow or dontaudit
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
allow system_crond_t initctl_t:fifo_file write;
Chris PeBenito 0fbfa5
dontaudit userdomain system_crond_t:fd use;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
r_dir_file(crond_t, selinux_config_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Allow system cron jobs to relabel filesystem for restoring file contexts.
Chris PeBenito 0fbfa5
bool cron_can_relabel false;
Chris PeBenito 0fbfa5
if (cron_can_relabel) {
Chris PeBenito 0fbfa5
domain_auto_trans(system_crond_t, setfiles_exec_t, setfiles_t)
Chris PeBenito 0fbfa5
} else {
Chris PeBenito 0fbfa5
r_dir_file(system_crond_t, file_context_t)
Chris PeBenito 0fbfa5
can_getsecurity(system_crond_t)
Chris PeBenito 0fbfa5
}
Chris PeBenito 0fbfa5
allow system_crond_t removable_t:filesystem { getattr };
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Required for webalizer
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
ifdef(`apache.te', `
Chris PeBenito 0fbfa5
allow system_crond_t httpd_log_t:file { getattr read };
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
dontaudit crond_t self:capability { sys_tty_config };