#
# Macros for crond domains.
#
#
# Authors:  Jonathan Crowley (MITRE) <jonathan@mitre.org>,
#           Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
#           Russell Coker <rcoker@redhat.com>
#
#
# crond_domain(domain_prefix)
#
# Define a derived domain for cron jobs executed by crond on behalf
# of a user domain.  These domains are separate from the top-level domain
# defined for the crond daemon and the domain defined for system cron jobs,
# which are specified in domains/program/crond.te.
#
# Parameters:
#   $1 - domain prefix.  The derived job domain is $1_crond_t and the
#        crontab spool type it is entered from is $1_cron_spool_t.
#        The prefix system is special-cased: it gets privlog, privmail and
#        nscd_client_domain and no home directory or tmp access.
#
# Security notes (see the rules they refer to):
#   - $1_crond_t is reached from crond_t through shell_exec_t by an
#     explicit transition, gated by the entrypoint permission on
#     $1_cron_spool_t; there is no automatic transition.
#   - The domain receives the dac_override capability and a broad
#     exec-any grant; the review notes on those rules record what is
#     known about why.
#
undefine(`crond_domain')
define(`crond_domain',`
# Derived domain for user cron jobs; use user_crond_domain if not system.
ifelse(`system', `$1', `
type $1_crond_t, domain, privlog, privmail, nscd_client_domain;
', `
type $1_crond_t, domain, user_crond_domain;

# Access user files and dirs.
allow $1_crond_t home_root_t:dir search;
file_type_auto_trans($1_crond_t, $1_home_dir_t, $1_home_t)

# Run scripts in user home directory and access shared libs.
# Files of type $1_home_t are executable by the job domain; this is the
# model for user cron jobs, not a grant to other types.
can_exec($1_crond_t, $1_home_t)

# Files the job creates in tmp_t directories are labeled $1_tmp_t.
file_type_auto_trans($1_crond_t, tmp_t, $1_tmp_t)
')
# Both variants may read the SELinux configuration.
r_dir_file($1_crond_t, selinux_config_t)

# Type of user crontabs once moved to cron spool.
# The entrypoint rule below ties this type to $1_crond_t.
type $1_cron_spool_t, file_type, sysadmfile;

# Only when fcron is in the policy: let crond_t create spool files
# of this type.
ifdef(`fcron.te', `
allow crond_t $1_cron_spool_t:file create_file_perms;
')

# Read the urandom device.
allow $1_crond_t urandom_device_t:chr_file { getattr read };

# Read files and symlinks of type usr_t.
allow $1_crond_t usr_t:file { getattr ioctl read };
allow $1_crond_t usr_t:lnk_file read;

# Permit a transition from the crond_t domain to this domain.
# The transition is requested explicitly by the modified crond
# via execve_secure.  There is no way to set up an automatic
# transition, since crontabs are configuration files, not executables.
# This is deliberately not an automatic transition: crond_t must ask
# for it, so an unmodified shell exec from crond_t does not land here.
domain_trans(crond_t, shell_exec_t, $1_crond_t)

# Only when the MTA policy is present: run sendmail as $1_mail_t,
# presumably to deliver job output.
ifdef(`mta.te', `
domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t)
allow $1_crond_t sendmail_exec_t:lnk_file { getattr read };

# $1_mail_t should only be reading from the cron fifo not needing to write
dontaudit $1_mail_t crond_t:fifo_file write;
allow mta_user_agent $1_crond_t:fd use;
')

# The user role is authorized for this domain.
role $1_r types $1_crond_t;

# This domain is granted permissions common to most domains.
can_network($1_crond_t)
can_ypbind($1_crond_t)
r_dir_file($1_crond_t, self)
allow $1_crond_t self:fifo_file rw_file_perms;
allow $1_crond_t self:unix_stream_socket create_stream_socket_perms;
allow $1_crond_t self:unix_dgram_socket create_socket_perms;
allow $1_crond_t etc_runtime_t:file { getattr read };
# setsched applies to self only: the job may change its own scheduling.
allow $1_crond_t self:process { fork signal_perms setsched };
allow $1_crond_t proc_t:dir r_dir_perms;
allow $1_crond_t proc_t:file { getattr read ioctl };
read_locale($1_crond_t)
read_sysctl($1_crond_t)
allow $1_crond_t var_spool_t:dir search;
# getattr on any filesystem type.
allow $1_crond_t fs_type:filesystem getattr;

allow $1_crond_t devtty_t:chr_file { read write };
allow $1_crond_t var_t:dir r_dir_perms;
allow $1_crond_t var_t:file { getattr read ioctl };
allow $1_crond_t var_log_t:dir search;

# Use capabilities.
# NOTE(review): dac_override lets the job bypass file mode bits.  No
# justification is recorded here for why user cron jobs need it; worth
# checking whether it can be dropped or limited to the system variant.
allow $1_crond_t self:capability dac_override;

# Inherit and use descriptors from initrc - I think this is wrong
#allow $1_crond_t initrc_t:fd use;

#
# Since crontab files are not directly executed,
# crond must ensure that the crontab file has
# a type that is appropriate for the domain of
# the user cron job.  It performs an entrypoint
# permission check for this purpose.
#
allow $1_crond_t $1_cron_spool_t:file entrypoint;

# Run helper programs.
# NOTE(review): this is a broad grant; the job domain may execute every
# executable type the macro covers, in its own domain where the macro
# allows that - confirm against the macro definition.
can_exec_any($1_crond_t)

# The dontaudit rules below only silence denials; they grant nothing.
# ps does not need to access /boot when run from cron
dontaudit $1_crond_t boot_t:dir search;
# quiet other ps operations
dontaudit $1_crond_t domain:dir { getattr search };
# for nscd
dontaudit $1_crond_t var_run_t:dir search;
')
# When system_crond_t domain executes a type $1 executable then transition to
# domain $2, allow $2 to interact with crond_t as well.
#
# Parameters:
#   $1 - executable type whose execution by system_crond_t triggers the
#        automatic transition
#   $2 - target domain the job runs in
#
# Expands to nothing unless crond.te is part of the policy.
define(`system_crond_entry', `
ifdef(`crond.te', `
domain_auto_trans(system_crond_t, $1, $2)
# Use the fifo passed in from crond_t (presumably the job output pipe);
# only getattr, read, write and ioctl are granted.
allow $2 crond_t:fifo_file { getattr read write ioctl };
# a rule for privfd may make this obsolete
allow $2 crond_t:fd use;
# Let crond_t be notified when the job exits.
allow $2 crond_t:process sigchld;
')dnl end ifdef
')dnl end system_crond_entry