Blob Blame History Raw

policy_module(cron, 1.0)

########################################
#
# Declarations
#

# Allow system cron jobs to relabel filesystem for restoring file contexts.
bool cron_can_relabel false;

type anacron_exec_t;
files_make_file(anacron_exec_t)

type cron_spool_t;
files_make_file(cron_spool_t)

type crond_t; #, privmail, nscd_client_domain
type crond_exec_t;
init_make_daemon_domain(crond_t,crond_exec_t)
domain_make_file_descriptors_widely_inheritable(crond_t)

type crond_log_t;
logging_make_log_file(crond_log_t)

type crond_tmp_t;
files_make_temporary_file(crond_tmp_t)

type crond_var_run_t;
files_make_daemon_runtime_file(crond_var_run_t)

type crontab_exec_t;
files_make_file(crontab_exec_t)

type system_cron_spool_t;
type system_crond_t; #, privmail, nscd_client_domain;
init_make_daemon_domain(system_crond_t,anacron_exec_t)
corecommands_make_shell_entrypoint(system_crond_t)
role system_r types system_crond_t;

type system_crond_lock_t;
files_make_lock_file(system_crond_lock_t)

type system_crond_tmp_t;
files_make_temporary_file(system_crond_tmp_t)

########################################
#
# Cron Local policy
#

allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice };
dontaudit crond_t self:capability { sys_resource sys_tty_config };
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
allow crond_t self:process setexec;
allow crond_t self:fd use;
allow crond_t self:fifo_file { read getattr lock ioctl write append };
allow crond_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow crond_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
allow crond_t self:unix_dgram_socket sendto;
allow crond_t self:unix_stream_socket connectto;
allow crond_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
allow crond_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
allow crond_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
allow crond_t self:msg { send receive };

allow crond_t crond_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };

allow crond_t crond_var_run_t:file create_file_perms;
files_create_daemon_runtime_data(crond_t,crond_var_run_t)

allow crond_t crond_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
allow crond_t crond_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
files_create_private_tmp_data(crond_t, crond_tmp_t, { file dir })

allow crond_t cron_spool_t:dir { getattr search read };
allow crond_t cron_spool_t:file { getattr read };
allow crond_t system_cron_spool_t:dir { getattr search read };
allow crond_t system_cron_spool_t:file { getattr read };

kernel_read_kernel_sysctl(crond_t)
kernel_read_hardware_state(crond_t)
kernel_get_selinuxfs_mount_point(crond_t)
kernel_validate_selinux_context(crond_t)
kernel_compute_selinux_access_vector(crond_t)
kernel_compute_selinux_create_context(crond_t)
kernel_compute_selinux_relabel_context(crond_t)
kernel_compute_selinux_reachable_user_contexts(crond_t)

devices_get_pseudorandom_data(crond_t)

filesystem_get_all_filesystems_attributes(crond_t)

terminal_ignore_use_console(crond_t)

# need auth_chkpwd to check for locked accounts.
authlogin_check_password_transition(crond_t)

corecommands_execute_shell(crond_t)
corecommands_read_system_programs_directory(crond_t)

domain_use_widely_inheritable_file_descriptors(crond_t)

files_read_general_system_config(crond_t)
files_read_system_spools(crond_t)

init_use_file_descriptors(crond_t)
init_script_use_pseudoterminal(crond_t)

libraries_use_dynamic_loader(crond_t)
libraries_use_shared_libraries(crond_t)

logging_send_system_log_message(crond_t)

selinux_read_config(crond_t)
selinux_read_default_contexts(crond_t)
selinux_newrole_sigchld(crond_t)

miscfiles_read_localization(crond_t)

userdomain_use_all_unprivileged_users_file_descriptors(crond_t)

tunable_policy(`fcron_crond', `
allow crond_t system_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
')

tunable_policy(`targeted_policy', `
terminal_ignore_use_general_physical_terminal(crond_t)
terminal_ignore_use_general_pseudoterminal(crond_t)
files_ignore_read_rootfs_file(crond_t)
')

optional_policy(`udev.te', `
udev_read_database(crond_t)
')

ifdef(`TODO',`
# NB The constraints file has some entries for crond_t, this makes it
# different from all other domains...

allow crond_t autofs_t:dir { search getattr };
dontaudit crond_t sysadm_home_dir_t:dir search;

optional_policy(`rhgb.te', `
allow crond_t rhgb_t:process sigchld;
allow crond_t rhgb_t:fd use;
allow crond_t rhgb_t:fifo_file { read write };
')

can_ypbind(crond_t)
ifdef(`automount.te', `
allow crond_t autofs_t:dir { search getattr };
')

# Read from /var/spool/cron.
allow crond_t var_lib_t:dir search;
allow crond_t mail_spool_t:dir search;
# for if /var/mail is a symlink
allow crond_t mail_spool_t:lnk_file read;

allow crond_t default_t:dir search;

# crond tries to search /root.  Not sure why.
allow crond_t sysadm_home_dir_t:dir r_dir_perms;

# to search /home
allow crond_t user_home_dir_type:dir r_dir_perms;

ifdef(`distro_redhat', `
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
ifdef(`rpm.te', `
allow crond_t rpm_log_t: file create_file_perms;

system_crond_entry(rpm_exec_t, rpm_t)
allow system_crond_t rpm_log_t:file create_file_perms;
')
')
') dnl endif TODO

########################################
#
# System cron process domain
#

allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
allow system_crond_t self:process { sigkill sigstop signull signal setsched };
allow system_crond_t self:fifo_file { read getattr write append };
allow system_crond_t self:passwd rootok;

# The entrypoint interface is not used as this is not
# a regular entrypoint.  Since crontab files are
# not directly executed, crond must ensure that
# the crontab file has a type that is appropriate
# for the domain of the user cron job.  It
# performs an entrypoint permission check
# for this purpose.
allow system_crond_t system_cron_spool_t:file entrypoint;

allow system_crond_t system_cron_spool_t:file { getattr read };

# Permit a transition from the crond_t domain to this domain.
# The transition is requested explicitly by the modified crond 
# via setexeccon.  There is no way to set up an automatic
# transition, since crontabs are configuration files, not executables.
allow crond_t system_crond_t:process transition;
dontaudit crond_t system_crond_t:process { noatsecure siginh rlimitinh };
allow crond_t system_crond_t:fd use;
allow system_crond_t crond_t:fd use;
allow system_crond_t crond_t:fifo_file rw_file_perms;
allow system_crond_t crond_t:process sigchld;

# Write /var/lock/makewhatis.lock.
allow system_crond_t system_crond_lock_t:file { create ioctl read getattr lock write setattr append link unlink rename };
files_create_private_lock_file(system_crond_t,system_crond_lock_t)

# write temporary files
allow system_crond_t system_crond_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
files_create_private_tmp_data(system_crond_t,system_crond_tmp_t)

# write temporary files in crond tmp dir:
allow system_crond_t crond_tmp_t:dir { getattr search read write add_name remove_name };
type_transition system_crond_t crond_tmp_t:file system_crond_tmp_t;

# Read from /var/spool/cron.
allow system_crond_t cron_spool_t:dir { getattr search read };
allow system_crond_t cron_spool_t:file { getattr read };

# Access crond log files
allow system_crond_t crond_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };
logging_create_private_log(system_crond_t,crond_log_t)

kernel_read_kernel_sysctl(system_crond_t)
kernel_read_system_state(system_crond_t)
kernel_read_software_raid_state(system_crond_t)

# ps does not need to access /boot when run from cron
bootloader_ignore_search_bootloader_data_directory(system_crond_t)

corenetwork_network_tcp_on_all_interfaces(system_crond_t)
corenetwork_network_raw_on_all_interfaces(system_crond_t)
corenetwork_network_udp_on_all_interfaces(system_crond_t)
corenetwork_network_tcp_on_all_nodes(system_crond_t)
corenetwork_network_raw_on_all_nodes(system_crond_t)
corenetwork_network_udp_on_all_nodes(system_crond_t)
corenetwork_network_tcp_on_all_ports(system_crond_t)
corenetwork_network_udp_on_all_ports(system_crond_t)
corenetwork_bind_tcp_on_all_nodes(system_crond_t)
corenetwork_bind_udp_on_all_nodes(system_crond_t)

devices_get_all_block_device_attributes(system_crond_t)
devices_get_all_character_device_attributes(system_crond_t)
devices_get_pseudorandom_data(system_crond_t)

filesystem_get_all_filesystems_attributes(system_crond_t)
filesystem_get_all_file_attributes(system_crond_t)

init_use_file_descriptors(system_crond_t)
init_script_use_file_descriptors(system_crond_t)
init_script_use_pseudoterminal(system_crond_t)
init_script_read_runtime_data(system_crond_t)
init_script_ignore_modify_runtime_data(system_crond_t)

domain_execute_all_entrypoint_programs(system_crond_t)

files_execute_system_config_script(system_crond_t)
files_read_general_system_config(system_crond_t)
files_read_runtime_system_config(system_crond_t)
files_read_all_directories(system_crond_t)
files_get_all_file_attributes(system_crond_t)
files_read_general_application_resources(system_crond_t)
# for nscd:
files_ignore_search_runtime_data_directory(system_crond_t)
# Access other spool directories like
# /var/spool/anacron and /var/spool/slrnpull.
files_manage_system_spools(system_crond_t)

corecommands_execute_general_programs(system_crond_t)
corecommands_execute_system_programs(system_crond_t)

libraries_use_dynamic_loader(system_crond_t)
libraries_use_shared_libraries(system_crond_t)
libraries_execute_library_scripts(system_crond_t)
libraries_execute_dynamic_loader(system_crond_t)

logging_read_system_logs(system_crond_t)
logging_send_system_log_message(system_crond_t)

miscfiles_read_localization(system_crond_t)
miscfiles_read_man_pages(system_crond_t)
miscfiles_manage_man_page_cache(system_crond_t)

selinux_read_config(system_crond_t)

if (cron_can_relabel) {
selinux_setfiles_transition(system_crond_t)
} else {
kernel_get_selinuxfs_mount_point(system_crond_t)
kernel_validate_selinux_context(system_crond_t)
kernel_compute_selinux_access_vector(system_crond_t)
kernel_compute_selinux_create_context(system_crond_t)
kernel_compute_selinux_relabel_context(system_crond_t)
kernel_compute_selinux_reachable_user_contexts(system_crond_t)
selinux_read_file_contexts(system_crond_t)
}

ifdef(`TODO',`

can_ypbind(system_crond_t)

dontaudit userdomain system_crond_t:fd use;

# quiet other ps operations
dontaudit system_crond_t domain:dir { getattr search };

# Do not audit attempts to search unlabeled directories (e.g. slocate).
dontaudit system_crond_t unlabeled_t:dir r_dir_perms;
dontaudit system_crond_t unlabeled_t:file r_file_perms;

allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;

# prelink tells init to restart it self, we either need to allow or dontaudit
allow system_crond_t initctl_t:fifo_file write;

allow system_crond_t var_t:dir r_dir_perms;
allow system_crond_t var_t:file { getattr read ioctl };

# Write to /var/lib/slocate.db.
allow system_crond_t var_lib_t:dir rw_dir_perms;
allow system_crond_t var_lib_t:file create_file_perms;

# for if /var/mail is a symlink
allow system_crond_t mail_spool_t:lnk_file read;

#
#  These rules are here to allow system cron jobs to su
#
ifdef(`su.te', `
su_restricted_domain(system_crond,system)
role system_r types system_crond_su_t;
allow system_crond_su_t crond_t:fifo_file ioctl;
')

#
# Required for webalizer
#
ifdef(`apache.te', `
allow system_crond_t httpd_log_t:file { getattr read };
')

tunable_policy(`distro_redhat', `
optional_policy(`rpm.te', `
allow system_crond_t rpm_log_t:file create_file_perms;
')
')

ifdef(`mta.te', `
mta_send_mail_transition(system_crond_t)

# system_mail_t should only be reading from the cron fifo not needing to write
dontaudit system_mail_t crond_t:fifo_file write;
allow mta_user_agent system_crond_t:fd use;
r_dir_file(system_mail_t, crond_tmp_t)
')

') dnl end TODO