diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index 773a27b..e910bc0 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -134,6 +134,8 @@ seutil_sigchld_newrole(crond_t) miscfiles_read_localization(crond_t) userdom_use_unpriv_users_fd(crond_t) +# Not sure why this is needed +userdom_list_all_users_home_dir(crond_t) ifdef(`distro_redhat', ` # Run the rpm program in the rpm_t domain. Allow creation of RPM log files @@ -201,23 +203,6 @@ optional_policy(`udev',` udev_read_db(crond_t) ') -ifdef(`TODO',` -# NB The constraints file has some entries for crond_t, this makes it -# different from all other domains... - -# crond tries to search /root. Not sure why. -allow crond_t sysadm_home_dir_t:dir r_dir_perms; - -ifdef(`apache.te',` -allow system_crond_t httpd_modules_t:lnk_file read; -# Needed for certwatch -can_exec(system_crond_t, httpd_modules_t) -') - -# to search /home -allow crond_t user_home_dir_type:dir r_dir_perms; -') dnl endif TODO - ######################################## # # System cron process domain @@ -371,6 +356,11 @@ ifdef(`targeted_policy',` seutil_read_file_contexts(system_crond_t) ') + optional_policy(`apache',` + # Needed for certwatch + apache_exec_modules(system_crond_t) + ') + optional_policy(`cyrus',` cyrus_manage_data(system_crond_t) ') diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index b66833e..7513b24 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if 
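Review bot: In the cron.te hunk at -134, `userdom_list_all_users_home_dir(crond_t)` lets crond_t list every user's home directory, and the only justification is `# Not sure why this is needed`, which leaves the rule impossible to audit later. The TODO block this commit removes described the requirement as `# to search /home`, so a search-only grant may be sufficient, and userdomain.if already has a "Search all users home directories" interface right after the new one. Listing additionally lets the daemon enumerate the entry names in each home directory, which is more than path traversal needs. If list access really is required, record the evidence in the comment, for example `# crond lists the user home dir before running jobs (avc: <denial text placeholder>)`.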
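Review bot: In the cron.te hunk at -371, `apache_exec_modules(system_crond_t)` replaces two rules from the removed TODO block, `allow system_crond_t httpd_modules_t:lnk_file read;` and `can_exec(system_crond_t, httpd_modules_t)`. The interface is defined outside this diff, so it is not visible here whether the symlink read is still covered, which is worth confirming against apache.if. Assuming it grants execute without a domain transition, as the old `can_exec` did, anything labelled httpd_modules_t then runs with system_crond_t's privileges. I would expand the comment to say so, e.g. `# certwatch executes httpd modules in the caller domain (no transition)`.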
@@ -3238,6 +3238,23 @@ interface(`userdom_read_sysadm_home_files',` ######################################## ## +## List all users home directories. +## +## +## Domain allowed access. +## +# +interface(`userdom_list_all_users_home_dir',` + gen_require(` + attribute home_dir_type; + ') + + files_list_home($1) + allow $1 home_dir_type:dir list_dir_perms; +') + +######################################## +## ## Search all users home directories. ## ##
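Review bot: The summary for `userdom_list_all_users_home_dir` does not say how wide the grant is. The body gives `list_dir_perms` on every type carrying the `home_dir_type` attribute, plus `files_list_home($1)`. The attribute's members are not visible in this hunk, so if it includes administrative home directories, callers get listing access to those as well. I would extend the summary with a line such as `## Grants list access to every directory type with the home_dir_type attribute; prefer the search interface when only path traversal is needed.` so that callers pick the narrower interface by default.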