diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
index 969629e..2eefc08 100644
--- a/policy/modules/services/cron.fc
+++ b/policy/modules/services/cron.fc
@@ -1,3 +1,4 @@
+/etc/rc\.d/init\.d/atd		--	gen_context(system_u:object_r:crond_initrc_exec_t,s0)
 
 /etc/cron\.d(/.*)?			gen_context(system_u:object_r:system_cron_spool_t,s0)
 /etc/crontab			--	gen_context(system_u:object_r:system_cron_spool_t,s0)
@@ -17,9 +18,8 @@
 /var/run/fcron\.fifo		-s	gen_context(system_u:object_r:crond_var_run_t,s0)
 /var/run/fcron\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
 
-/var/spool/at			-d	gen_context(system_u:object_r:cron_spool_t,s0)
-/var/spool/at/spool		-d	gen_context(system_u:object_r:cron_spool_t,s0)
-/var/spool/at/[^/]*		--	<<none>>
+/var/spool/anacron(/.*)?		gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/at(/.*)?			gen_context(system_u:object_r:user_cron_spool_t,s0)
 
 /var/spool/cron			-d	gen_context(system_u:object_r:cron_spool_t,s0)
 #/var/spool/cron/root		--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
@@ -41,7 +41,7 @@ ifdef(`distro_suse', `
 #/var/spool/cron/crontabs/root	--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
 
 /var/spool/fcron		-d	gen_context(system_u:object_r:cron_spool_t,s0)
-/var/spool/fcron/[^/]*			<<none>>
+/var/spool/fcron/.*			<<none>>
 /var/spool/fcron/systab\.orig	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
 /var/spool/fcron/systab		--	gen_context(system_u:object_r:system_cron_spool_t,s0)
 /var/spool/fcron/new\.systab	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index 8933f6d..44caccc 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -31,16 +31,16 @@ template(`cron_common_crontab_template',`
 
 	# dac_override is to create the file in the directory under /tmp
 	allow $1_t self:capability { fowner setuid setgid chown dac_override };
-	allow $1_t self:process signal_perms;
+	allow $1_t self:process { setsched signal_perms };
+	allow $1_t self:fifo_file rw_fifo_file_perms;
 
 	allow $1_t $1_tmp_t:file manage_file_perms;
-	files_tmp_filetrans($1_t,$1_tmp_t, file)
+	files_tmp_filetrans($1_t, $1_tmp_t, file)
 
 	# create files in /var/spool/cron
-	# cjp: change this to a role transition
-	manage_files_pattern($1_t, cron_spool_t, user_cron_spool_t)
+	manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
 	filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file)
-	files_search_spool($1_t)
+	files_list_spool($1_t)
 
 	# crontab signals crond by updating the mtime on the spooldir
 	allow $1_t cron_spool_t:dir setattr;
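Review bot: The comment `# create files in /var/spool/cron` no longer describes the rule beneath it, because `manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)` now also lets each crontab domain add and remove entries in directories labelled user_cron_spool_t. The same commit labels /var/spool/at and everything under it with that type in cron.fc, so presumably that is the directory meant; the comment could say so, e.g. `# create files in /var/spool/cron and /var/spool/at`. The switch from `files_search_spool` to `files_list_spool` also widens access to the parent spool directory and deserves a one-line reason. The template body starts and ends outside this hunk.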
@@ -55,9 +55,16 @@ template(`cron_common_crontab_template',`
 	domain_use_interactive_fds($1_t)
 
 	files_read_etc_files($1_t)
+	files_read_usr_files($1_t)
 	files_dontaudit_search_pids($1_t)
 
+	auth_domtrans_chk_passwd($1_t)
+
 	logging_send_syslog_msg($1_t)
+	logging_send_audit_msgs($1_t)
+
+	init_dontaudit_write_utmp($1_t)
+	init_read_utmp($1_t)
 
 	miscfiles_read_localization($1_t)
 
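Review bot: `auth_domtrans_chk_passwd($1_t)` and `logging_send_audit_msgs($1_t)` are added to the crontab template without a comment, and both are notable grants for a template that is instantiated per caller. One lets the crontab program run the password-checking helper, and the other lets it emit audit records. If the reason is that crontab authenticates through PAM and records crontab edits in the audit trail (not visible in this hunk), a comment such as `# crontab uses PAM and audits crontab changes` above them would show the access is intentional. `init_dontaudit_write_utmp($1_t)` hides utmp write denials, so the denial it was added to silence is worth naming as well.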
@@ -253,19 +260,64 @@ interface(`cron_system_entry',`
 		type crond_t, system_cronjob_t;
 	')
 
-	domain_auto_trans(system_cronjob_t, $2, $1)
+	domtrans_pattern(system_cronjob_t, $2, $1)
+	domtrans_pattern(crond_t, $2, $1)
 
-	# cjp: perhaps these four rules from the old
-	# domain_auto_trans are not needed?
-	allow $1 system_cronjob_t:fd use;
-	allow $1 system_cronjob_t:fifo_file rw_file_perms;
-	allow $1 system_cronjob_t:process sigchld;
+	role system_r types $1;
+')
 
-	allow $1 crond_t:fifo_file rw_file_perms;
-	allow $1 crond_t:fd use;
-	allow $1 crond_t:process sigchld;
+########################################
+## <summary>
+##	Execute cron in the cron system domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_domtrans',`
+	gen_require(`
+		type system_cronjob_t, crond_exec_t;
+	')
 
-	role system_r types $1;
+	domtrans_pattern($1, crond_exec_t, system_cronjob_t)
+')
+
+########################################
+## <summary>
+##	Execute crond_exec_t 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_exec',`
+	gen_require(`
+		type crond_exec_t;
+	')
+
+	can_exec($1, crond_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute crond server in the nscd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`cron_initrc_domtrans',`
+	gen_require(`
+		type crond_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, crond_initrc_exec_t)
 ')
 
 ########################################
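Review bot: `cron_domtrans` sends the caller into `system_cronjob_t` when it executes `crond_exec_t`, although cron.te ties that entry file to the daemon domain with `init_daemon_domain(crond_t, crond_exec_t)`. Either the target should be `crond_t`, or the summary should explain why running the daemon binary lands in the system job domain. The summary of `cron_initrc_domtrans` reads `Execute crond server in the nscd domain.`, which looks copied from the nscd module; something like `Execute the cron init script in the init script domain.` would fit the `init_labeled_script_domtrans($1, crond_initrc_exec_t)` call. The `cron_exec` summary would also be clearer as `Execute crond in the caller domain.`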
@@ -379,6 +431,24 @@ interface(`cron_rw_tcp_sockets',`
 
 ########################################
 ## <summary>
+##	Dontaudit Read, and write cron daemon TCP sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_dontaudit_rw_tcp_sockets',`
+	gen_require(`
+		type crond_t;
+	')
+
+	dontaudit $1 crond_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
 ##	Search the directory containing user cron tables.
 ## </summary>
 ## <param name="domain">
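Review bot: The doc block for `cron_dontaudit_rw_tcp_sockets` does not follow the wording the other dontaudit interfaces in this file use. `cron_dontaudit_write_system_job_tmp_files` uses `Do not audit attempts to ...` and `Domain to not audit.`; here the summary should read `Do not audit attempts to read and write cron daemon TCP sockets.` and the parameter text should be `Domain to not audit.` rather than `Domain allowed access.`, because the rule grants nothing.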
@@ -398,6 +468,24 @@ interface(`cron_search_spool',`
 
 ########################################
 ## <summary>
+##	Manage pid files used by cron
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_manage_pid_files',`
+	gen_require(`
+		type crond_var_run_t;
+	')
+
+	manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
+')
+
+########################################
+## <summary>
 ##	Execute anacron in the cron system domain.
 ## </summary>
 ## <param name="domain">
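Review bot: `cron_manage_pid_files` has no `files_search_pids($1)` before the `manage_files_pattern` line, so the caller is given no way to reach the pid directory. cron.fc labels individual files under /var/run (for example /var/run/fcron.pid) with `crond_var_run_t`, so a caller that cannot already search the pid directory would presumably still be denied. Adding `files_search_pids($1)` keeps the interface self-contained. It is also worth confirming that the directory type in the pattern should be `crond_var_run_t` rather than the generic pid directory type.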
@@ -471,6 +559,24 @@ interface(`cron_rw_system_job_pipes',`
 
 ########################################
 ## <summary>
+##	Allow read/write unix stream sockets from the system cron jobs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cron_rw_system_job_stream_sockets',`
+	gen_require(`
+		type system_cronjob_t;
+	')
+
+	allow $1 system_cronjob_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
 ##	Read temporary files from the system cron jobs.
 ## </summary>
 ## <param name="domain">
@@ -504,5 +610,24 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
 		type system_cronjob_tmp_t;
 	')
 
-	dontaudit $1 system_cronjob_tmp_t:file append;
+	dontaudit $1 system_cronjob_tmp_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write temporary
+##	files from the system cron jobs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`cron_dontaudit_write_system_job_tmp_files',`
+	gen_require(`
+		type system_cronjob_tmp_t;
+	')
+
+	dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
 ')
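Review bot: Both dontaudit rules here appear to silence more than their summaries say, because, as far as I recall the refpolicy permission sets, `append_file_perms` and `write_file_perms` also cover permissions such as getattr, lock and ioctl rather than only append or write. Since dontaudit rules drop AVC denials from the audit log, any caller of these interfaces can touch system cron job temporary files in those ways without leaving a record. Either keep the single permission, `dontaudit $1 system_cronjob_tmp_t:file write;`, or state in the summaries that related denials are suppressed too. `cron_dontaudit_append_system_job_tmp_files` starts outside this hunk.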
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index d73dc11..fe7c449 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -1,5 +1,5 @@
 
-policy_module(cron, 2.1.1)
+policy_module(cron, 2.1.2)
 
 gen_require(`
 	class passwd rootok;
@@ -38,6 +38,9 @@ files_type(cron_spool_t)
 type cron_var_lib_t;
 files_type(cron_var_lib_t)
 
+type cron_var_run_t;
+files_type(cron_var_run_t)
+
 # var/log files
 type cron_log_t;
 logging_log_file(cron_log_t)
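Review bot: The new `cron_var_run_t` is declared with `files_type()` and is not referenced by any rule or file context in the visible parts of this commit, while the pid files in cron.fc and the rules added further down all use `crond_var_run_t`. It looks like a near-duplicate name that later policy writers will confuse with the existing type. If it is really needed, `files_pid_file(cron_var_run_t)` plus a comment saying what it labels would be the expected declaration; otherwise the two added lines can be dropped.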
@@ -56,6 +59,9 @@ init_daemon_domain(crond_t, crond_exec_t)
 domain_interactive_fd(crond_t)
 domain_cron_exemption_source(crond_t)
 
+type crond_initrc_exec_t;
+init_script_file(crond_initrc_exec_t)
+
 type crond_tmp_t;
 files_tmp_file(crond_tmp_t)
 
@@ -99,7 +105,7 @@ domain_cron_exemption_target(unconfined_cronjob_t)
 
 # Type of user crontabs once moved to cron spool.
 type user_cron_spool_t, cron_spool_type;
-typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t };
+typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
 typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
 files_type(user_cron_spool_t)
 ubac_constrained(user_cron_spool_t)
@@ -131,7 +137,7 @@ tunable_policy(`fcron_crond', `
 # Cron daemon local policy
 #
 
-allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search audit_control };
+allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
 dontaudit crond_t self:capability { sys_resource sys_tty_config };
 allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow crond_t self:process { setexec setfscreate };
@@ -147,20 +153,23 @@ allow crond_t self:msgq create_msgq_perms;
 allow crond_t self:msg { send receive };
 allow crond_t self:key { search write link };
 
-allow crond_t crond_var_run_t:file manage_file_perms;
+manage_files_pattern(crond_t, cron_log_t, cron_log_t)
+logging_log_filetrans(crond_t, cron_log_t, file)
+
+manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
 files_pid_filetrans(crond_t, crond_var_run_t, file)
 
-allow crond_t cron_spool_t:dir rw_dir_perms;
-allow crond_t cron_spool_t:file read_file_perms;
+manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
 
 manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
 manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
 files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
 
-allow crond_t system_cron_spool_t:dir list_dir_perms;
-allow crond_t system_cron_spool_t:file read_file_perms;
+list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
+read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
 
 kernel_read_kernel_sysctls(crond_t)
+kernel_read_fs_sysctls(crond_t)
 kernel_search_key(crond_t)
 
 dev_read_sysfs(crond_t)
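Review bot: `manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)` replaces the daemon's read-only file access to the spool with create, write and unlink, unconditionally, whereas write access to the other spool types in this module is gated behind the `fcron_crond` tunable. If only one cron implementation needs this, the rule belongs inside that tunable, with `allow crond_t cron_spool_t:file read_file_perms;` kept as the default. The new `manage_files_pattern(crond_t, cron_log_t, cron_log_t)` raises a similar question: a daemon that may delete or rewrite its own log weakens the log as evidence, and append access would normally suffice if crond only writes log lines. A comment should name the operation that needs the full manage set.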
@@ -175,6 +184,7 @@ dev_read_urand(crond_t)
 
 fs_getattr_all_fs(crond_t)
 fs_search_auto_mountpoints(crond_t)
+fs_list_inotifyfs(crond_t)
 
 # need auth_chkpwd to check for locked accounts.
 auth_domtrans_chk_passwd(crond_t)
@@ -185,6 +195,8 @@ corecmd_read_bin_symlinks(crond_t)
 
 domain_use_interactive_fds(crond_t)
 
+files_read_usr_files(crond_t)
+files_read_etc_runtime_files(crond_t)
 files_read_etc_files(crond_t)
 files_read_generic_spool(crond_t)
 files_list_usr(crond_t)
@@ -193,6 +205,7 @@ files_search_var_lib(crond_t)
 files_search_default(crond_t)
 
 init_rw_utmp(crond_t)
+init_spec_domtrans_script(crond_t)
 
 auth_use_nsswitch(crond_t)
 
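Review bot: `init_spec_domtrans_script(crond_t)` has no comment explaining why the cron daemon needs to start init scripts in the init script domain, and the same applies to `init_domtrans_script(system_cronjob_t)` added further down in this file. The init script domain is typically among the most privileged in the policy, so a transition into it from cron should carry a stated reason. A line such as `# <consumer> restarts services through init scripts` above each call, with the actual job or package named in place of the placeholder, would make the grant reviewable.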
@@ -228,13 +241,17 @@ ifdef(`distro_redhat', `
 	')
 ')
 
+tunable_policy(`fcron_crond', `
+	allow crond_t system_cron_spool_t:file manage_file_perms;
+')
+
 optional_policy(`
 	locallogin_search_keys(crond_t)
 	locallogin_link_keys(crond_t)
 ')
 
-tunable_policy(`fcron_crond', `
-	allow crond_t system_cron_spool_t:file manage_file_perms;
+optional_policy(`
+	amanda_search_var_lib(crond_t)
 ')
 
 optional_policy(`
@@ -242,7 +259,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	hal_dbus_send(crond_t)
+	hal_dbus_chat(crond_t)
 ')
 
 optional_policy(`
@@ -251,6 +268,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	rpc_search_nfs_state_data(crond_t)
+')
+
+optional_policy(`
 	# Commonly used from postinst scripts
 	rpm_read_pipes(crond_t)
 ')
@@ -269,8 +290,8 @@ optional_policy(`
 # System cron process domain
 #
 
-allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
-allow system_cronjob_t self:process { signal_perms setsched };
+allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
+allow system_cronjob_t self:process { signal_perms getsched setsched };
 allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
 allow system_cronjob_t self:passwd rootok;
 
@@ -371,7 +392,8 @@ init_use_script_fds(system_cronjob_t)
 init_read_utmp(system_cronjob_t)
 init_dontaudit_rw_utmp(system_cronjob_t)
 # prelink tells init to restart it self, we either need to allow or dontaudit
-init_write_initctl(system_cronjob_t)
+init_telinit(system_cronjob_t)
+init_domtrans_script(system_cronjob_t)
 
 auth_use_nsswitch(system_cronjob_t)
 
@@ -379,6 +401,7 @@ libs_exec_lib_files(system_cronjob_t)
 libs_exec_ld_so(system_cronjob_t)
 
 logging_read_generic_logs(system_cronjob_t)
+logging_send_audit_msgs(system_cronjob_t)
 logging_send_syslog_msg(system_cronjob_t)
 
 miscfiles_read_localization(system_cronjob_t)
@@ -429,6 +452,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	lpd_list_spool(system_cronjob_t)
+')
+
+optional_policy(`
 	mrtg_append_create_logs(system_cronjob_t)
 ')
 
@@ -445,9 +472,11 @@ optional_policy(`
 ')	
 
 optional_policy(`
-	prelink_read_cache(system_cronjob_t)
-	prelink_manage_log(system_cronjob_t)
 	prelink_delete_cache(system_cronjob_t)
+	prelink_manage_lib(system_cronjob_t)
+	prelink_manage_log(system_cronjob_t)
+	prelink_read_cache(system_cronjob_t)
+	prelink_relabelfrom_lib(system_cronjob_t)
 ')
 
 optional_policy(`
@@ -461,8 +490,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	# cjp: why?
-	squid_domtrans(system_cronjob_t)
+	spamassassin_manage_lib_files(system_cronjob_t)
 ')
 
 optional_policy(`
@@ -474,20 +502,11 @@ optional_policy(`
 	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
 ')
 
-ifdef(`TODO',`
-ifdef(`mta.te', `
-allow system_cronjob_t mail_spool_t:lnk_file read;
-allow mta_user_agent system_cronjob_t:fd use;
-r_dir_file(system_mail_t, crond_tmp_t)
-')
-') dnl end TODO
-
 ########################################
 #
 # User cronjobs local policy
 #
 
-allow cronjob_t self:capability dac_override;
 allow cronjob_t self:process { signal_perms setsched };
 allow cronjob_t self:fifo_file rw_fifo_file_perms;
 allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
@@ -571,6 +590,9 @@ userdom_manage_user_home_content_pipes(cronjob_t)
 userdom_manage_user_home_content_sockets(cronjob_t)
 #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
 
+list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+
 tunable_policy(`fcron_crond', `
 	allow crond_t user_cron_spool_t:file manage_file_perms;
 ')
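Review bot: The two added `crond_t` rules sit in the `User cronjobs local policy` section, whose other visible rules are for `cronjob_t`; they read as daemon policy. Placing `list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)` and `read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)` next to the matching `system_cron_spool_t` pair in the cron daemon section would keep all of crond's spool access in one place. The neighbouring `fcron_crond` tunable block is also about `crond_t`, so moving it with them is an option.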