diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
index 969629e..2eefc08 100644
--- a/policy/modules/services/cron.fc
+++ b/policy/modules/services/cron.fc
@@ -1,3 +1,4 @@
+/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
 /etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
 /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
@@ -17,9 +18,8 @@
 /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
 /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/spool/at -d gen_context(system_u:object_r:cron_spool_t,s0)
-/var/spool/at/spool -d gen_context(system_u:object_r:cron_spool_t,s0)
-/var/spool/at/[^/]* -- <>
+/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
 /var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
 #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
@@ -41,7 +41,7 @@ ifdef(`distro_suse', `
 #/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
 /var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0)
-/var/spool/fcron/[^/]* <>
+/var/spool/fcron/.* <>
 /var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
 /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
 /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index 8933f6d..44caccc 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
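Review bot: `/var/spool/fcron/.* <>` in the last hunk now exempts every path below /var/spool/fcron from being assigned a context by setfiles/restorecon, not only the direct children that `[^/]*` covered; the explicit `systab`, `systab\.orig` and `new\.systab` entries that follow still win for those names, since the last matching file_contexts entry takes precedence. A one-line comment above it stating that fcron's own spool entries are intentionally left at whatever label they are created with would save the next reader from reading it as an omission. In the second hunk `/var/spool/at(/.*)?` moves from a cron_spool_t directory with `<>` job files to user_cron_spool_t throughout, and the cron.if change in this same commit grants crontab domains manage rights on user_cron_spool_t files, so at job files become writable by every crontab domain — please confirm that is intended.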
@@ -31,16 +31,16 @@ template(`cron_common_crontab_template',`
 # dac_override is to create the file in the directory under /tmp
 allow $1_t self:capability { fowner setuid setgid chown dac_override };
- allow $1_t self:process signal_perms;
+ allow $1_t self:process { setsched signal_perms };
+ allow $1_t self:fifo_file rw_fifo_file_perms;
 allow $1_t $1_tmp_t:file manage_file_perms;
- files_tmp_filetrans($1_t,$1_tmp_t, file)
+ files_tmp_filetrans($1_t, $1_tmp_t, file)
 # create files in /var/spool/cron
- # cjp: change this to a role transition
- manage_files_pattern($1_t, cron_spool_t, user_cron_spool_t)
+ manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
 filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file)
- files_search_spool($1_t)
+ files_list_spool($1_t)
 # crontab signals crond by updating the mtime on the spooldir
 allow $1_t cron_spool_t:dir setattr;
@@ -55,9 +55,16 @@ template(`cron_common_crontab_template',`
 domain_use_interactive_fds($1_t)
 files_read_etc_files($1_t)
+ files_read_usr_files($1_t)
 files_dontaudit_search_pids($1_t)
+ auth_domtrans_chk_passwd($1_t)
+ logging_send_syslog_msg($1_t)
+ logging_send_audit_msgs($1_t)
+
+ init_dontaudit_write_utmp($1_t)
+ init_read_utmp($1_t)
 miscfiles_read_localization($1_t)
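Review bot: `auth_domtrans_chk_passwd($1_t)` in the second hunk gives every crontab domain produced by this template a transition into the password-checking helper, and `init_read_utmp`/`init_dontaudit_write_utmp` follow it with no rationale either, whereas the template explains its other privilege grants (`# dac_override is to create the file in the directory under /tmp`). Please add a why-comment above the chk_passwd line — `# chkpwd: <reason crontab must verify the account>` with the reason filled in — so the grant can be revisited later. In the first hunk, `manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)` widens the directories in which a crontab domain may manage its tables and silently drops the `# cjp: change this to a role transition` note; a one-liner saying whether that plan is abandoned would keep the intent visible. The template body continues beyond both hunks.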
@@ -253,19 +260,64 @@ interface(`cron_system_entry',`
 type crond_t, system_cronjob_t;
 ')
- domain_auto_trans(system_cronjob_t, $2, $1)
+ domtrans_pattern(system_cronjob_t, $2, $1)
+ domtrans_pattern(crond_t, $2, $1)
- # cjp: perhaps these four rules from the old
- # domain_auto_trans are not needed?
- allow $1 system_cronjob_t:fd use;
- allow $1 system_cronjob_t:fifo_file rw_file_perms;
- allow $1 system_cronjob_t:process sigchld;
+ role system_r types $1;
+')
- allow $1 crond_t:fifo_file rw_file_perms;
- allow $1 crond_t:fd use;
- allow $1 crond_t:process sigchld;
+########################################
+##
+## Execute cron in the cron system domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_domtrans',`
+ gen_require(`
+ type system_cronjob_t, crond_exec_t;
+ ')
- role system_r types $1;
+ domtrans_pattern($1, crond_exec_t, system_cronjob_t)
+')
+
+########################################
+##
+## Execute crond_exec_t
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_exec',`
+ gen_require(`
+ type crond_exec_t;
+ ')
+
+ can_exec($1, crond_exec_t)
+')
+
+########################################
+##
+## Execute crond server in the nscd domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`cron_initrc_domtrans',`
+ gen_require(`
+ type crond_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, crond_initrc_exec_t)
 ')
 ########################################
@@ -379,6 +431,24 @@ interface(`cron_rw_tcp_sockets',`
 ########################################
 ##
+## Dontaudit Read, and write cron daemon TCP sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_dontaudit_rw_tcp_sockets',`
+ gen_require(`
+ type crond_t;
+ ')
+
+ dontaudit $1 crond_t:tcp_socket { read write };
+')
+
+########################################
+##
 ## Search the directory containing user cron tables.
 ##
 ##
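Review bot: The summary of `cron_initrc_domtrans` reads `Execute crond server in the nscd domain.`, which looks copied from another module; it should describe the body, e.g. `Execute the cron init script in the init script domain.`, and its parameter text `The type of the process performing this action.` is the only one in this hunk that does not use the `Domain allowed access.` wording of the neighbouring interfaces. Separately, `cron_system_entry` now adds `domtrans_pattern(crond_t, $2, $1)` next to the system_cronjob_t transition, so the caller's domain can be entered directly from crond_t via $2 rather than only from a system cron job; if that is intended, a comment naming the jobs that are launched straight from crond would document the wider transition set. Dropping the explicit `fd use`/`fifo_file`/`sigchld` rules is fine, since domtrans_pattern provides them.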
@@ -398,6 +468,24 @@ interface(`cron_search_spool',`
 ########################################
 ##
+## Manage pid files used by cron
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_manage_pid_files',`
+ gen_require(`
+ type crond_var_run_t;
+ ')
+
+ manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
+')
+
+########################################
+##
 ## Execute anacron in the cron system domain.
 ##
 ##
@@ -471,6 +559,24 @@ interface(`cron_rw_system_job_pipes',`
 ########################################
 ##
+## Allow read/write unix stream sockets from the system cron jobs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_rw_system_job_stream_sockets',`
+ gen_require(`
+ type system_cronjob_t;
+ ')
+
+ allow $1 system_cronjob_t:unix_stream_socket { read write };
+')
+
+########################################
+##
 ## Read temporary files from the system cron jobs.
 ##
 ##
@@ -504,5 +610,24 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
 type system_cronjob_tmp_t;
 ')
- dontaudit $1 system_cronjob_tmp_t:file append;
+ dontaudit $1 system_cronjob_tmp_t:file append_file_perms;
+')
+
+########################################
+##
+## Do not audit attempts to write temporary
+## files from the system cron jobs.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`cron_dontaudit_write_system_job_tmp_files',`
+ gen_require(`
+ type system_cronjob_tmp_t;
+ ')
+
+ dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
 ')
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index d73dc11..fe7c449 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -1,5 +1,5 @@
-policy_module(cron, 2.1.1)
+policy_module(cron, 2.1.2)
 gen_require(`
 class passwd rootok;
@@ -38,6 +38,9 @@ files_type(cron_spool_t)
 type cron_var_lib_t;
 files_type(cron_var_lib_t)
+type cron_var_run_t;
+files_type(cron_var_run_t)
+
 # var/log files
 type cron_log_t;
 logging_log_file(cron_log_t)
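Review bot: `type cron_var_run_t;` / `files_type(cron_var_run_t)` in the last hunk introduce a type that nothing else in this diff references — the crond_t pid-file rules in the later cron.te hunk use crond_var_run_t, and cron.fc gains no entry for it. If it is meant to label something under /var/run, the refpolicy convention is `files_pid_file(cron_var_run_t)` rather than `files_type`, and it needs a matching cron.fc line; if it is a leftover, drop it. Either way a comment above the declaration (`# /var/run files`, mirroring the `# var/log files` comment just below) would state its purpose.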
@@ -56,6 +59,9 @@ init_daemon_domain(crond_t, crond_exec_t)
 domain_interactive_fd(crond_t)
 domain_cron_exemption_source(crond_t)
+type crond_initrc_exec_t;
+init_script_file(crond_initrc_exec_t)
+
 type crond_tmp_t;
 files_tmp_file(crond_tmp_t)
@@ -99,7 +105,7 @@ domain_cron_exemption_target(unconfined_cronjob_t)
 # Type of user crontabs once moved to cron spool.
 type user_cron_spool_t, cron_spool_type;
-typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t };
+typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
 typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
 files_type(user_cron_spool_t)
 ubac_constrained(user_cron_spool_t)
@@ -131,7 +137,7 @@ tunable_policy(`fcron_crond', `
 # Cron daemon local policy
 #
-allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search audit_control };
+allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
 dontaudit crond_t self:capability { sys_resource sys_tty_config };
 allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow crond_t self:process { setexec setfscreate };
@@ -147,20 +153,23 @@ allow crond_t self:msgq create_msgq_perms;
 allow crond_t self:msg { send receive };
 allow crond_t self:key { search write link };
-allow crond_t crond_var_run_t:file manage_file_perms;
+manage_files_pattern(crond_t, cron_log_t, cron_log_t)
+logging_log_filetrans(crond_t, cron_log_t, file)
+
+manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
 files_pid_filetrans(crond_t, crond_var_run_t, file)
-allow crond_t cron_spool_t:dir rw_dir_perms;
-allow crond_t cron_spool_t:file read_file_perms;
+manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
 manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
 manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
 files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
-allow crond_t system_cron_spool_t:dir list_dir_perms;
-allow crond_t system_cron_spool_t:file read_file_perms;
+list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
+read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
 kernel_read_kernel_sysctls(crond_t)
+kernel_read_fs_sysctls(crond_t)
 kernel_search_key(crond_t)
 dev_read_sysfs(crond_t)
@@ -175,6 +184,7 @@ dev_read_urand(crond_t)
 fs_getattr_all_fs(crond_t)
 fs_search_auto_mountpoints(crond_t)
+fs_list_inotifyfs(crond_t)
 # need auth_chkpwd to check for locked accounts.
 auth_domtrans_chk_passwd(crond_t)
@@ -185,6 +195,8 @@ corecmd_read_bin_symlinks(crond_t)
 domain_use_interactive_fds(crond_t)
+files_read_usr_files(crond_t)
+files_read_etc_runtime_files(crond_t)
 files_read_etc_files(crond_t)
 files_read_generic_spool(crond_t)
 files_list_usr(crond_t)
@@ -193,6 +205,7 @@ files_search_var_lib(crond_t)
 files_search_default(crond_t)
 init_rw_utmp(crond_t)
+init_spec_domtrans_script(crond_t)
 auth_use_nsswitch(crond_t)
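Review bot: `manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)` replaces `allow crond_t cron_spool_t:file read_file_perms;`, so crond can now create, write and unlink cron_spool_t files unconditionally, while write access to system_cron_spool_t and user_cron_spool_t in this same file stays behind the `fcron_crond` tunable (the `@@ -228` and `@@ -571` hunks). If crond really writes cron_spool_t files in every configuration, a comment saying what it writes there would justify the widening; otherwise the rule belongs inside the tunable with the other two. The directory side is unchanged in effect, since manage_files_pattern carries the `rw_dir_perms` the removed line granted. The new `manage_files_pattern(crond_t, cron_log_t, cron_log_t)` plus `logging_log_filetrans` likewise lets crond create its own log files; a short comment above it naming the log it writes would match the `# need auth_chkpwd to check for locked accounts.` style used later in this line's hunks.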
@@ -228,13 +241,17 @@ ifdef(`distro_redhat', `
 ')
 ')
+tunable_policy(`fcron_crond', `
+ allow crond_t system_cron_spool_t:file manage_file_perms;
+')
+
 optional_policy(`
 locallogin_search_keys(crond_t)
 locallogin_link_keys(crond_t)
 ')
-tunable_policy(`fcron_crond', `
- allow crond_t system_cron_spool_t:file manage_file_perms;
+optional_policy(`
+ amanda_search_var_lib(crond_t)
 ')
 optional_policy(`
@@ -242,7 +259,7 @@ optional_policy(`
 ')
 optional_policy(`
- hal_dbus_send(crond_t)
+ hal_dbus_chat(crond_t)
 ')
 optional_policy(`
@@ -251,6 +268,10 @@ optional_policy(`
 ')
 optional_policy(`
+ rpc_search_nfs_state_data(crond_t)
+')
+
+optional_policy(`
 # Commonly used from postinst scripts
 rpm_read_pipes(crond_t)
 ')
@@ -269,8 +290,8 @@ optional_policy(`
 # System cron process domain
 #
-allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
-allow system_cronjob_t self:process { signal_perms setsched };
+allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
+allow system_cronjob_t self:process { signal_perms getsched setsched };
 allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
 allow system_cronjob_t self:passwd rootok;
@@ -371,7 +392,8 @@ init_use_script_fds(system_cronjob_t)
 init_read_utmp(system_cronjob_t)
 init_dontaudit_rw_utmp(system_cronjob_t)
 # prelink tells init to restart it self, we either need to allow or dontaudit
-init_write_initctl(system_cronjob_t)
+init_telinit(system_cronjob_t)
+init_domtrans_script(system_cronjob_t)
 auth_use_nsswitch(system_cronjob_t)
@@ -379,6 +401,7 @@ libs_exec_lib_files(system_cronjob_t)
 libs_exec_ld_so(system_cronjob_t)
 logging_read_generic_logs(system_cronjob_t)
+logging_send_audit_msgs(system_cronjob_t)
 logging_send_syslog_msg(system_cronjob_t)
 miscfiles_read_localization(system_cronjob_t)
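Review bot: The comment `# prelink tells init to restart it self, we either need to allow or dontaudit` now heads two rules, but it only explains `init_telinit(system_cronjob_t)`; `init_domtrans_script(system_cronjob_t)` additionally lets any system cron job run init scripts in the init script domain, which is a separate and broader grant. Please give it its own comment stating which job needs it (`# <job>: runs service init scripts`, with the observed case filled in) rather than letting the prelink note appear to justify both.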
@@ -429,6 +452,10 @@ optional_policy(`
 ')
 optional_policy(`
+ lpd_list_spool(system_cronjob_t)
+')
+
+optional_policy(`
 mrtg_append_create_logs(system_cronjob_t)
 ')
@@ -445,9 +472,11 @@ optional_policy(`
 ')
 optional_policy(`
- prelink_read_cache(system_cronjob_t)
- prelink_manage_log(system_cronjob_t)
 prelink_delete_cache(system_cronjob_t)
+ prelink_manage_lib(system_cronjob_t)
+ prelink_manage_log(system_cronjob_t)
+ prelink_read_cache(system_cronjob_t)
+ prelink_relabelfrom_lib(system_cronjob_t)
 ')
 optional_policy(`
@@ -461,8 +490,7 @@ optional_policy(`
 ')
 optional_policy(`
- # cjp: why?
- squid_domtrans(system_cronjob_t)
+ spamassassin_manage_lib_files(system_cronjob_t)
 ')
 optional_policy(`
@@ -474,20 +502,11 @@ optional_policy(`
 userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
 ')
-ifdef(`TODO',`
-ifdef(`mta.te', `
-allow system_cronjob_t mail_spool_t:lnk_file read;
-allow mta_user_agent system_cronjob_t:fd use;
-r_dir_file(system_mail_t, crond_tmp_t)
-')
-') dnl end TODO
-
 ########################################
 #
 # User cronjobs local policy
 #
-allow cronjob_t self:capability dac_override;
 allow cronjob_t self:process { signal_perms setsched };
 allow cronjob_t self:fifo_file rw_fifo_file_perms;
 allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
@@ -571,6 +590,9 @@ userdom_manage_user_home_content_pipes(cronjob_t)
 userdom_manage_user_home_content_sockets(cronjob_t)
 #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
+list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+
 tunable_policy(`fcron_crond', `
 allow crond_t user_cron_spool_t:file manage_file_perms;
 ')
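Review bot: `prelink_manage_lib(system_cronjob_t)` and `prelink_relabelfrom_lib(system_cronjob_t)` in the second hunk let every system cron job rewrite and relabel the library files prelink manages, which is far broader than the cache/log access this optional_policy block had before. A comment tying the grant to prelink's scheduled run (`# prelink's cron job rewrites and relabels shared libraries in place`) would record why it lives in the generic system_cronjob_t domain; if the prelink module offers a domain transition for its binary, confining that job to its own domain would be the tighter alternative.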
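Review bot: The `list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)` and `read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)` lines in the last hunk are crond_t rules, yet they are added under `# User cronjobs local policy` among cronjob_t's own rules. Moving them, together with the `fcron_crond` tunable they sit beside, to the cron daemon section keeps crond's spool access in one place and makes the read-versus-manage split across the spool types easier to audit.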