diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index 3848744..c72ccde 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -16,6 +16,16 @@
 domain_make_domain($1_crond_t);
 corecommands_make_shell_entrypoint($1_crond_t)
 role $1_r types $1_crond_t;
+type $1_crontab_t;
+domain_make_domain($1_crontab_t)
+domain_make_entrypoint_file($1_crontab_t,crontab_exec_t)
+role $1_r types $1_crontab_t;
+
+##############################
+#
+# $1_crond_t local policy
+#
+
 allow $1_crond_t self:capability dac_override;
 allow $1_crond_t self:process { sigkill sigstop signull signal setsched };
 allow $1_crond_t self:fifo_file { read getattr write append };
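Review bot: The new `$1_crontab_t` declarations (type, `domain_make_domain`, `domain_make_entrypoint_file($1_crontab_t,crontab_exec_t)`, role association) carry no comment saying what the domain is or where `crontab_exec_t` comes from, and the "$1_crond_t local policy" banner is inserted below them, so a reader scanning the template sees them as part of the crond section; a one-line comment above `type $1_crontab_t;` such as `# Domain for crontab(1) when run by $1_t, entered through crontab_exec_t.` would fix both. The entrypoint call also lacks the space after the comma that every other interface call in the hunk uses, `domain_make_entrypoint_file($1_crontab_t, crontab_exec_t)`. Note that declaring the entrypoint by itself does not give `$1_t` a way into the domain; the transition rule appears only later in this file inside a TODO guard. The enclosing template starts before this hunk.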
@@ -111,5 +121,89 @@
 dontaudit $1_crond_t boot_t:dir search;
 dontaudit $1_crond_t domain:dir { getattr search }; # for nscd
 dontaudit $1_crond_t var_run_t:dir search;
+
+') dnl endif TODO
+
+##############################
+#
+# $1_crontab_t local policy
+#
+
+# for ^Z
+allow $1_t $1_crontab_t:process signal;
+
+# Allow crond to read those crontabs in cron spool.
+allow crond_t $1_cron_spool_t:file { getattr read };
+
+# dac_override is to create the file in the directory under /tmp
+allow $1_crontab_t self:capability { setuid setgid chown dac_override };
+allow $1_crontab_t self:process { sigkill sigstop signull signal };
+
+# crontab signals crond by updating the mtime on the spooldir
+allow $1_crontab_t cron_spool_t:dir setattr;
+
+allow $1_crontab_t crond_log_t:file { getattr read append };
+
+filesystem_get_persistent_filesystem_attributes($1_crontab_t)
+
+domain_use_widely_inheritable_file_descriptors($1_crontab_t)
+
+files_read_general_system_config($1_crontab_t)
+
+libraries_use_dynamic_loader($1_crontab_t)
+libraries_read_shared_libraries($1_crontab_t)
+
+logging_send_system_log_message($1_crontab_t)
+
+miscfiles_read_localization($1_crontab_t)
+
+ifdef(`TODO',`
+
+# Transition from the user domain to the derived domain.
+domain_auto_trans($1_t, crontab_exec_t, $1_crontab_t)
+
+can_ps($1_t, $1_crontab_t)
+
+dontaudit $1_crontab_t proc_t:dir search;
+dontaudit $1_crontab_t selinux_config_t:dir search;
+# for the checks used by crontab -u
+dontaudit $1_crontab_t security_t:dir search;
+
+# Type for temporary files.
+file_type_auto_trans($1_crontab_t, tmp_t, $1_tmp_t, { dir file })
+
+# Use the type when creating files in /var/spool/cron.
+allow sysadm_crontab_t $1_cron_spool_t:file { getattr read };
+allow $1_crontab_t { var_t var_spool_t }:dir { getattr search };
+file_type_auto_trans($1_crontab_t, cron_spool_t, $1_cron_spool_t, file)
+
+ifdef(`fcron.te', `
+# fcron wants an instant update of a crontab change for the administrator
+# also crontab does a security check for crontab -u
+ifelse(`$1', `sysadm', `
+allow $1_crontab_t self:process setfscreate;
+kernel_get_selinuxfs_mount_point($1_crontab_t)
+', `
+dontaudit $1_crontab_t crond_t:process signal;
+')dnl end ifelse
+')dnl end ifdef fcron
+
+# Run helper programs as $1_t
+allow $1_crontab_t { bin_t sbin_t }:dir search;
+allow $1_crontab_t bin_t:lnk_file read;
+domain_auto_trans($1_crontab_t, { bin_t sbin_t shell_exec_t }, $1_t)
+
+# Read user crontabs
+allow $1_crontab_t { $1_home_t $1_home_dir_t }:dir r_dir_perms;
+allow $1_crontab_t $1_home_t:file r_file_perms;
+dontaudit $1_crontab_t $1_home_dir_t:dir write;
+
+# Access terminals.
+access_terminal($1_crontab_t, $1);
+
+# Inherit and use descriptors from gnome-pty-helper.
+ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;')
+
+dontaudit $1_crontab_t var_run_t:dir search;
 ') dnl endif TODO
 ')
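Review bot: `allow $1_crontab_t self:capability { setuid setgid chown dac_override };` grants four capabilities to a per-user domain while the comment above it justifies only dac_override; each of setuid, setgid and chown needs its own why-comment so a later reviewer can tell which of them is still required, e.g. `# setuid/setgid: crontab is presumably installed setuid root and drops to the invoking user; chown: ownership of the spool file — confirm each is still needed`. Everything that would actually make the domain live — `domain_auto_trans($1_t, crontab_exec_t, $1_crontab_t)`, both `file_type_auto_trans` calls into `$1_tmp_t` and `$1_cron_spool_t`, terminal access and the helper-program transitions — sits inside the new `ifdef(`TODO',`` block, so as committed `$1_crontab_t` is declared but never entered and the unconditional `allow crond_t $1_cron_spool_t:file { getattr read };` has no rule producing `$1_cron_spool_t`-labelled files; a comment at the `ifdef(`TODO',`` line naming the interfaces still missing would make that state explicit rather than silent. That crond_t rule is also a rule on the system daemon placed under the "$1_crontab_t local policy" banner, and `allow sysadm_crontab_t $1_cron_spool_t:file { getattr read };` hard-codes the sysadm domain inside a template that is otherwise fully parameterised; both deserve a short note on why they live here. The enclosing template is closed by the final `')` context line but begins before this hunk.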