diff options
author | Russell Coker <russell@coker.com.au> | 2023-09-28 23:46:14 +1000 |
---|---|---|
committer | Kenton Groombridge <concord@gentoo.org> | 2023-10-06 11:30:52 -0400 |
commit | 90affee2271dfbaad7e02781e1c583e886229754 (patch) | |
tree | 570c52daffff76af57f577a474be44f9d22c73ad | |
parent | small systemd patches (#708) (diff) | |
download | hardened-refpolicy-90affee2271dfbaad7e02781e1c583e886229754.tar.gz hardened-refpolicy-90affee2271dfbaad7e02781e1c583e886229754.tar.bz2 hardened-refpolicy-90affee2271dfbaad7e02781e1c583e886229754.zip |
misc small patches for cron policy (#701)
* Some misc small patches for cron policy
Signed-off-by: Russell Coker <russell@coker.com.au>
* added systemd_dontaudit_connect_machined interface
Signed-off-by: Russell Coker <russell@coker.com.au>
* Remove the line about connecting to tor
Signed-off-by: Russell Coker <russell@coker.com.au>
* remove the dontaudit for connecting to machined
Signed-off-by: Russell Coker <russell@coker.com.au>
* changed to distro_debian
Signed-off-by: Russell Coker <russell@coker.com.au>
* mta: Whitespace changes.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
* cron: Move lines.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Co-authored-by: Chris PeBenito <pebenito@ieee.org>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
-rw-r--r-- | policy/modules/services/cron.if | 36 | ||||
-rw-r--r-- | policy/modules/services/cron.te | 11 | ||||
-rw-r--r-- | policy/modules/services/mta.te | 7 | ||||
-rw-r--r-- | policy/modules/services/postfix.te | 1 | ||||
-rw-r--r-- | policy/modules/system/init.if | 18 | ||||
-rw-r--r-- | policy/modules/system/systemd.if | 18 |
6 files changed, 90 insertions, 1 deletions
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if index 87306cfd..049b0149 100644 --- a/policy/modules/services/cron.if +++ b/policy/modules/services/cron.if @@ -757,6 +757,24 @@ interface(`cron_rw_tmp_files',` ######################################## ## <summary> +## Read and write inherited crond temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cron_rw_inherited_tmp_files',` + gen_require(` + type crond_tmp_t; + ') + + allow $1 crond_tmp_t:file rw_inherited_file_perms; +') + +######################################## +## <summary> ## Read system cron job lib files. ## </summary> ## <param name="domain"> @@ -890,6 +908,24 @@ interface(`cron_dontaudit_append_system_job_tmp_files',` ######################################## ## <summary> +## allow appending temporary system cron job files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to allow. +## </summary> +## </param> +# +interface(`cron_append_system_job_tmp_files',` + gen_require(` + type system_cronjob_tmp_t; + ') + + allow $1 system_cronjob_tmp_t:file append_file_perms; +') + +######################################## +## <summary> ## Read and write to inherited system cron job temporary files. ## </summary> ## <param name="domain"> diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te index b2de6de3..9df1e306 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -436,6 +436,8 @@ optional_policy(` systemd_dbus_chat_logind(system_cronjob_t) systemd_read_journal_files(system_cronjob_t) systemd_write_inherited_logind_sessions_pipes(system_cronjob_t) + # for runuser + init_search_keys(system_cronjob_t) # so cron jobs can restart daemons init_stream_connect(system_cronjob_t) init_manage_script_service(system_cronjob_t) @@ -491,6 +493,7 @@ kernel_getattr_message_if(system_cronjob_t) kernel_read_irq_sysctls(system_cronjob_t) kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_network_state(system_cronjob_t) +kernel_read_rpc_sysctls(system_cronjob_t) kernel_read_system_state(system_cronjob_t) kernel_read_software_raid_state(system_cronjob_t) @@ -535,6 +538,7 @@ files_read_usr_files(system_cronjob_t) files_read_var_files(system_cronjob_t) files_dontaudit_search_runtime(system_cronjob_t) files_manage_generic_spool(system_cronjob_t) +files_manage_var_lib_dirs(system_cronjob_t) files_create_boot_flag(system_cronjob_t) files_read_var_lib_symlinks(system_cronjob_t) @@ -554,6 +558,7 @@ logging_manage_generic_logs(system_cronjob_t) logging_send_audit_msgs(system_cronjob_t) logging_send_syslog_msg(system_cronjob_t) +miscfiles_read_generic_certs(system_cronjob_t) miscfiles_read_localization(system_cronjob_t) seutil_read_config(system_cronjob_t) @@ -655,6 +660,10 @@ optional_policy(` ') optional_policy(` + ntp_read_config(system_cronjob_t) +') + +optional_policy(` postfix_read_config(system_cronjob_t) ') @@ -678,6 +687,8 @@ optional_policy(` # for gpg-connect-agent to access /run/user/0 userdom_manage_user_runtime_dirs(system_cronjob_t) + # for /run/user/0/gnupg + userdom_manage_user_tmp_dirs(system_cronjob_t) ') ######################################## diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te index 8ed3c848..63c8562a 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -285,7 +285,12 @@ optional_policy(` userdom_dontaudit_use_user_ptys(system_mail_t) optional_policy(` - cron_dontaudit_append_system_job_tmp_files(system_mail_t) + ifdef(`distro_debian',` + # anacron on Debian gives empty email if this is not permitted + cron_append_system_job_tmp_files(system_mail_t) + ', ` + cron_dontaudit_append_system_job_tmp_files(system_mail_t) + ') ') ') diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index 7b158e70..528a84de 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -652,6 +652,7 @@ optional_policy(` optional_policy(` cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) + cron_use_system_job_fds(postfix_postdrop_t) ') optional_policy(` diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index daab804c..d91eadfb 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -3858,3 +3858,21 @@ interface(`init_getrlimit',` allow $1 init_t:process getrlimit; ') + +######################################## +## <summary> +## Allow searching init_t keys +## </summary> +## <param name="domain"> +## <summary> +## Source domain +## </summary> +## </param> +# +interface(`init_search_keys',` + gen_require(` + type init_t; + ') + + allow $1 init_t:key search; +') diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 64455eed..19b2dbd8 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -1519,6 +1519,24 @@ interface(`systemd_connect_machined',` ######################################## ## <summary> +## dontaudit connecting to /run/systemd/userdb/io.systemd.Machine socket +## </summary> +## <param name="domain"> +## <summary> +## Domain that can access the socket +## </summary> +## </param> +# +interface(`systemd_dontaudit_connect_machined',` + gen_require(` + type systemd_machined_t; + ') + + dontaudit $1 systemd_machined_t:unix_stream_socket connectto; +') + +######################################## +## <summary> ## Send and receive messages from ## systemd machined over dbus. ## </summary> |