diff options
Diffstat (limited to 'policy/modules/contrib/cron.if')
-rw-r--r-- | policy/modules/contrib/cron.if | 632 |
1 files changed, 632 insertions, 0 deletions
diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if new file mode 100644 index 00000000..6e12dc75 --- /dev/null +++ b/policy/modules/contrib/cron.if @@ -0,0 +1,632 @@ +## <summary>Periodic execution of scheduled commands.</summary> + +####################################### +## <summary> +## The common rules for a crontab domain. +## </summary> +## <param name="userdomain_prefix"> +## <summary> +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## </summary> +## </param> +# +template(`cron_common_crontab_template',` + ############################## + # + # Declarations + # + + type $1_t; + userdom_user_application_domain($1_t, crontab_exec_t) + + type $1_tmp_t; + userdom_user_tmp_file($1_tmp_t) + + ############################## + # + # Local policy + # + + # dac_override is to create the file in the directory under /tmp + allow $1_t self:capability { fowner setuid setgid chown dac_override }; + allow $1_t self:process { setsched signal_perms }; + allow $1_t self:fifo_file rw_fifo_file_perms; + + allow $1_t $1_tmp_t:file manage_file_perms; + files_tmp_filetrans($1_t, $1_tmp_t, file) + + # create files in /var/spool/cron + manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t) + filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file) + files_list_spool($1_t) + + # crontab signals crond by updating the mtime on the spooldir + allow $1_t cron_spool_t:dir setattr; + + kernel_read_system_state($1_t) + + # for the checks used by crontab -u + selinux_dontaudit_search_fs($1_t) + + fs_getattr_xattr_fs($1_t) + + domain_use_interactive_fds($1_t) + + files_read_etc_files($1_t) + files_read_usr_files($1_t) + files_dontaudit_search_pids($1_t) + + auth_domtrans_chk_passwd($1_t) + + logging_send_syslog_msg($1_t) + logging_send_audit_msgs($1_t) + + init_dontaudit_write_utmp($1_t) + init_read_utmp($1_t) + + miscfiles_read_localization($1_t) + + seutil_read_config($1_t) + + userdom_manage_user_tmp_dirs($1_t) + userdom_manage_user_tmp_files($1_t) + # Access terminals. + userdom_use_user_terminals($1_t) + # Read user crontabs + userdom_read_user_home_content_files($1_t) + + tunable_policy(`fcron_crond',` + # fcron wants an instant update of a crontab change for the administrator + # also crontab does a security check for crontab -u + dontaudit $1_t crond_t:process signal; + ') + + optional_policy(` + nscd_socket_use($1_t) + ') +') + +######################################## +## <summary> +## Role access for cron +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +# +interface(`cron_role',` + gen_require(` + type cronjob_t, crontab_t, crontab_exec_t; + ') + + role $1 types { cronjob_t crontab_t }; + + # cronjob shows up in user ps + ps_process_pattern($2, cronjob_t) + + # Transition from the user domain to the derived domain. + domtrans_pattern($2, crontab_exec_t, crontab_t) + + # crontab shows up in user ps + ps_process_pattern($2, crontab_t) + allow $2 crontab_t:process signal; + + # Run helper programs as the user domain + #corecmd_bin_domtrans(crontab_t, $2) + #corecmd_shell_domtrans(crontab_t, $2) + corecmd_exec_bin(crontab_t) + corecmd_exec_shell(crontab_t) + + optional_policy(` + gen_require(` + class dbus send_msg; + ') + + dbus_stub(cronjob_t) + + allow cronjob_t $2:dbus send_msg; + ') +') + +######################################## +## <summary> +## Role access for unconfined cronjobs +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +# +interface(`cron_unconfined_role',` + gen_require(` + type unconfined_cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t; + ') + + role $1 types { unconfined_cronjob_t crontab_t }; + + # cronjob shows up in user ps + ps_process_pattern($2, unconfined_cronjob_t) + + # Transition from the user domain to the derived domain. + domtrans_pattern($2, crontab_exec_t, crontab_t) + + # crontab shows up in user ps + ps_process_pattern($2, crontab_t) + allow $2 crontab_t:process signal; + + # Run helper programs as the user domain + #corecmd_bin_domtrans(crontab_t, $2) + #corecmd_shell_domtrans(crontab_t, $2) + corecmd_exec_bin(crontab_t) + corecmd_exec_shell(crontab_t) + + optional_policy(` + gen_require(` + class dbus send_msg; + ') + + dbus_stub(unconfined_cronjob_t) + + allow unconfined_cronjob_t $2:dbus send_msg; + ') +') + +######################################## +## <summary> +## Role access for cron +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +# +interface(`cron_admin_role',` + gen_require(` + type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t; + class passwd crontab; + ') + + role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t }; + + # cronjob shows up in user ps + ps_process_pattern($2, cronjob_t) + + # Manipulate other users crontab. + allow $2 self:passwd crontab; + + # Transition from the user domain to the derived domain. + domtrans_pattern($2, crontab_exec_t, admin_crontab_t) + + # crontab shows up in user ps + ps_process_pattern($2, admin_crontab_t) + allow $2 admin_crontab_t:process signal; + + # Run helper programs as the user domain + #corecmd_bin_domtrans(admin_crontab_t, $2) + #corecmd_shell_domtrans(admin_crontab_t, $2) + corecmd_exec_bin(admin_crontab_t) + corecmd_exec_shell(admin_crontab_t) + + optional_policy(` + gen_require(` + class dbus send_msg; + ') + + dbus_stub(admin_cronjob_t) + + allow cronjob_t $2:dbus send_msg; + ') +') + +######################################## +## <summary> +## Make the specified program domain accessable +## from the system cron jobs. +## </summary> +## <param name="domain"> +## <summary> +## The type of the process to transition to. +## </summary> +## </param> +## <param name="entrypoint"> +## <summary> +## The type of the file used as an entrypoint to this domain. +## </summary> +## </param> +# +interface(`cron_system_entry',` + gen_require(` + type crond_t, system_cronjob_t; + ') + + domtrans_pattern(system_cronjob_t, $2, $1) + domtrans_pattern(crond_t, $2, $1) + + role system_r types $1; +') + +######################################## +## <summary> +## Execute cron in the cron system domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`cron_domtrans',` + gen_require(` + type system_cronjob_t, crond_exec_t; + ') + + domtrans_pattern($1, crond_exec_t, system_cronjob_t) +') + +######################################## +## <summary> +## Execute crond_exec_t +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cron_exec',` + gen_require(` + type crond_exec_t; + ') + + can_exec($1, crond_exec_t) +') + +######################################## +## <summary> +## Execute crond server in the nscd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`cron_initrc_domtrans',` + gen_require(` + type crond_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, crond_initrc_exec_t) +') + +######################################## +## <summary> +## Inherit and use a file descriptor +## from the cron daemon. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cron_use_fds',` + gen_require(` + type crond_t; + ') + + allow $1 crond_t:fd use; +') + +######################################## +## <summary> +## Send a SIGCHLD signal to the cron daemon. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cron_sigchld',` + gen_require(` + type crond_t; + ') + + allow $1 crond_t:process sigchld; +') + +######################################## +## <summary> +## Read a cron daemon unnamed pipe. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cron_read_pipes',` + gen_require(` + type crond_t; + ') + + allow $1 crond_t:fifo_file read_fifo_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to write cron daemon unnamed pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`cron_dontaudit_write_pipes',` + gen_require(` + type crond_t; + ') + + dontaudit $1 crond_t:fifo_file write; +') + +######################################## +## <summary> +## Read and write a cron daemon unnamed pipe. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cron_rw_pipes',` + gen_require(` + type crond_t; + ') + + allow $1 crond_t:fifo_file { getattr read write }; +') + +######################################## +## <summary> +## Read, and write cron daemon TCP sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cron_rw_tcp_sockets',` + gen_require(` + type crond_t; + ') + + allow $1 crond_t:tcp_socket { read write }; +') + +######################################## +## <summary> +## Dontaudit Read, and write cron daemon TCP sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`cron_dontaudit_rw_tcp_sockets',` + gen_require(` + type crond_t; + ') + + dontaudit $1 crond_t:tcp_socket { read write }; +') + +######################################## +## <summary> +## Search the directory containing user cron tables. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cron_search_spool',` + gen_require(` + type cron_spool_t; + ') + + files_search_spool($1) + allow $1 cron_spool_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Manage pid files used by cron +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cron_manage_pid_files',` + gen_require(` + type crond_var_run_t; + ') + + manage_files_pattern($1, crond_var_run_t, crond_var_run_t) +') + +######################################## +## <summary> +## Execute anacron in the cron system domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`cron_anacron_domtrans_system_job',` + gen_require(` + type system_cronjob_t, anacron_exec_t; + ') + + domtrans_pattern($1, anacron_exec_t, system_cronjob_t) +') + +######################################## +## <summary> +## Inherit and use a file descriptor +## from system cron jobs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cron_use_system_job_fds',` + gen_require(` + type system_cronjob_t; + ') + + allow $1 system_cronjob_t:fd use; +') + +######################################## +## <summary> +## Write a system cron job unnamed pipe. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cron_write_system_job_pipes',` + gen_require(` + type system_cronjob_t; + ') + + allow $1 system_cronjob_t:file write; +') + +######################################## +## <summary> +## Read and write a system cron job unnamed pipe. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cron_rw_system_job_pipes',` + gen_require(` + type system_cronjob_t; + ') + + allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## <summary> +## Allow read/write unix stream sockets from the system cron jobs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cron_rw_system_job_stream_sockets',` + gen_require(` + type system_cronjob_t; + ') + + allow $1 system_cronjob_t:unix_stream_socket { read write }; +') + +######################################## +## <summary> +## Read temporary files from the system cron jobs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cron_read_system_job_tmp_files',` + gen_require(` + type system_cronjob_tmp_t; + ') + + files_search_tmp($1) + allow $1 system_cronjob_tmp_t:file read_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to append temporary +## files from the system cron jobs. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`cron_dontaudit_append_system_job_tmp_files',` + gen_require(` + type system_cronjob_tmp_t; + ') + + dontaudit $1 system_cronjob_tmp_t:file append_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to write temporary +## files from the system cron jobs. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`cron_dontaudit_write_system_job_tmp_files',` + gen_require(` + type system_cronjob_tmp_t; + ') + + dontaudit $1 system_cronjob_tmp_t:file write_file_perms; +') |