diff options
Diffstat (limited to 'policy/modules/contrib/cron.te')
-rw-r--r-- | policy/modules/contrib/cron.te | 631 |
1 files changed, 631 insertions, 0 deletions
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te new file mode 100644 index 00000000..f25d9d14 --- /dev/null +++ b/policy/modules/contrib/cron.te @@ -0,0 +1,631 @@ +policy_module(cron, 2.4.0) + +gen_require(` + class passwd rootok; +') + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow system cron jobs to relabel filesystem +## for restoring file contexts. +## </p> +## </desc> +gen_tunable(cron_can_relabel, false) + +## <desc> +## <p> +## Enable extra rules in the cron domain +## to support fcron. +## </p> +## </desc> +gen_tunable(fcron_crond, false) + +attribute cron_spool_type; + +type anacron_exec_t; +application_executable_file(anacron_exec_t) + +type cron_spool_t; +files_type(cron_spool_t) + +# var/lib files +type cron_var_lib_t; +files_type(cron_var_lib_t) + +type cron_var_run_t; +files_type(cron_var_run_t) + +# var/log files +type cron_log_t; +logging_log_file(cron_log_t) + +type cronjob_t; +typealias cronjob_t alias { user_crond_t staff_crond_t sysadm_crond_t }; +typealias cronjob_t alias { auditadm_crond_t secadm_crond_t }; +domain_type(cronjob_t) +domain_cron_exemption_target(cronjob_t) +domain_interactive_fd(cronjob_t) +corecmd_shell_entry_type(cronjob_t) +ubac_constrained(cronjob_t) + +type crond_t; +type crond_exec_t; +init_daemon_domain(crond_t, crond_exec_t) +domain_interactive_fd(crond_t) +domain_cron_exemption_source(crond_t) + +type crond_initrc_exec_t; +init_script_file(crond_initrc_exec_t) + +type crond_tmp_t; +files_tmp_file(crond_tmp_t) + +type crond_var_run_t; +files_pid_file(crond_var_run_t) + +type crontab_exec_t; +application_executable_file(crontab_exec_t) + +cron_common_crontab_template(admin_crontab) +typealias admin_crontab_t alias sysadm_crontab_t; +typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t; + +cron_common_crontab_template(crontab) +typealias crontab_t alias { user_crontab_t staff_crontab_t }; +typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t }; +typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t }; +typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t }; + +type system_cron_spool_t, cron_spool_type; +files_type(system_cron_spool_t) + +type system_cronjob_t alias system_crond_t; +init_daemon_domain(system_cronjob_t, anacron_exec_t) +corecmd_shell_entry_type(system_cronjob_t) +domain_interactive_fd(system_cronjob_t) +role system_r types system_cronjob_t; + +type system_cronjob_lock_t alias system_crond_lock_t; +files_lock_file(system_cronjob_lock_t) + +type system_cronjob_tmp_t alias system_crond_tmp_t; +files_tmp_file(system_cronjob_tmp_t) + +ifdef(`enable_mcs',` + init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh) +') + +type unconfined_cronjob_t; +domain_type(unconfined_cronjob_t) +domain_cron_exemption_target(unconfined_cronjob_t) + +# Type of user crontabs once moved to cron spool. +type user_cron_spool_t, cron_spool_type; +typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t }; +typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t }; +files_type(user_cron_spool_t) +ubac_constrained(user_cron_spool_t) + +######################################## +# +# Admin crontab local policy +# + +# Allow our crontab domain to unlink a user cron spool file. +allow admin_crontab_t user_cron_spool_t:file { getattr read unlink }; + +# Manipulate other users crontab. +selinux_get_fs_mount(admin_crontab_t) +selinux_validate_context(admin_crontab_t) +selinux_compute_access_vector(admin_crontab_t) +selinux_compute_create_context(admin_crontab_t) +selinux_compute_relabel_context(admin_crontab_t) +selinux_compute_user_contexts(admin_crontab_t) + +tunable_policy(`fcron_crond', ` + # fcron wants an instant update of a crontab change for the administrator + # also crontab does a security check for crontab -u + allow admin_crontab_t self:process setfscreate; +') + +######################################## +# +# Cron daemon local policy +# + +allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search }; +dontaudit crond_t self:capability { sys_resource sys_tty_config }; +allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow crond_t self:process { setexec setfscreate }; +allow crond_t self:fd use; +allow crond_t self:fifo_file rw_fifo_file_perms; +allow crond_t self:unix_dgram_socket create_socket_perms; +allow crond_t self:unix_stream_socket create_stream_socket_perms; +allow crond_t self:unix_dgram_socket sendto; +allow crond_t self:unix_stream_socket connectto; +allow crond_t self:shm create_shm_perms; +allow crond_t self:sem create_sem_perms; +allow crond_t self:msgq create_msgq_perms; +allow crond_t self:msg { send receive }; +allow crond_t self:key { search write link }; + +manage_files_pattern(crond_t, cron_log_t, cron_log_t) +logging_log_filetrans(crond_t, cron_log_t, file) + +manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t) +files_pid_filetrans(crond_t, crond_var_run_t, file) + +manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) + +manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t) +manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t) +files_tmp_filetrans(crond_t, crond_tmp_t, { file dir }) + +list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) +read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) + +kernel_read_kernel_sysctls(crond_t) +kernel_read_fs_sysctls(crond_t) +kernel_search_key(crond_t) + +dev_read_sysfs(crond_t) +selinux_get_fs_mount(crond_t) +selinux_validate_context(crond_t) +selinux_compute_access_vector(crond_t) +selinux_compute_create_context(crond_t) +selinux_compute_relabel_context(crond_t) +selinux_compute_user_contexts(crond_t) + +dev_read_urand(crond_t) + +fs_getattr_all_fs(crond_t) +fs_search_auto_mountpoints(crond_t) +fs_list_inotifyfs(crond_t) + +# need auth_chkpwd to check for locked accounts. +auth_domtrans_chk_passwd(crond_t) + +corecmd_exec_shell(crond_t) +corecmd_list_bin(crond_t) +corecmd_read_bin_symlinks(crond_t) + +domain_use_interactive_fds(crond_t) + +files_read_usr_files(crond_t) +files_read_etc_runtime_files(crond_t) +files_read_etc_files(crond_t) +files_read_generic_spool(crond_t) +files_list_usr(crond_t) +# Read from /var/spool/cron. +files_search_var_lib(crond_t) +files_search_default(crond_t) + +init_rw_utmp(crond_t) +init_spec_domtrans_script(crond_t) + +auth_use_nsswitch(crond_t) + +logging_send_syslog_msg(crond_t) +logging_set_loginuid(crond_t) + +seutil_read_config(crond_t) +seutil_read_default_contexts(crond_t) +seutil_sigchld_newrole(crond_t) + +miscfiles_read_localization(crond_t) + +userdom_use_unpriv_users_fds(crond_t) +# Not sure why this is needed +userdom_list_user_home_dirs(crond_t) + +mta_send_mail(crond_t) + +ifdef(`distro_debian',` + # pam_limits is used + allow crond_t self:process setrlimit; + + optional_policy(` + # Debian logcheck has the home dir set to its cache + logwatch_search_cache_dir(crond_t) + ') +') + +ifdef(`distro_redhat', ` + # Run the rpm program in the rpm_t domain. Allow creation of RPM log files + # via redirection of standard out. + optional_policy(` + rpm_manage_log(crond_t) + ') +') + +tunable_policy(`allow_polyinstantiation',` + files_polyinstantiate_all(crond_t) +') + +tunable_policy(`fcron_crond', ` + allow crond_t system_cron_spool_t:file manage_file_perms; +') + +optional_policy(` + locallogin_search_keys(crond_t) + locallogin_link_keys(crond_t) +') + +optional_policy(` + amanda_search_var_lib(crond_t) +') + +optional_policy(` + amavis_search_lib(crond_t) +') + +optional_policy(` + hal_dbus_chat(crond_t) +') + +optional_policy(` + # cjp: why? + munin_search_lib(crond_t) +') + +optional_policy(` + rpc_search_nfs_state_data(crond_t) +') + +optional_policy(` + # Commonly used from postinst scripts + rpm_read_pipes(crond_t) +') + +optional_policy(` + # allow crond to find /usr/lib/postgresql/bin/do.maintenance + postgresql_search_db(crond_t) +') + +optional_policy(` + udev_read_db(crond_t) +') + +######################################## +# +# System cron process domain +# + +allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice }; +allow system_cronjob_t self:process { signal_perms getsched setsched }; +allow system_cronjob_t self:fifo_file rw_fifo_file_perms; +allow system_cronjob_t self:passwd rootok; + +# This is to handle creation of files in /var/log directory. +# Used currently by rpm script log files +allow system_cronjob_t cron_log_t:file manage_file_perms; +logging_log_filetrans(system_cronjob_t, cron_log_t, file) + +# This is to handle /var/lib/misc directory. Used currently +# by prelink var/lib files for cron +allow system_cronjob_t cron_var_lib_t:file manage_file_perms; +files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file) + +allow system_cronjob_t system_cron_spool_t:file read_file_perms; +# The entrypoint interface is not used as this is not +# a regular entrypoint. Since crontab files are +# not directly executed, crond must ensure that +# the crontab file has a type that is appropriate +# for the domain of the user cron job. It +# performs an entrypoint permission check +# for this purpose. +allow system_cronjob_t system_cron_spool_t:file entrypoint; + +# Permit a transition from the crond_t domain to this domain. +# The transition is requested explicitly by the modified crond +# via setexeccon. There is no way to set up an automatic +# transition, since crontabs are configuration files, not executables. +allow crond_t system_cronjob_t:process transition; +dontaudit crond_t system_cronjob_t:process { noatsecure siginh rlimitinh }; +allow crond_t system_cronjob_t:fd use; +allow system_cronjob_t crond_t:fd use; +allow system_cronjob_t crond_t:fifo_file rw_file_perms; +allow system_cronjob_t crond_t:process sigchld; + +# Write /var/lock/makewhatis.lock. +allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; +files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file) + +# write temporary files +manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) +manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) +filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) +files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) + +# Read from /var/spool/cron. +allow system_cronjob_t cron_spool_t:dir list_dir_perms; +allow system_cronjob_t cron_spool_t:file read_file_perms; + +kernel_read_kernel_sysctls(system_cronjob_t) +kernel_read_system_state(system_cronjob_t) +kernel_read_software_raid_state(system_cronjob_t) + +# ps does not need to access /boot when run from cron +files_dontaudit_search_boot(system_cronjob_t) + +corecmd_exec_all_executables(system_cronjob_t) + +corenet_all_recvfrom_unlabeled(system_cronjob_t) +corenet_all_recvfrom_netlabel(system_cronjob_t) +corenet_tcp_sendrecv_generic_if(system_cronjob_t) +corenet_udp_sendrecv_generic_if(system_cronjob_t) +corenet_tcp_sendrecv_generic_node(system_cronjob_t) +corenet_udp_sendrecv_generic_node(system_cronjob_t) +corenet_tcp_sendrecv_all_ports(system_cronjob_t) +corenet_udp_sendrecv_all_ports(system_cronjob_t) + +dev_getattr_all_blk_files(system_cronjob_t) +dev_getattr_all_chr_files(system_cronjob_t) +dev_read_urand(system_cronjob_t) + +fs_getattr_all_fs(system_cronjob_t) +fs_getattr_all_files(system_cronjob_t) +fs_getattr_all_symlinks(system_cronjob_t) +fs_getattr_all_pipes(system_cronjob_t) +fs_getattr_all_sockets(system_cronjob_t) + +# quiet other ps operations +domain_dontaudit_read_all_domains_state(system_cronjob_t) + +files_exec_etc_files(system_cronjob_t) +files_read_etc_files(system_cronjob_t) +files_read_etc_runtime_files(system_cronjob_t) +files_list_all(system_cronjob_t) +files_getattr_all_dirs(system_cronjob_t) +files_getattr_all_files(system_cronjob_t) +files_getattr_all_symlinks(system_cronjob_t) +files_getattr_all_pipes(system_cronjob_t) +files_getattr_all_sockets(system_cronjob_t) +files_read_usr_files(system_cronjob_t) +files_read_var_files(system_cronjob_t) +# for nscd: +files_dontaudit_search_pids(system_cronjob_t) +# Access other spool directories like +# /var/spool/anacron and /var/spool/slrnpull. +files_manage_generic_spool(system_cronjob_t) + +init_use_script_fds(system_cronjob_t) +init_read_utmp(system_cronjob_t) +init_dontaudit_rw_utmp(system_cronjob_t) +# prelink tells init to restart it self, we either need to allow or dontaudit +init_telinit(system_cronjob_t) +init_domtrans_script(system_cronjob_t) + +auth_use_nsswitch(system_cronjob_t) + +libs_exec_lib_files(system_cronjob_t) +libs_exec_ld_so(system_cronjob_t) + +logging_read_generic_logs(system_cronjob_t) +logging_send_audit_msgs(system_cronjob_t) +logging_send_syslog_msg(system_cronjob_t) + +miscfiles_read_localization(system_cronjob_t) +miscfiles_manage_man_pages(system_cronjob_t) + +seutil_read_config(system_cronjob_t) + +ifdef(`distro_redhat', ` + # Run the rpm program in the rpm_t domain. Allow creation of RPM log files + # via redirection of standard out. + optional_policy(` + rpm_manage_log(system_cronjob_t) + ') +') + +tunable_policy(`cron_can_relabel',` + seutil_domtrans_setfiles(system_cronjob_t) +',` + selinux_get_fs_mount(system_cronjob_t) + selinux_validate_context(system_cronjob_t) + selinux_compute_access_vector(system_cronjob_t) + selinux_compute_create_context(system_cronjob_t) + selinux_compute_relabel_context(system_cronjob_t) + selinux_compute_user_contexts(system_cronjob_t) + seutil_read_file_contexts(system_cronjob_t) +') + +optional_policy(` + # Needed for certwatch + apache_exec_modules(system_cronjob_t) + apache_read_config(system_cronjob_t) + apache_read_log(system_cronjob_t) + apache_read_sys_content(system_cronjob_t) +') + +optional_policy(` + cyrus_manage_data(system_cronjob_t) +') + +optional_policy(` + ftp_read_log(system_cronjob_t) +') + +optional_policy(` + inn_manage_log(system_cronjob_t) + inn_manage_pid(system_cronjob_t) + inn_read_config(system_cronjob_t) +') + +optional_policy(` + lpd_list_spool(system_cronjob_t) +') + +optional_policy(` + mrtg_append_create_logs(system_cronjob_t) +') + +optional_policy(` + mta_send_mail(system_cronjob_t) +') + +optional_policy(` + mysql_read_config(system_cronjob_t) +') + +optional_policy(` + postfix_read_config(system_cronjob_t) +') + +optional_policy(` + prelink_delete_cache(system_cronjob_t) + prelink_manage_lib(system_cronjob_t) + prelink_manage_log(system_cronjob_t) + prelink_read_cache(system_cronjob_t) + prelink_relabelfrom_lib(system_cronjob_t) +') + +optional_policy(` + samba_read_config(system_cronjob_t) + samba_read_log(system_cronjob_t) + #samba_read_secrets(system_cronjob_t) +') + +optional_policy(` + slocate_create_append_log(system_cronjob_t) +') + +optional_policy(` + spamassassin_manage_lib_files(system_cronjob_t) +') + +optional_policy(` + sysstat_manage_log(system_cronjob_t) +') + +optional_policy(` + unconfined_domain(system_cronjob_t) + userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) +') + +######################################## +# +# User cronjobs local policy +# + +allow cronjob_t self:process { signal_perms setsched }; +allow cronjob_t self:fifo_file rw_fifo_file_perms; +allow cronjob_t self:unix_stream_socket create_stream_socket_perms; +allow cronjob_t self:unix_dgram_socket create_socket_perms; + +# The entrypoint interface is not used as this is not +# a regular entrypoint. Since crontab files are +# not directly executed, crond must ensure that +# the crontab file has a type that is appropriate +# for the domain of the user cron job. It +# performs an entrypoint permission check +# for this purpose. +allow cronjob_t user_cron_spool_t:file entrypoint; + +# Permit a transition from the crond_t domain to this domain. +# The transition is requested explicitly by the modified crond +# via setexeccon. There is no way to set up an automatic +# transition, since crontabs are configuration files, not executables. +allow crond_t cronjob_t:process transition; +dontaudit crond_t cronjob_t:process { noatsecure siginh rlimitinh }; +allow crond_t cronjob_t:fd use; +allow crond_t cronjob_t:key create; +allow cronjob_t crond_t:fd use; +allow cronjob_t crond_t:fifo_file rw_file_perms; +allow cronjob_t crond_t:process sigchld; + +kernel_read_system_state(cronjob_t) +kernel_read_kernel_sysctls(cronjob_t) + +# ps does not need to access /boot when run from cron +files_dontaudit_search_boot(cronjob_t) + +corenet_all_recvfrom_unlabeled(cronjob_t) +corenet_all_recvfrom_netlabel(cronjob_t) +corenet_tcp_sendrecv_generic_if(cronjob_t) +corenet_udp_sendrecv_generic_if(cronjob_t) +corenet_tcp_sendrecv_generic_node(cronjob_t) +corenet_udp_sendrecv_generic_node(cronjob_t) +corenet_tcp_sendrecv_all_ports(cronjob_t) +corenet_udp_sendrecv_all_ports(cronjob_t) +corenet_tcp_connect_all_ports(cronjob_t) +corenet_sendrecv_all_client_packets(cronjob_t) + +dev_read_urand(cronjob_t) + +fs_getattr_all_fs(cronjob_t) + +corecmd_exec_all_executables(cronjob_t) + +# quiet other ps operations +domain_dontaudit_read_all_domains_state(cronjob_t) +domain_dontaudit_getattr_all_domains(cronjob_t) + +files_read_usr_files(cronjob_t) +files_exec_etc_files(cronjob_t) +# for nscd: +files_dontaudit_search_pids(cronjob_t) + +libs_exec_lib_files(cronjob_t) +libs_exec_ld_so(cronjob_t) + +files_read_etc_runtime_files(cronjob_t) +files_read_var_files(cronjob_t) +files_search_spool(cronjob_t) + +logging_search_logs(cronjob_t) + +seutil_read_config(cronjob_t) + +miscfiles_read_localization(cronjob_t) + +userdom_manage_user_tmp_files(cronjob_t) +userdom_manage_user_tmp_symlinks(cronjob_t) +userdom_manage_user_tmp_pipes(cronjob_t) +userdom_manage_user_tmp_sockets(cronjob_t) +# Run scripts in user home directory and access shared libs. +userdom_exec_user_home_content_files(cronjob_t) +# Access user files and dirs. +userdom_manage_user_home_content_files(cronjob_t) +userdom_manage_user_home_content_symlinks(cronjob_t) +userdom_manage_user_home_content_pipes(cronjob_t) +userdom_manage_user_home_content_sockets(cronjob_t) +#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) + +list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) +read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) + +tunable_policy(`fcron_crond', ` + allow crond_t user_cron_spool_t:file manage_file_perms; +') + +# need a per-role version of this: +#optional_policy(` +# mono_domtrans(cronjob_t) +#') + +optional_policy(` + nis_use_ypbind(cronjob_t) +') + +######################################## +# +# Unconfined cronjobs local policy +# + +optional_policy(` + # Permit a transition from the crond_t domain to this domain. + # The transition is requested explicitly by the modified crond + # via setexeccon. There is no way to set up an automatic + # transition, since crontabs are configuration files, not executables. + allow crond_t unconfined_cronjob_t:process transition; + dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh }; + allow crond_t unconfined_cronjob_t:fd use; + + unconfined_domain(unconfined_cronjob_t) +') |