selinux-refpolicy/policy/modules/services/cron.te

781 lines
21 KiB
Plaintext
Raw Normal View History

policy_module(cron, 2.17.1)
gen_require(`
class passwd rootok;
')
########################################
#
# Declarations
#
## <desc>
## <p>
## Determine whether system cron jobs
## can relabel filesystem for
## restoring file contexts.
## </p>
## </desc>
gen_tunable(cron_can_relabel, false)
## <desc>
## <p>
## Determine whether crond can execute jobs
## in the user domain as opposed to the
## the generic cronjob domain.
## </p>
## </desc>
gen_tunable(cron_userdomain_transition, false)
## <desc>
## <p>
## Determine whether extra rules
## should be enabled to support fcron.
## </p>
## </desc>
gen_tunable(fcron_crond, false)
attribute cron_spool_type;
attribute crontab_domain;
type anacron_exec_t;
application_executable_file(anacron_exec_t)
type cron_runtime_t alias cron_var_run_t;
files_runtime_file(cron_runtime_t)
type cron_spool_t;
files_type(cron_spool_t)
type cron_var_lib_t;
files_type(cron_var_lib_t)
type cron_log_t;
logging_log_file(cron_log_t)
type cronjob_t;
domain_type(cronjob_t)
domain_cron_exemption_target(cronjob_t)
corecmd_shell_entry_type(cronjob_t)
ubac_constrained(cronjob_t)
type crond_t;
type crond_exec_t;
init_daemon_domain(crond_t, crond_exec_t)
domain_interactive_fd(crond_t)
domain_cron_exemption_source(crond_t)
type crond_initrc_exec_t;
init_script_file(crond_initrc_exec_t)
type crond_runtime_t alias crond_var_run_t;
files_runtime_file(crond_runtime_t)
type crond_tmp_t;
files_tmp_file(crond_tmp_t)
files_poly_parent(crond_tmp_t)
type crond_unit_t;
init_unit_file(crond_unit_t)
type crontab_exec_t;
application_executable_file(crontab_exec_t)
cron_common_crontab_template(admin_crontab)
cron_common_crontab_template(crontab)
type system_cron_spool_t, cron_spool_type;
files_type(system_cron_spool_t)
type system_cronjob_t alias system_crond_t;
init_daemon_domain(system_cronjob_t, anacron_exec_t)
corecmd_shell_entry_type(system_cronjob_t)
domain_entry_file(system_cronjob_t, system_cron_spool_t)
type system_cronjob_lock_t alias system_crond_lock_t;
files_lock_file(system_cronjob_lock_t)
type system_cronjob_runtime_t alias system_cronjob_var_run_t;
files_runtime_file(system_cronjob_runtime_t)
type system_cronjob_tmp_t alias system_crond_tmp_t;
files_tmp_file(system_cronjob_tmp_t)
type system_cronjob_var_lib_t;
files_type(system_cronjob_var_lib_t)
type user_cron_spool_t, cron_spool_type;
files_type(user_cron_spool_t)
ubac_constrained(user_cron_spool_t)
type user_cron_spool_log_t;
logging_log_file(user_cron_spool_log_t)
ubac_constrained(user_cron_spool_log_t)
ifdef(`enable_mcs',`
init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
')
optional_policy(`
mta_system_content(cron_spool_t)
mta_system_content(crond_tmp_t)
mta_system_content(crond_runtime_t)
mta_system_content(system_cron_spool_t)
mta_system_content(user_cron_spool_t)
mta_system_content(user_cron_spool_log_t)
')
##############################
#
# Common crontab local policy
#
allow crontab_domain self:capability { chown dac_override fowner setgid setuid };
allow crontab_domain self:process { getcap setsched signal_perms };
allow crontab_domain self:fifo_file rw_fifo_file_perms;
manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
allow crontab_domain cron_spool_t:dir setattr_dir_perms;
allow crontab_domain crond_t:process signal;
allow crontab_domain crond_runtime_t:file read_file_perms;
kernel_read_system_state(crontab_domain)
selinux_dontaudit_search_fs(crontab_domain)
files_list_spool(crontab_domain)
files_read_etc_files(crontab_domain)
files_read_usr_files(crontab_domain)
files_search_runtime(crontab_domain)
fs_getattr_xattr_fs(crontab_domain)
fs_manage_cgroup_dirs(crontab_domain)
fs_rw_cgroup_files(crontab_domain)
domain_use_interactive_fds(crontab_domain)
fs_dontaudit_rw_anon_inodefs_files(crontab_domain)
auth_rw_var_auth(crontab_domain)
logging_send_syslog_msg(crontab_domain)
logging_send_audit_msgs(crontab_domain)
logging_set_loginuid(crontab_domain)
init_dontaudit_write_utmp(crontab_domain)
init_read_utmp(crontab_domain)
init_read_state(crontab_domain)
miscfiles_read_localization(crontab_domain)
seutil_read_config(crontab_domain)
userdom_manage_user_tmp_dirs(crontab_domain)
userdom_manage_user_tmp_files(crontab_domain)
userdom_use_user_terminals(crontab_domain)
tunable_policy(`fcron_crond',`
dontaudit crontab_domain crond_t:process signal;
')
########################################
#
# Admin local policy
#
allow admin_crontab_t self:capability fsetid;
allow admin_crontab_t crond_t:process signal;
selinux_get_fs_mount(admin_crontab_t)
selinux_validate_context(admin_crontab_t)
selinux_compute_access_vector(admin_crontab_t)
selinux_compute_create_context(admin_crontab_t)
selinux_compute_relabel_context(admin_crontab_t)
selinux_compute_user_contexts(admin_crontab_t)
tunable_policy(`fcron_crond',`
allow admin_crontab_t self:process setfscreate;
')
########################################
#
# Daemon local policy
#
allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice };
dontaudit crond_t self:capability { sys_resource sys_tty_config };
allow crond_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow crond_t self:fd use;
allow crond_t self:fifo_file rw_fifo_file_perms;
allow crond_t self:unix_dgram_socket sendto;
allow crond_t self:unix_stream_socket { accept connectto listen };
allow crond_t self:shm create_shm_perms;
allow crond_t self:sem create_sem_perms;
allow crond_t self:msgq create_msgq_perms;
allow crond_t self:msg { send receive };
allow crond_t self:key { search write link };
dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
logging_log_filetrans(crond_t, cron_log_t, file)
manage_files_pattern(crond_t, crond_runtime_t, crond_runtime_t)
files_runtime_filetrans(crond_t, crond_runtime_t, file)
manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
allow crond_t cron_spool_t:dir watch;
manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
files_tmp_filetrans(crond_t, crond_tmp_t, { dir file })
list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
allow crond_t system_cron_spool_t:dir watch;
allow crond_t system_cron_spool_t:file watch;
rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
allow crond_t user_cron_spool_t:dir watch;
manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t)
allow crond_t system_cronjob_t:process transition;
allow crond_t system_cronjob_t:fd use;
allow crond_t system_cronjob_t:key manage_key_perms;
dontaudit crond_t { cronjob_t system_cronjob_t }:process { noatsecure siginh rlimitinh };
domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
kernel_read_kernel_sysctls(crond_t)
kernel_read_fs_sysctls(crond_t)
kernel_search_key(crond_t)
corecmd_exec_shell(crond_t)
corecmd_exec_bin(crond_t)
corecmd_list_bin(crond_t)
dev_read_sysfs(crond_t)
dev_read_urand(crond_t)
domain_use_interactive_fds(crond_t)
domain_subj_id_change_exemption(crond_t)
domain_role_change_exemption(crond_t)
fs_getattr_all_fs(crond_t)
fs_list_inotifyfs(crond_t)
fs_manage_cgroup_dirs(crond_t)
fs_rw_cgroup_files(crond_t)
fs_search_auto_mountpoints(crond_t)
files_read_usr_files(crond_t)
files_read_etc_runtime_files(crond_t)
files_read_generic_spool(crond_t)
files_list_usr(crond_t)
files_search_var_lib(crond_t)
files_search_default(crond_t)
files_read_all_locks(crond_t)
mls_fd_share_all_levels(crond_t)
mls_file_read_all_levels(crond_t)
mls_file_write_all_levels(crond_t)
mls_process_set_level(crond_t)
mls_trusted_object(crond_t)
selinux_get_fs_mount(crond_t)
selinux_validate_context(crond_t)
selinux_compute_access_vector(crond_t)
selinux_compute_create_context(crond_t)
selinux_compute_relabel_context(crond_t)
selinux_compute_user_contexts(crond_t)
init_read_state(crond_t)
init_rw_utmp(crond_t)
init_spec_domtrans_script(crond_t)
init_stop_all_units(system_cronjob_t)
init_start_all_units(system_cronjob_t)
init_get_generic_units_status(system_cronjob_t)
init_get_system_status(system_cronjob_t)
auth_manage_var_auth(crond_t)
Update cron use to pam interface I'm seeing a many denials for cron related to faillog_t, lastlog_t and wtmp_t. These are all due to the fact cron is using pam (and my system is configured with pam_faillog). I have updated cron to use auth_use_pam interface to grant needed permissions. Additional change to allow systemd_logind dbus for cron. I have included many of the denials I'm seeing, but there are probably others I didn't capture. type=AVC msg=audit(1551411001.389:1281): avc: denied { read write } for pid=8807 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 type=AVC msg=audit(1551411001.389:1281): avc: denied { open } for pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 type=SYSCALL msg=audit(1551411001.389:1281): arch=c000003e syscall=2 success=yes exit=3 a0=7f94f608c2ee a1=2 a2=0 a3=75646f6d6d61705f items=1 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key="logins" type=AVC msg=audit(1551411001.389:1282): avc: denied { lock } for pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 type=SYSCALL msg=audit(1551411001.389:1282): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1551411001.389:1283): avc: denied { write } for pid=8807 comm="crond" name="wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1 type=AVC msg=audit(1551411001.389:1283): avc: denied { open } for pid=8807 comm="crond" path="/var/log/wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1 type=AVC msg=audit(1551412201.489:1513): avc: denied { getattr } for pid=7323 comm="systemd-logind" path="/proc/9183/cgroup" dev="proc" ino=49836 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=file permissive=1 type=AVC msg=audit(1551412201.511:1514): avc: denied { read write } for pid=9183 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 type=AVC msg=audit(1551412201.511:1514): avc: denied { open } for pid=9183 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 type=AVC msg=audit(1551412201.511:1515): avc: denied { lock } for pid=9183 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 type=SYSCALL msg=audit(1551412201.511:1515): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 ppid=7345 pid=9183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null) type=USER_START msg=audit(1551412201.511:1516): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_lastlog acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' type=CRED_REFR msg=audit(1551412201.512:1517): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' type=CRED_DISP msg=audit(1551412201.524:1521): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' type=USER_END msg=audit(1551412201.525:1522): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_lastlog acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' type=USER_AVC msg=audit(1551629402.000:21914): pid=7387 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=CreateSession dest=org.freedesktop.login1 spid=6407 tpid=7395 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-05 22:33:50 +00:00
auth_use_pam(crond_t)
logging_send_audit_msgs(crond_t)
logging_send_syslog_msg(crond_t)
logging_set_loginuid(crond_t)
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
miscfiles_read_localization(crond_t)
userdom_list_user_home_dirs(crond_t)
tunable_policy(`cron_userdomain_transition',`
dontaudit crond_t cronjob_t:process transition;
dontaudit crond_t cronjob_t:fd use;
dontaudit crond_t cronjob_t:key manage_key_perms;
',`
allow crond_t cronjob_t:process transition;
allow crond_t cronjob_t:fd use;
allow crond_t cronjob_t:key manage_key_perms;
')
ifdef(`distro_debian',`
allow crond_t self:process setrlimit;
optional_policy(`
apt_domtrans(system_cronjob_t)
apt_manage_cache(system_cronjob_t)
apt_read_db(system_cronjob_t)
dpkg_manage_db(system_cronjob_t)
')
optional_policy(`
logwatch_search_cache_dir(crond_t)
')
')
ifdef(`distro_redhat',`
optional_policy(`
rpm_manage_log(crond_t)
')
')
tunable_policy(`allow_polyinstantiation',`
files_polyinstantiate_all(crond_t)
')
tunable_policy(`fcron_crond',`
allow crond_t { system_cron_spool_t user_cron_spool_t }:file manage_file_perms;
allow crond_t crond_runtime_t:sock_file manage_sock_file_perms;
files_runtime_filetrans(crond_t, crond_runtime_t, sock_file)
')
optional_policy(`
apache_search_sys_content(crond_t)
')
optional_policy(`
dbus_system_bus_client(crond_t)
optional_policy(`
hal_dbus_chat(crond_t)
')
optional_policy(`
init_dbus_chat(crond_t)
')
optional_policy(`
unconfined_dbus_send(crond_t)
')
')
optional_policy(`
amanda_search_var_lib(crond_t)
')
optional_policy(`
amavis_search_lib(crond_t)
')
optional_policy(`
djbdns_search_tinydns_keys(crond_t)
djbdns_link_tinydns_keys(crond_t)
')
optional_policy(`
hal_write_log(crond_t)
')
optional_policy(`
locallogin_search_keys(crond_t)
locallogin_link_keys(crond_t)
')
optional_policy(`
mta_send_mail(crond_t)
')
optional_policy(`
munin_search_lib(crond_t)
')
optional_policy(`
postgresql_search_db(crond_t)
')
optional_policy(`
rpc_search_nfs_state_data(crond_t)
')
optional_policy(`
rpm_read_pipes(crond_t)
')
optional_policy(`
seutil_sigchld_newrole(crond_t)
')
optional_policy(`
Update cron use to pam interface I'm seeing a many denials for cron related to faillog_t, lastlog_t and wtmp_t. These are all due to the fact cron is using pam (and my system is configured with pam_faillog). I have updated cron to use auth_use_pam interface to grant needed permissions. Additional change to allow systemd_logind dbus for cron. I have included many of the denials I'm seeing, but there are probably others I didn't capture. type=AVC msg=audit(1551411001.389:1281): avc: denied { read write } for pid=8807 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 type=AVC msg=audit(1551411001.389:1281): avc: denied { open } for pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 type=SYSCALL msg=audit(1551411001.389:1281): arch=c000003e syscall=2 success=yes exit=3 a0=7f94f608c2ee a1=2 a2=0 a3=75646f6d6d61705f items=1 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key="logins" type=AVC msg=audit(1551411001.389:1282): avc: denied { lock } for pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 type=SYSCALL msg=audit(1551411001.389:1282): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1551411001.389:1283): avc: denied { write } for pid=8807 comm="crond" name="wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1 type=AVC msg=audit(1551411001.389:1283): avc: denied { open } for pid=8807 comm="crond" path="/var/log/wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1 type=AVC msg=audit(1551412201.489:1513): avc: denied { getattr } for pid=7323 comm="systemd-logind" path="/proc/9183/cgroup" dev="proc" ino=49836 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=file permissive=1 type=AVC msg=audit(1551412201.511:1514): avc: denied { read write } for pid=9183 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 type=AVC msg=audit(1551412201.511:1514): avc: denied { open } for pid=9183 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 type=AVC msg=audit(1551412201.511:1515): avc: denied { lock } for pid=9183 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 type=SYSCALL msg=audit(1551412201.511:1515): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 ppid=7345 pid=9183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null) type=USER_START msg=audit(1551412201.511:1516): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_lastlog acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' type=CRED_REFR msg=audit(1551412201.512:1517): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' type=CRED_DISP msg=audit(1551412201.524:1521): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' type=USER_END msg=audit(1551412201.525:1522): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_lastlog acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' type=USER_AVC msg=audit(1551629402.000:21914): pid=7387 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=CreateSession dest=org.freedesktop.login1 spid=6407 tpid=7395 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-05 22:33:50 +00:00
systemd_dbus_chat_logind(crond_t)
systemd_write_inherited_logind_sessions_pipes(crond_t)
')
optional_policy(`
init_dbus_chat(crond_t)
2019-01-14 11:36:53 +00:00
init_dbus_chat(system_cronjob_t)
systemd_dbus_chat_logind(system_cronjob_t)
systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
# so cron jobs can restart daemons
init_stream_connect(system_cronjob_t)
init_manage_script_service(system_cronjob_t)
')
optional_policy(`
udev_read_db(crond_t)
')
########################################
#
# System local policy
#
allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice sys_resource };
allow system_cronjob_t self:process { signal_perms getsched setsched setrlimit };
allow system_cronjob_t self:fd use;
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;
allow system_cronjob_t cron_log_t:file manage_file_perms;
logging_log_filetrans(system_cronjob_t, cron_log_t, file)
allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
allow system_cronjob_t cron_runtime_t:file manage_file_perms;
files_runtime_filetrans(system_cronjob_t, cron_runtime_t, file)
manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
allow system_cronjob_t system_cronjob_lock_t:lnk_file manage_lnk_file_perms;
files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, { file lnk_file })
manage_dirs_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir })
manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
allow system_cronjob_t crond_t:fd use;
allow system_cronjob_t crond_t:fifo_file rw_fifo_file_perms;
allow system_cronjob_t crond_t:process sigchld;
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
allow system_cronjob_t cron_spool_t:file rw_file_perms;
allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms;
# popcon wants to stat /proc/kmsg and /proc/kcore
kernel_getattr_core_if(system_cronjob_t)
kernel_getattr_message_if(system_cronjob_t)
kernel_read_crypto_sysctls(system_cronjob_t)
kernel_read_irq_sysctls(system_cronjob_t)
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_network_state(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
kernel_read_software_raid_state(system_cronjob_t)
files_dontaudit_search_boot(system_cronjob_t)
corecmd_exec_all_executables(system_cronjob_t)
corenet_all_recvfrom_netlabel(system_cronjob_t)
corenet_tcp_sendrecv_generic_if(system_cronjob_t)
corenet_udp_sendrecv_generic_if(system_cronjob_t)
corenet_tcp_sendrecv_generic_node(system_cronjob_t)
corenet_udp_sendrecv_generic_node(system_cronjob_t)
dev_getattr_all_blk_files(system_cronjob_t)
dev_getattr_all_chr_files(system_cronjob_t)
2019-01-14 11:36:53 +00:00
dev_getattr_mtrr_dev(system_cronjob_t)
dev_read_rand(system_cronjob_t)
dev_read_urand(system_cronjob_t)
dev_read_sysfs(system_cronjob_t)
# for checkarray to write to sync_action
dev_rw_sysfs(system_cronjob_t)
fs_getattr_all_fs(system_cronjob_t)
fs_getattr_all_files(system_cronjob_t)
fs_getattr_all_symlinks(system_cronjob_t)
fs_getattr_all_pipes(system_cronjob_t)
fs_getattr_all_sockets(system_cronjob_t)
domain_dontaudit_read_all_domains_state(system_cronjob_t)
files_exec_etc_files(system_cronjob_t)
files_exec_usr_files(system_cronjob_t)
files_read_etc_runtime_files(system_cronjob_t)
files_list_all(system_cronjob_t)
files_getattr_all_dirs(system_cronjob_t)
files_getattr_all_files(system_cronjob_t)
files_getattr_all_symlinks(system_cronjob_t)
files_getattr_all_pipes(system_cronjob_t)
files_getattr_all_sockets(system_cronjob_t)
files_read_usr_files(system_cronjob_t)
files_read_var_files(system_cronjob_t)
files_dontaudit_search_runtime(system_cronjob_t)
files_manage_generic_spool(system_cronjob_t)
files_create_boot_flag(system_cronjob_t)
files_read_var_lib_symlinks(system_cronjob_t)
mls_file_read_to_clearance(system_cronjob_t)
init_domtrans_script(system_cronjob_t)
init_read_generic_units_symlinks(system_cronjob_t)
init_read_utmp(system_cronjob_t)
init_use_script_fds(system_cronjob_t)
auth_use_nsswitch(system_cronjob_t)
libs_exec_lib_files(system_cronjob_t)
libs_exec_ld_so(system_cronjob_t)
logging_manage_generic_logs(system_cronjob_t)
logging_send_audit_msgs(system_cronjob_t)
logging_send_syslog_msg(system_cronjob_t)
miscfiles_read_localization(system_cronjob_t)
seutil_read_config(system_cronjob_t)
ifdef(`distro_redhat',`
optional_policy(`
rpm_manage_log(system_cronjob_t)
')
')
tunable_policy(`cron_can_relabel',`
seutil_domtrans_setfiles(system_cronjob_t)
',`
selinux_get_fs_mount(system_cronjob_t)
selinux_validate_context(system_cronjob_t)
selinux_compute_access_vector(system_cronjob_t)
selinux_compute_create_context(system_cronjob_t)
selinux_compute_relabel_context(system_cronjob_t)
selinux_compute_user_contexts(system_cronjob_t)
seutil_read_file_contexts(system_cronjob_t)
')
optional_policy(`
acct_manage_data(system_cronjob_t)
')
optional_policy(`
apache_exec_modules(system_cronjob_t)
apache_read_config(system_cronjob_t)
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
apache_delete_lib_files(system_cronjob_t)
')
optional_policy(`
cyrus_manage_data(system_cronjob_t)
')
optional_policy(`
dbus_system_bus_client(system_cronjob_t)
optional_policy(`
networkmanager_dbus_chat(system_cronjob_t)
')
')
optional_policy(`
devicekit_read_runtime_files(system_cronjob_t)
devicekit_append_inherited_log_files(system_cronjob_t)
')
optional_policy(`
exim_read_spool_files(system_cronjob_t)
')
optional_policy(`
ftp_read_log(system_cronjob_t)
')
optional_policy(`
gpg_exec(system_cronjob_t)
')
optional_policy(`
inn_manage_log(system_cronjob_t)
inn_manage_runtime_dirs(system_cronjob_t)
inn_manage_runtime_files(system_cronjob_t)
inn_manage_runtime_sockets(system_cronjob_t)
inn_read_config(system_cronjob_t)
')
optional_policy(`
livecd_read_tmp_files(system_cronjob_t)
')
optional_policy(`
lpd_list_spool(system_cronjob_t)
')
optional_policy(`
mrtg_append_create_logs(system_cronjob_t)
mrtg_read_config(system_cronjob_t)
')
optional_policy(`
mta_read_config(system_cronjob_t)
mta_send_mail(system_cronjob_t)
')
optional_policy(`
mysql_read_config(system_cronjob_t)
')
optional_policy(`
postfix_read_config(system_cronjob_t)
')
optional_policy(`
samba_read_config(system_cronjob_t)
samba_read_log(system_cronjob_t)
')
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
')
optional_policy(`
sysstat_manage_log(system_cronjob_t)
')
optional_policy(`
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
# for gpg-connect-agent to access /run/user/0
userdom_manage_user_runtime_dirs(system_cronjob_t)
')
########################################
#
# Cronjob local policy
#
allow cronjob_t self:process { signal_perms setsched };
allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
allow cronjob_t self:unix_dgram_socket create_socket_perms;
allow cronjob_t crond_tmp_t:file rw_inherited_file_perms;
kernel_read_system_state(cronjob_t)
kernel_read_kernel_sysctls(cronjob_t)
files_dontaudit_search_boot(cronjob_t)
corenet_all_recvfrom_netlabel(cronjob_t)
corenet_tcp_sendrecv_generic_if(cronjob_t)
corenet_udp_sendrecv_generic_if(cronjob_t)
corenet_tcp_sendrecv_generic_node(cronjob_t)
corenet_udp_sendrecv_generic_node(cronjob_t)
corenet_sendrecv_all_client_packets(cronjob_t)
corenet_tcp_connect_all_ports(cronjob_t)
corecmd_exec_all_executables(cronjob_t)
dev_read_urand(cronjob_t)
fs_getattr_all_fs(cronjob_t)
domain_dontaudit_read_all_domains_state(cronjob_t)
domain_dontaudit_getattr_all_domains(cronjob_t)
files_exec_etc_files(cronjob_t)
files_read_etc_runtime_files(cronjob_t)
files_read_var_files(cronjob_t)
files_read_usr_files(cronjob_t)
files_search_spool(cronjob_t)
files_dontaudit_search_runtime(cronjob_t)
libs_exec_lib_files(cronjob_t)
libs_exec_ld_so(cronjob_t)
logging_search_logs(cronjob_t)
seutil_read_config(cronjob_t)
miscfiles_read_localization(cronjob_t)
userdom_exec_user_home_content_files(cronjob_t)
userdom_user_content_access_template(cron, { cronjob_t crontab_domain })
tunable_policy(`cron_manage_generic_user_content',`
userdom_manage_user_tmp_pipes(cronjob_t)
userdom_manage_user_tmp_sockets(cronjob_t)
userdom_manage_user_home_content_pipes(cronjob_t)
userdom_manage_user_home_content_sockets(cronjob_t)
')
tunable_policy(`cron_userdomain_transition',`
dontaudit cronjob_t crond_t:fd use;
dontaudit cronjob_t crond_t:fifo_file rw_fifo_file_perms;
dontaudit cronjob_t crond_t:process sigchld;
dontaudit cronjob_t user_cron_spool_t:file entrypoint;
',`
allow cronjob_t crond_t:fd use;
allow cronjob_t crond_t:fifo_file rw_fifo_file_perms;
allow cronjob_t crond_t:process sigchld;
allow cronjob_t user_cron_spool_t:file entrypoint;
')
optional_policy(`
nis_use_ypbind(cronjob_t)
')
########################################
#
# Unconfined local policy
#
type unconfined_cronjob_t;
domain_type(unconfined_cronjob_t)
domain_cron_exemption_target(unconfined_cronjob_t)
dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
tunable_policy(`cron_userdomain_transition',`
dontaudit crond_t unconfined_cronjob_t:process transition;
dontaudit crond_t unconfined_cronjob_t:fd use;
dontaudit crond_t unconfined_cronjob_t:key manage_key_perms;
',`
allow crond_t unconfined_cronjob_t:process transition;
allow crond_t unconfined_cronjob_t:fd use;
allow crond_t unconfined_cronjob_t:key manage_key_perms;
')
optional_policy(`
unconfined_domain(unconfined_cronjob_t)
')