## Periodic execution of scheduled commands. ####################################### ## ## The template to define a crontab domain. ## ## ## ## Domain prefix to be used. ## ## # template(`cron_common_crontab_template',` gen_require(` attribute crontab_domain; type crontab_exec_t; ') ############################## # # Declarations # type $1_t, crontab_domain; userdom_user_application_domain($1_t, crontab_exec_t) type $1_tmp_t; userdom_user_tmp_file($1_tmp_t) ############################## # # Local policy # manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) files_tmp_filetrans($1_t, $1_tmp_t, { dir file }) auth_domtrans_chk_passwd($1_t) auth_use_nsswitch($1_t) ') ######################################## ## ## Role access for cron. ## ## ## ## Role allowed access. ## ## ## ## ## User domain for the role. ## ## ## # interface(`cron_role',` gen_require(` type cronjob_t, crontab_t, crontab_exec_t; type user_cron_spool_t, crond_t; bool cron_userdomain_transition; ') ############################## # # Declarations # role $1 types { cronjob_t crontab_t }; ############################## # # Local policy # domtrans_pattern($2, crontab_exec_t, crontab_t) dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; allow $2 crond_t:process sigchld; allow $2 user_cron_spool_t:file { getattr read write ioctl }; allow $2 crontab_t:process { ptrace signal_perms }; ps_process_pattern($2, crontab_t) corecmd_exec_bin(crontab_t) corecmd_exec_shell(crontab_t) tunable_policy(`cron_userdomain_transition',` allow crond_t $2:process transition; allow crond_t $2:fd use; allow crond_t $2:key manage_key_perms; allow $2 user_cron_spool_t:file entrypoint; allow $2 crond_t:fifo_file rw_fifo_file_perms; allow $2 cronjob_t:process { ptrace signal_perms }; ps_process_pattern($2, cronjob_t) ',` dontaudit crond_t $2:process transition; dontaudit crond_t $2:fd use; dontaudit crond_t $2:key manage_key_perms; dontaudit $2 user_cron_spool_t:file entrypoint; dontaudit $2 crond_t:fifo_file rw_fifo_file_perms; dontaudit $2 cronjob_t:process { ptrace signal_perms }; ') optional_policy(` gen_require(` class dbus send_msg; ') dbus_stub(cronjob_t) allow cronjob_t $2:dbus send_msg; ') ') ######################################## ## ## Role access for unconfined cron. ## ## ## ## Role allowed access. ## ## ## ## ## User domain for the role. ## ## # interface(`cron_unconfined_role',` gen_require(` type unconfined_cronjob_t, crontab_t, crontab_exec_t; type crond_t, user_cron_spool_t; bool cron_userdomain_transition; ') ############################## # # Declarations # role $1 types { unconfined_cronjob_t crontab_t }; ############################## # # Local policy # domtrans_pattern($2, crontab_exec_t, crontab_t) dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; allow $2 crond_t:process sigchld; allow $2 user_cron_spool_t:file { getattr read write ioctl }; allow $2 crontab_t:process { ptrace signal_perms }; ps_process_pattern($2, crontab_t) corecmd_exec_bin(crontab_t) corecmd_exec_shell(crontab_t) tunable_policy(`cron_userdomain_transition',` allow crond_t $2:process transition; allow crond_t $2:fd use; allow crond_t $2:key manage_key_perms; allow $2 user_cron_spool_t:file entrypoint; allow $2 crond_t:fifo_file rw_fifo_file_perms; allow $2 unconfined_cronjob_t:process { ptrace signal_perms }; ps_process_pattern($2, unconfined_cronjob_t) ',` dontaudit crond_t $2:process transition; dontaudit crond_t $2:fd use; dontaudit crond_t $2:key manage_key_perms; dontaudit $2 user_cron_spool_t:file entrypoint; dontaudit $2 crond_t:fifo_file rw_fifo_file_perms; dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms }; ') optional_policy(` gen_require(` class dbus send_msg; ') dbus_stub(unconfined_cronjob_t) allow unconfined_cronjob_t $2:dbus send_msg; ') ') ######################################## ## ## Role access for admin cron. ## ## ## ## Role allowed access. ## ## ## ## ## User domain for the role. ## ## # interface(`cron_admin_role',` gen_require(` type cronjob_t, crontab_exec_t, admin_crontab_t; class passwd crontab; type crond_t, crond_var_run_t, user_cron_spool_t; bool cron_userdomain_transition, fcron_crond; ') ############################## # # Declarations # role $1 types { cronjob_t admin_crontab_t }; ############################## # # Local policy # domtrans_pattern($2, crontab_exec_t, admin_crontab_t) dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; allow $2 crond_t:process sigchld; allow $2 user_cron_spool_t:file { getattr read write ioctl }; allow $2 admin_crontab_t:process { ptrace signal_perms }; ps_process_pattern($2, admin_crontab_t) # Manipulate other users crontab. allow $2 self:passwd crontab; corecmd_exec_bin(admin_crontab_t) corecmd_exec_shell(admin_crontab_t) tunable_policy(`cron_userdomain_transition',` allow crond_t $2:process transition; allow crond_t $2:fd use; allow crond_t $2:key manage_key_perms; allow $2 user_cron_spool_t:file entrypoint; allow $2 crond_t:fifo_file rw_fifo_file_perms; allow $2 cronjob_t:process { ptrace signal_perms }; ps_process_pattern($2, cronjob_t) ',` dontaudit crond_t $2:process transition; dontaudit crond_t $2:fd use; dontaudit crond_t $2:key manage_key_perms; dontaudit $2 user_cron_spool_t:file entrypoint; dontaudit $2 crond_t:fifo_file rw_fifo_file_perms; dontaudit $2 cronjob_t:process { ptrace signal_perms }; ') tunable_policy(`fcron_crond',` # Support for fcrondyn stream_connect_pattern($2, crond_var_run_t, crond_var_run_t, crond_t) ') optional_policy(` gen_require(` class dbus send_msg; ') dbus_stub(admin_cronjob_t) allow cronjob_t $2:dbus send_msg; ') ') ######################################## ## ## Make the specified program domain ## accessable from the system cron jobs. ## ## ## ## The type of the process to transition to. ## ## ## ## ## The type of the file used as an entrypoint to this domain. ## ## # interface(`cron_system_entry',` gen_require(` type crond_t, system_cronjob_t; type user_cron_spool_log_t; ') rw_files_pattern($1, user_cron_spool_log_t, user_cron_spool_log_t) domtrans_pattern(system_cronjob_t, $2, $1) domtrans_pattern(crond_t, $2, $1) role system_r types $1; ') ######################################## ## ## Execute cron in the cron system domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`cron_domtrans',` gen_require(` type system_cronjob_t, crond_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, crond_exec_t, system_cronjob_t) ') ######################################## ## ## Execute crond in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`cron_exec',` gen_require(` type crond_exec_t; ') corecmd_search_bin($1) can_exec($1, crond_exec_t) ') ######################################## ## ## Execute crond server in the crond domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`cron_initrc_domtrans',` gen_require(` type crond_initrc_exec_t; ') init_labeled_script_domtrans($1, crond_initrc_exec_t) ') ######################################## ## ## Use crond file descriptors. ## ## ## ## Domain allowed access. ## ## # interface(`cron_use_fds',` gen_require(` type crond_t; ') allow $1 crond_t:fd use; ') ######################################## ## ## Send child terminated signals to crond. ## ## ## ## Domain allowed access. ## ## # interface(`cron_sigchld',` gen_require(` type crond_t; ') allow $1 crond_t:process sigchld; ') ######################################## ## ## Set the attributes of cron log files. ## ## ## ## Domain allowed access. ## ## # interface(`cron_setattr_log_files',` gen_require(` type cron_log_t; ') allow $1 cron_log_t:file setattr_file_perms; ') ######################################## ## ## Create cron log files. ## ## ## ## Domain allowed access. ## ## # interface(`cron_create_log_files',` gen_require(` type cron_log_t; ') create_files_pattern($1, cron_log_t, cron_log_t) ') ######################################## ## ## Write to cron log files. ## ## ## ## Domain allowed access. ## ## # interface(`cron_write_log_files',` gen_require(` type cron_log_t; ') allow $1 cron_log_t:file write_file_perms; ') ######################################## ## ## Create, read, write and delete ## cron log files. ## ## ## ## Domain allowed access. ## ## # interface(`cron_manage_log_files',` gen_require(` type cron_log_t; ') manage_files_pattern($1, cron_log_t, cron_log_t) logging_search_logs($1) ') ######################################## ## ## Create specified objects in generic ## log directories with the cron log file type. ## ## ## ## Domain allowed access. ## ## ## ## ## Class of the object being created. ## ## ## ## ## The name of the object being created. ## ## # interface(`cron_generic_log_filetrans_log',` gen_require(` type cron_log_t; ') logging_log_filetrans($1, cron_log_t, $2, $3) ') ######################################## ## ## Read cron daemon unnamed pipes. ## ## ## ## Domain allowed access. ## ## # interface(`cron_read_pipes',` gen_require(` type crond_t; ') allow $1 crond_t:fifo_file read_fifo_file_perms; ') ######################################## ## ## Do not audit attempts to write ## cron daemon unnamed pipes. ## ## ## ## Domain to not audit. ## ## # interface(`cron_dontaudit_write_pipes',` gen_require(` type crond_t; ') dontaudit $1 crond_t:fifo_file write; ') ######################################## ## ## Read and write crond unnamed pipes. ## ## ## ## Domain allowed access. ## ## # interface(`cron_rw_pipes',` gen_require(` type crond_t; ') allow $1 crond_t:fifo_file rw_fifo_file_perms; ') ######################################## ## ## Read and write crond TCP sockets. ## ## ## ## Domain allowed access. ## ## # interface(`cron_rw_tcp_sockets',` gen_require(` type crond_t; ') allow $1 crond_t:tcp_socket { read write }; ') ######################################## ## ## Do not audit attempts to read and ## write cron daemon TCP sockets. ## ## ## ## Domain to not audit. ## ## # interface(`cron_dontaudit_rw_tcp_sockets',` gen_require(` type crond_t; ') dontaudit $1 crond_t:tcp_socket { read write }; ') ######################################## ## ## Search cron spool directories. ## ## ## ## Domain allowed access. ## ## # interface(`cron_search_spool',` gen_require(` type cron_spool_t; ') files_search_spool($1) allow $1 cron_spool_t:dir search_dir_perms; ') ######################################## ## ## Create, read, write, and delete ## crond pid files. ## ## ## ## Domain allowed access. ## ## # interface(`cron_manage_pid_files',` gen_require(` type crond_var_run_t; ') manage_files_pattern($1, crond_var_run_t, crond_var_run_t) ') ######################################## ## ## Execute anacron in the cron ## system domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`cron_anacron_domtrans_system_job',` gen_require(` type system_cronjob_t, anacron_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, anacron_exec_t, system_cronjob_t) ') ######################################## ## ## Use system cron job file descriptors. ## ## ## ## Domain allowed access. ## ## # interface(`cron_use_system_job_fds',` gen_require(` type system_cronjob_t; ') allow $1 system_cronjob_t:fd use; ') ######################################## ## ## Create, read, write, and delete the system spool. ## ## ## ## Domain allowed access. ## ## # interface(`cron_manage_system_spool',` gen_require(` type system_cron_spool_t; ') files_search_spool($1) manage_files_pattern($1, system_cron_spool_t, system_cron_spool_t) ') ######################################## ## ## Read the system spool. ## ## ## ## Domain allowed access. ## ## # interface(`cron_read_system_spool',` gen_require(` type system_cron_spool_t; ') cron_search_spool($1) list_dirs_pattern($1, system_cron_spool_t, system_cron_spool_t) read_files_pattern($1, system_cron_spool_t, system_cron_spool_t) ') ######################################## ## ## Read and write crond temporary files. ## ## ## ## Domain allowed access. ## ## # interface(`cron_rw_tmp_files',` gen_require(` type crond_tmp_t; ') allow $1 crond_tmp_t:file rw_file_perms; ') ######################################## ## ## Read system cron job lib files. ## ## ## ## Domain allowed access. ## ## # interface(`cron_read_system_job_lib_files',` gen_require(` type system_cronjob_var_lib_t; ') files_search_var_lib($1) read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') ######################################## ## ## Create, read, write, and delete ## system cron job lib files. ## ## ## ## Domain allowed access. ## ## # interface(`cron_manage_system_job_lib_files',` gen_require(` type system_cronjob_var_lib_t; ') files_search_var_lib($1) manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') ######################################## ## ## Write system cron job unnamed pipes. ## ## ## ## Domain allowed access. ## ## # interface(`cron_write_system_job_pipes',` gen_require(` type system_cronjob_t; ') allow $1 system_cronjob_t:file write; ') ######################################## ## ## Read and write system cron job ## unnamed pipes. ## ## ## ## Domain allowed access. ## ## # interface(`cron_rw_system_job_pipes',` gen_require(` type system_cronjob_t; ') allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms; ') ######################################## ## ## Read and write inherited system cron ## job unix domain stream sockets. ## ## ## ## Domain allowed access. ## ## # interface(`cron_rw_system_job_stream_sockets',` gen_require(` type system_cronjob_t; ') allow $1 system_cronjob_t:unix_stream_socket { read write }; ') ######################################## ## ## Read system cron job temporary files. ## ## ## ## Domain allowed access. ## ## # interface(`cron_read_system_job_tmp_files',` gen_require(` type system_cronjob_tmp_t; ') files_search_tmp($1) allow $1 system_cronjob_tmp_t:file read_file_perms; ') ######################################## ## ## Do not audit attempts to append temporary ## system cron job files. ## ## ## ## Domain to not audit. ## ## # interface(`cron_dontaudit_append_system_job_tmp_files',` gen_require(` type system_cronjob_tmp_t; ') dontaudit $1 system_cronjob_tmp_t:file append_file_perms; ') ######################################## ## ## Read and write to inherited system cron job temporary files. ## ## ## ## Domain allowed access. ## ## # interface(`cron_rw_inherited_system_job_tmp_files',` gen_require(` type system_cronjob_tmp_t; ') allow $1 system_cronjob_tmp_t:file rw_inherited_file_perms; ') ######################################## ## ## Do not audit attempts to write temporary ## system cron job files. ## ## ## ## Domain to not audit. ## ## # interface(`cron_dontaudit_write_system_job_tmp_files',` gen_require(` type system_cronjob_tmp_t; ') dontaudit $1 system_cronjob_tmp_t:file write_file_perms; ') ######################################## ## ## Execute crontab in the caller domain. ## ## ## ## Domain allowed access. ## ## ## # interface(`cron_exec_crontab',` gen_require(` type crontab_exec_t; ') corecmd_search_bin($1) can_exec($1, crontab_exec_t) ') ######################################## ## ## All of the rules required to ## administrate a cron environment. ## ## ## ## Domain allowed access. ## ## ## ## ## Role allowed access. ## ## ## # interface(`cron_admin',` gen_require(` type crond_t, cronjob_t, crond_initrc_exec_t; type cron_var_lib_t, system_cronjob_var_lib_t; type crond_tmp_t, admin_crontab_tmp_t; type crontab_tmp_t, system_cronjob_tmp_t; type cron_var_run_t, system_cronjob_var_run_t, crond_var_run_t; type cron_log_t, system_cronjob_lock_t, user_cron_spool_log_t; attribute cron_spool_type; ') allow $1 { crond_t cronjob_t }:process { ptrace signal_perms }; ps_process_pattern($1, { crond_t cronjob_t }) init_startstop_service($1, $2, crond_t, crond_initrc_exec_t) files_search_var_lib($1) admin_pattern($1, { cron_var_lib_t system_cronjob_var_lib_t }) files_search_tmp($1) admin_pattern($1, { crond_tmp_t admin_crontab_tmp_t }) admin_pattern($1, { crontab_tmp_t system_cronjob_tmp_t }) files_search_pids($1) admin_pattern($1, { cron_var_run_t crond_var_run_t system_cronjob_var_run_t }) files_search_locks($1) admin_pattern($1, system_cronjob_lock_t) logging_search_logs($1) admin_pattern($1, { cron_log_t user_cron_spool_log_t }) files_search_spool($1) admin_pattern($1, cron_spool_type) ')