cron: Use raw entrypoint rule for system_cronjob_t.

Using domain_entry_file() to provide the entrypoint permission makes
the spool file an executable, with unexpected access.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Chris PeBenito 2024-02-23 16:06:03 -05:00
parent 0f71792c8c
commit e1bc4830d6
1 changed files with 1 additions and 1 deletions


@ -91,7 +91,6 @@ files_type(system_cron_spool_t)
type system_cronjob_t alias system_crond_t;
init_daemon_domain(system_cronjob_t, anacron_exec_t)
corecmd_shell_entry_type(system_cronjob_t)
domain_entry_file(system_cronjob_t, system_cron_spool_t)
type system_cronjob_lock_t alias system_crond_lock_t;
files_lock_file(system_cronjob_lock_t)
@ -459,6 +458,7 @@ allow system_cronjob_t cron_runtime_t:file manage_file_perms;
files_runtime_filetrans(system_cronjob_t, cron_runtime_t, file)
manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
allow system_cronjob_t system_cron_spool_t:file entrypoint;
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
allow system_cronjob_t system_cronjob_lock_t:lnk_file manage_lnk_file_perms;
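Review bot: The raw `allow system_cronjob_t system_cron_spool_t:file entrypoint;` rule in the second hunk (which appears to be the added line, since the rendering lost its +/- markers) has no comment saying why the interface is avoided on purpose. Without one, a later cleanup could swap it back to domain_entry_file() and reintroduce the executable-type access the commit message describes. I would put `# Raw rule on purpose: domain_entry_file() would also make system_cron_spool_t an executable type.` directly above it. It is also worth checking the compiled policy after the change, for example with `sesearch -A -t system_cron_spool_t -c file -p execute`, to confirm that no domain still gets execute access to the spool type. The context line above it shows system_cronjob_t can also manage files of that same type, so the domain can write to its own entrypoint files, and that deserves a short note in the policy too.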