selinux-refpolicy/policy/modules/services/cron.te
Chris PeBenito 1900668638 trunk: Unified labeled networking policy from Paul Moore.
The latest revision of the labeled policy patches which enable both labeled 
and unlabeled policy support for NetLabel.  This revision takes into account
Chris' feedback from the first version and reduces the number of interface
calls in each domain down to two at present: one for unlabeled access, one for
NetLabel access.  The older, transport layer specific interfaces, are still  
present for use by third-party modules but are not used in the default policy
modules.

trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.

This patch changes the policy to use the netmsg initial SID as the "base"
SID/context for NetLabel packets which only have MLS security attributes.
Currently we use the unlabeled initial SID which makes it very difficult to
distinquish between actual unlabeled packets and those packets which have MLS
security attributes.
2007-06-27 15:23:21 +00:00

488 lines
13 KiB
Plaintext

policy_module(cron,1.6.2)
gen_require(`
class passwd rootok;
')
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow system cron jobs to relabel filesystem
## for restoring file contexts.
## </p>
## </desc>
gen_tunable(cron_can_relabel,false)
## <desc>
## <p>
## Enable extra rules in the cron domain
## to support fcron.
## </p>
## </desc>
gen_tunable(fcron_crond,false)
attribute cron_spool_type;
type anacron_exec_t;
corecmd_executable_file(anacron_exec_t)
type cron_spool_t;
files_type(cron_spool_t)
# var/lib files
type cron_var_lib_t;
files_type(cron_var_lib_t)
# var/log files
type cron_log_t;
logging_log_file(cron_log_t)
type crond_t;
type crond_exec_t;
init_daemon_domain(crond_t,crond_exec_t)
domain_interactive_fd(crond_t)
domain_cron_exemption_source(crond_t)
type crond_tmp_t;
files_tmp_file(crond_tmp_t)
type crond_var_run_t;
files_pid_file(crond_var_run_t)
type crontab_exec_t;
corecmd_executable_file(crontab_exec_t)
type system_cron_spool_t, cron_spool_type;
files_type(system_cron_spool_t)
ifdef(`targeted_policy',`
typealias crond_t alias system_crond_t;
',`
type system_crond_t;
')
init_daemon_domain(system_crond_t,anacron_exec_t)
corecmd_shell_entry_type(system_crond_t)
role system_r types system_crond_t;
type system_crond_lock_t;
files_lock_file(system_crond_lock_t)
type system_crond_tmp_t;
files_tmp_file(system_crond_tmp_t)
ifdef(`targeted_policy',`
type sysadm_cron_spool_t;
files_type(sysadm_cron_spool_t)
')
ifdef(`enable_mcs',`
init_ranged_daemon_domain(crond_t,crond_exec_t,s0 - mcs_systemhigh)
')
########################################
#
# Cron Local policy
#
allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search audit_control };
dontaudit crond_t self:capability { sys_resource sys_tty_config };
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow crond_t self:process { setexec setfscreate };
allow crond_t self:fd use;
allow crond_t self:fifo_file rw_fifo_file_perms;
allow crond_t self:unix_dgram_socket create_socket_perms;
allow crond_t self:unix_stream_socket create_stream_socket_perms;
allow crond_t self:unix_dgram_socket sendto;
allow crond_t self:unix_stream_socket connectto;
allow crond_t self:shm create_shm_perms;
allow crond_t self:sem create_sem_perms;
allow crond_t self:msgq create_msgq_perms;
allow crond_t self:msg { send receive };
allow crond_t self:key { search write link };
allow crond_t crond_var_run_t:file manage_file_perms;
files_pid_filetrans(crond_t,crond_var_run_t,file)
allow crond_t cron_spool_t:dir rw_dir_perms;
allow crond_t cron_spool_t:file read_file_perms;
allow crond_t system_cron_spool_t:dir list_dir_perms;
allow crond_t system_cron_spool_t:file read_file_perms;
kernel_read_kernel_sysctls(crond_t)
kernel_search_key(crond_t)
dev_read_sysfs(crond_t)
selinux_get_fs_mount(crond_t)
selinux_validate_context(crond_t)
selinux_compute_access_vector(crond_t)
selinux_compute_create_context(crond_t)
selinux_compute_relabel_context(crond_t)
selinux_compute_user_contexts(crond_t)
dev_read_urand(crond_t)
fs_getattr_all_fs(crond_t)
fs_search_auto_mountpoints(crond_t)
# need auth_chkpwd to check for locked accounts.
auth_domtrans_chk_passwd(crond_t)
corecmd_exec_shell(crond_t)
corecmd_list_bin(crond_t)
corecmd_read_bin_symlinks(crond_t)
domain_use_interactive_fds(crond_t)
files_read_etc_files(crond_t)
files_read_generic_spool(crond_t)
files_list_usr(crond_t)
# Read from /var/spool/cron.
files_search_var_lib(crond_t)
files_search_default(crond_t)
init_rw_utmp(crond_t)
libs_use_ld_so(crond_t)
libs_use_shared_libs(crond_t)
logging_send_syslog_msg(crond_t)
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
seutil_sigchld_newrole(crond_t)
miscfiles_read_localization(crond_t)
userdom_use_unpriv_users_fds(crond_t)
# Not sure why this is needed
userdom_list_all_users_home_dirs(crond_t)
mta_send_mail(crond_t)
ifdef(`distro_debian',`
optional_policy(`
# Debian logcheck has the home dir set to its cache
logwatch_search_cache_dir(crond_t)
')
')
ifdef(`distro_redhat', `
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
optional_policy(`
rpm_manage_log(crond_t)
')
')
optional_policy(`
locallogin_search_keys(crond_t)
locallogin_link_keys(crond_t)
')
ifdef(`targeted_policy',`
manage_dirs_pattern(crond_t,system_crond_tmp_t,system_crond_tmp_t)
manage_files_pattern(crond_t,system_crond_tmp_t,system_crond_tmp_t)
manage_lnk_files_pattern(crond_t,system_crond_tmp_t,system_crond_tmp_t)
manage_fifo_files_pattern(crond_t,system_crond_tmp_t,system_crond_tmp_t)
manage_sock_files_pattern(crond_t,system_crond_tmp_t,system_crond_tmp_t)
files_tmp_filetrans(crond_t,system_crond_tmp_t,{ dir file lnk_file sock_file fifo_file })
unconfined_domain(crond_t)
userdom_manage_generic_user_home_content_dirs(crond_t)
userdom_manage_generic_user_home_content_files(crond_t)
userdom_manage_generic_user_home_content_symlinks(crond_t)
userdom_manage_generic_user_home_content_sockets(crond_t)
userdom_manage_generic_user_home_content_pipes(crond_t)
userdom_generic_user_home_dir_filetrans_generic_user_home_content(crond_t,{ dir file lnk_file fifo_file sock_file })
allow crond_t unconfined_t:dbus send_msg;
allow crond_t initrc_t:dbus send_msg;
optional_policy(`
mono_domtrans(crond_t)
')
',`
manage_dirs_pattern(crond_t,crond_tmp_t,crond_tmp_t)
manage_files_pattern(crond_t,crond_tmp_t,crond_tmp_t)
files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
')
tunable_policy(`fcron_crond', `
allow crond_t system_cron_spool_t:file manage_file_perms;
')
optional_policy(`
amavis_search_lib(crond_t)
')
optional_policy(`
hal_dbus_send(crond_t)
')
optional_policy(`
# cjp: why?
munin_search_lib(crond_t)
')
optional_policy(`
nis_use_ypbind(crond_t)
')
optional_policy(`
nscd_socket_use(crond_t)
')
optional_policy(`
# Commonly used from postinst scripts
rpm_read_pipes(crond_t)
')
optional_policy(`
# allow crond to find /usr/lib/postgresql/bin/do.maintenance
postgresql_search_db(crond_t)
')
optional_policy(`
udev_read_db(crond_t)
')
########################################
#
# System cron process domain
#
# This is to handle creation of files in /var/log directory.
# Used currently by rpm script log files
allow system_crond_t cron_log_t:file manage_file_perms;
logging_log_filetrans(system_crond_t,cron_log_t,file)
# This is to handle /var/lib/misc directory. Used currently
# by prelink var/lib files for cron
allow system_crond_t cron_var_lib_t:file manage_file_perms;
files_var_lib_filetrans(system_crond_t,cron_var_lib_t,file)
optional_policy(`
# cjp: why?
squid_domtrans(system_crond_t)
')
ifdef(`targeted_policy',`
# cjp: FIXME
allow crond_t unconfined_t:process transition;
',`
allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
allow system_crond_t self:process { signal_perms setsched };
allow system_crond_t self:fifo_file rw_fifo_file_perms;
allow system_crond_t self:passwd rootok;
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
# the crontab file has a type that is appropriate
# for the domain of the user cron job. It
# performs an entrypoint permission check
# for this purpose.
allow system_crond_t system_cron_spool_t:file entrypoint;
allow system_crond_t system_cron_spool_t:file read_file_perms;
# Permit a transition from the crond_t domain to this domain.
# The transition is requested explicitly by the modified crond
# via setexeccon. There is no way to set up an automatic
# transition, since crontabs are configuration files, not executables.
allow crond_t system_crond_t:process transition;
dontaudit crond_t system_crond_t:process { noatsecure siginh rlimitinh };
allow crond_t system_crond_t:fd use;
allow system_crond_t crond_t:fd use;
allow system_crond_t crond_t:fifo_file rw_file_perms;
allow system_crond_t crond_t:process sigchld;
# Write /var/lock/makewhatis.lock.
allow system_crond_t system_crond_lock_t:file manage_file_perms;
files_lock_filetrans(system_crond_t,system_crond_lock_t,file)
# write temporary files
manage_files_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t)
manage_lnk_files_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t)
filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file })
files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file)
# Read from /var/spool/cron.
allow system_crond_t cron_spool_t:dir list_dir_perms;
allow system_crond_t cron_spool_t:file read_file_perms;
kernel_read_kernel_sysctls(system_crond_t)
kernel_read_system_state(system_crond_t)
kernel_read_software_raid_state(system_crond_t)
# ps does not need to access /boot when run from cron
files_dontaudit_search_boot(system_crond_t)
corecmd_exec_all_executables(system_crond_t)
corenet_all_recvfrom_unlabeled(system_crond_t)
corenet_all_recvfrom_netlabel(system_crond_t)
corenet_tcp_sendrecv_all_if(system_crond_t)
corenet_udp_sendrecv_all_if(system_crond_t)
corenet_tcp_sendrecv_all_nodes(system_crond_t)
corenet_udp_sendrecv_all_nodes(system_crond_t)
corenet_tcp_sendrecv_all_ports(system_crond_t)
corenet_udp_sendrecv_all_ports(system_crond_t)
dev_getattr_all_blk_files(system_crond_t)
dev_getattr_all_chr_files(system_crond_t)
dev_read_urand(system_crond_t)
fs_getattr_all_fs(system_crond_t)
fs_getattr_all_files(system_crond_t)
fs_getattr_all_symlinks(system_crond_t)
fs_getattr_all_pipes(system_crond_t)
fs_getattr_all_sockets(system_crond_t)
# quiet other ps operations
domain_dontaudit_read_all_domains_state(system_crond_t)
files_exec_etc_files(system_crond_t)
files_read_etc_files(system_crond_t)
files_read_etc_runtime_files(system_crond_t)
files_list_all(system_crond_t)
files_getattr_all_dirs(system_crond_t)
files_getattr_all_files(system_crond_t)
files_getattr_all_symlinks(system_crond_t)
files_getattr_all_pipes(system_crond_t)
files_getattr_all_sockets(system_crond_t)
files_read_usr_files(system_crond_t)
files_read_var_files(system_crond_t)
# for nscd:
files_dontaudit_search_pids(system_crond_t)
# Access other spool directories like
# /var/spool/anacron and /var/spool/slrnpull.
files_manage_generic_spool(system_crond_t)
init_use_script_fds(system_crond_t)
init_read_utmp(system_crond_t)
init_dontaudit_rw_utmp(system_crond_t)
# prelink tells init to restart it self, we either need to allow or dontaudit
init_write_initctl(system_crond_t)
libs_use_ld_so(system_crond_t)
libs_use_shared_libs(system_crond_t)
libs_exec_lib_files(system_crond_t)
libs_exec_ld_so(system_crond_t)
logging_read_generic_logs(system_crond_t)
logging_send_syslog_msg(system_crond_t)
miscfiles_read_localization(system_crond_t)
miscfiles_manage_man_pages(system_crond_t)
seutil_read_config(system_crond_t)
ifdef(`distro_redhat', `
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
optional_policy(`
rpm_manage_log(system_crond_t)
')
')
tunable_policy(`cron_can_relabel',`
seutil_domtrans_setfiles(system_crond_t)
',`
selinux_get_fs_mount(system_crond_t)
selinux_validate_context(system_crond_t)
selinux_compute_access_vector(system_crond_t)
selinux_compute_create_context(system_crond_t)
selinux_compute_relabel_context(system_crond_t)
selinux_compute_user_contexts(system_crond_t)
seutil_read_file_contexts(system_crond_t)
')
optional_policy(`
# Needed for certwatch
apache_exec_modules(system_crond_t)
apache_read_config(system_crond_t)
apache_read_log(system_crond_t)
apache_read_sys_content(system_crond_t)
')
optional_policy(`
cyrus_manage_data(system_crond_t)
')
optional_policy(`
ftp_read_log(system_crond_t)
')
optional_policy(`
inn_manage_log(system_crond_t)
inn_manage_pid(system_crond_t)
inn_read_config(system_crond_t)
')
optional_policy(`
mrtg_append_create_logs(system_crond_t)
')
optional_policy(`
mta_send_mail(system_crond_t)
')
optional_policy(`
mysql_read_config(system_crond_t)
')
optional_policy(`
nis_use_ypbind(system_crond_t)
')
optional_policy(`
nscd_socket_use(system_crond_t)
')
optional_policy(`
postfix_read_config(system_crond_t)
')
optional_policy(`
prelink_read_cache(system_crond_t)
prelink_manage_log(system_crond_t)
prelink_delete_cache(system_crond_t)
')
optional_policy(`
samba_read_config(system_crond_t)
samba_read_log(system_crond_t)
#samba_read_secrets(system_crond_t)
')
optional_policy(`
slocate_create_append_log(system_crond_t)
')
optional_policy(`
sysstat_manage_log(system_crond_t)
')
ifdef(`TODO',`
dontaudit userdomain system_crond_t:fd use;
allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
# for if /var/mail is a symlink
allow system_crond_t mail_spool_t:lnk_file read;
ifdef(`mta.te', `
allow mta_user_agent system_crond_t:fd use;
r_dir_file(system_mail_t, crond_tmp_t)
')
') dnl end TODO
')