1039 lines
21 KiB
Plaintext
1039 lines
21 KiB
Plaintext
## <summary>Periodic execution of scheduled commands.</summary>
|
|
|
|
#######################################
|
|
## <summary>
|
|
## The template to define a crontab domain.
|
|
## </summary>
|
|
## <param name="domain_prefix">
|
|
## <summary>
|
|
## Domain prefix to be used.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
template(`cron_common_crontab_template',`
|
|
gen_require(`
|
|
attribute crontab_domain;
|
|
type crontab_exec_t;
|
|
')
|
|
|
|
##############################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type $1_t, crontab_domain;
|
|
userdom_user_application_domain($1_t, crontab_exec_t)
|
|
|
|
type $1_tmp_t;
|
|
userdom_user_tmp_file($1_tmp_t)
|
|
|
|
##############################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
|
|
manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
|
|
files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
|
|
|
|
auth_domtrans_chk_passwd($1_t)
|
|
auth_use_nsswitch($1_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Role access for cron.
|
|
## </summary>
|
|
## <param name="role_prefix">
|
|
## <summary>
|
|
## The prefix of the user role (e.g., user
|
|
## is the prefix for user_r).
|
|
## </summary>
|
|
## </param>
|
|
## <param name="user_domain">
|
|
## <summary>
|
|
## User domain for the role.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="user_exec_domain">
|
|
## <summary>
|
|
## User exec domain for execute and transition access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## Role allowed access
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
template(`cron_role',`
|
|
gen_require(`
|
|
type cronjob_t, crontab_t, crontab_exec_t;
|
|
type user_cron_spool_t, crond_t;
|
|
bool cron_userdomain_transition;
|
|
')
|
|
|
|
##############################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
role $4 types { cronjob_t crontab_t };
|
|
|
|
##############################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
domtrans_pattern($2, crontab_exec_t, crontab_t)
|
|
|
|
dontaudit crond_t $3:process { noatsecure rlimitinh siginh };
|
|
allow $2 crond_t:process sigchld;
|
|
|
|
allow $2 user_cron_spool_t:file rw_inherited_file_perms;
|
|
|
|
allow $2 crontab_t:process { ptrace signal_perms };
|
|
ps_process_pattern($2, crontab_t)
|
|
|
|
corecmd_exec_bin(crontab_t)
|
|
corecmd_exec_shell(crontab_t)
|
|
|
|
tunable_policy(`cron_userdomain_transition',`
|
|
allow crond_t $2:process transition;
|
|
allow crond_t $2:fd use;
|
|
allow crond_t $2:key manage_key_perms;
|
|
|
|
allow $2 user_cron_spool_t:file entrypoint;
|
|
|
|
allow $2 crond_t:fifo_file rw_fifo_file_perms;
|
|
|
|
allow $2 cronjob_t:process { ptrace signal_perms };
|
|
ps_process_pattern($2, cronjob_t)
|
|
',`
|
|
dontaudit crond_t $2:process transition;
|
|
dontaudit crond_t $2:fd use;
|
|
dontaudit crond_t $2:key manage_key_perms;
|
|
|
|
dontaudit $2 user_cron_spool_t:file entrypoint;
|
|
|
|
dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
|
|
|
|
dontaudit $2 cronjob_t:process { ptrace signal_perms };
|
|
')
|
|
|
|
optional_policy(`
|
|
gen_require(`
|
|
class dbus send_msg;
|
|
')
|
|
|
|
dbus_stub(cronjob_t)
|
|
|
|
allow cronjob_t $2:dbus send_msg;
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Role access for unconfined cron.
|
|
## </summary>
|
|
## <param name="role_prefix">
|
|
## <summary>
|
|
## The prefix of the user role (e.g., user
|
|
## is the prefix for user_r).
|
|
## </summary>
|
|
## </param>
|
|
## <param name="user_domain">
|
|
## <summary>
|
|
## User domain for the role.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="user_exec_domain">
|
|
## <summary>
|
|
## User exec domain for execute and transition access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## Role allowed access
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
template(`cron_unconfined_role',`
|
|
gen_require(`
|
|
type unconfined_cronjob_t, crontab_t, crontab_exec_t;
|
|
type crond_t, user_cron_spool_t;
|
|
bool cron_userdomain_transition;
|
|
')
|
|
|
|
##############################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
role $4 types { unconfined_cronjob_t crontab_t };
|
|
|
|
##############################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
domtrans_pattern($2, crontab_exec_t, crontab_t)
|
|
|
|
dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
|
|
allow $2 crond_t:process sigchld;
|
|
|
|
allow $2 user_cron_spool_t:file rw_inherited_file_perms;
|
|
|
|
allow $2 crontab_t:process { ptrace signal_perms };
|
|
ps_process_pattern($2, crontab_t)
|
|
|
|
corecmd_exec_bin(crontab_t)
|
|
corecmd_exec_shell(crontab_t)
|
|
|
|
tunable_policy(`cron_userdomain_transition',`
|
|
allow crond_t $2:process transition;
|
|
allow crond_t $2:fd use;
|
|
allow crond_t $2:key manage_key_perms;
|
|
|
|
allow $2 user_cron_spool_t:file entrypoint;
|
|
|
|
allow $2 crond_t:fifo_file rw_fifo_file_perms;
|
|
|
|
allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
|
|
ps_process_pattern($2, unconfined_cronjob_t)
|
|
',`
|
|
dontaudit crond_t $2:process transition;
|
|
dontaudit crond_t $2:fd use;
|
|
dontaudit crond_t $2:key manage_key_perms;
|
|
|
|
dontaudit $2 user_cron_spool_t:file entrypoint;
|
|
|
|
dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
|
|
|
|
dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms };
|
|
')
|
|
|
|
optional_policy(`
|
|
gen_require(`
|
|
class dbus send_msg;
|
|
')
|
|
|
|
dbus_stub(unconfined_cronjob_t)
|
|
|
|
allow unconfined_cronjob_t $2:dbus send_msg;
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Role access for admin cron.
|
|
## </summary>
|
|
## <param name="role_prefix">
|
|
## <summary>
|
|
## The prefix of the user role (e.g., user
|
|
## is the prefix for user_r).
|
|
## </summary>
|
|
## </param>
|
|
## <param name="user_domain">
|
|
## <summary>
|
|
## User domain for the role.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="user_exec_domain">
|
|
## <summary>
|
|
## User exec domain for execute and transition access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## Role allowed access
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
template(`cron_admin_role',`
|
|
gen_require(`
|
|
type cronjob_t, crontab_exec_t, admin_crontab_t;
|
|
class passwd crontab;
|
|
type crond_t, crond_runtime_t, user_cron_spool_t;
|
|
bool cron_userdomain_transition, fcron_crond;
|
|
')
|
|
|
|
##############################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
role $4 types { cronjob_t admin_crontab_t };
|
|
|
|
##############################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
|
|
|
|
dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
|
|
allow $2 crond_t:process sigchld;
|
|
|
|
allow $2 user_cron_spool_t:file rw_inherited_file_perms;
|
|
|
|
allow $2 admin_crontab_t:process { ptrace signal_perms };
|
|
ps_process_pattern($2, admin_crontab_t)
|
|
|
|
# Manipulate other users crontab.
|
|
allow $2 self:passwd crontab;
|
|
|
|
corecmd_exec_bin(admin_crontab_t)
|
|
corecmd_exec_shell(admin_crontab_t)
|
|
|
|
tunable_policy(`cron_userdomain_transition',`
|
|
allow crond_t $2:process transition;
|
|
allow crond_t $2:fd use;
|
|
allow crond_t $2:key manage_key_perms;
|
|
|
|
allow $2 user_cron_spool_t:file entrypoint;
|
|
|
|
allow $2 crond_t:fifo_file rw_fifo_file_perms;
|
|
|
|
allow $2 cronjob_t:process { ptrace signal_perms };
|
|
ps_process_pattern($2, cronjob_t)
|
|
',`
|
|
dontaudit crond_t $2:process transition;
|
|
dontaudit crond_t $2:fd use;
|
|
dontaudit crond_t $2:key manage_key_perms;
|
|
|
|
dontaudit $2 user_cron_spool_t:file entrypoint;
|
|
|
|
dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
|
|
|
|
dontaudit $2 cronjob_t:process { ptrace signal_perms };
|
|
')
|
|
|
|
tunable_policy(`fcron_crond',`
|
|
# Support for fcrondyn
|
|
stream_connect_pattern($2, crond_runtime_t, crond_runtime_t, crond_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
gen_require(`
|
|
class dbus send_msg;
|
|
')
|
|
|
|
dbus_stub(admin_cronjob_t)
|
|
|
|
allow cronjob_t $2:dbus send_msg;
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make the specified program domain
|
|
## accessible from the system cron jobs.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## The type of the process to transition to.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="entrypoint">
|
|
## <summary>
|
|
## The type of the file used as an entrypoint to this domain.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cron_system_entry',`
|
|
gen_require(`
|
|
type crond_t, system_cronjob_t;
|
|
type user_cron_spool_log_t;
|
|
')
|
|
|
|
rw_files_pattern($1, user_cron_spool_log_t, user_cron_spool_log_t)
|
|
|
|
domtrans_pattern(system_cronjob_t, $2, $1)
|
|
domtrans_pattern(crond_t, $2, $1)
|
|
|
|
role system_r types $1;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute cron in the cron system domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cron_domtrans',`
|
|
gen_require(`
|
|
type system_cronjob_t, crond_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
domtrans_pattern($1, crond_exec_t, system_cronjob_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute crond in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cron_exec',`
|
|
gen_require(`
|
|
type crond_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
can_exec($1, crond_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute crond server in the crond domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cron_initrc_domtrans',`
|
|
gen_require(`
|
|
type crond_initrc_exec_t;
|
|
')
|
|
|
|
init_labeled_script_domtrans($1, crond_initrc_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Use crond file descriptors.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cron_use_fds',`
|
|
gen_require(`
|
|
type crond_t;
|
|
')
|
|
|
|
allow $1 crond_t:fd use;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send child terminated signals to crond.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cron_sigchld',`
|
|
gen_require(`
|
|
type crond_t;
|
|
')
|
|
|
|
allow $1 crond_t:process sigchld;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Set the attributes of cron log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cron_setattr_log_files',`
|
|
gen_require(`
|
|
type cron_log_t;
|
|
')
|
|
|
|
allow $1 cron_log_t:file setattr_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create cron log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cron_create_log_files',`
|
|
gen_require(`
|
|
type cron_log_t;
|
|
')
|
|
|
|
create_files_pattern($1, cron_log_t, cron_log_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Write to cron log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cron_write_log_files',`
|
|
gen_require(`
|
|
type cron_log_t;
|
|
')
|
|
|
|
allow $1 cron_log_t:file write_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write and delete
|
|
## cron log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cron_manage_log_files',`
|
|
gen_require(`
|
|
type cron_log_t;
|
|
')
|
|
|
|
manage_files_pattern($1, cron_log_t, cron_log_t)
|
|
|
|
logging_search_logs($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create specified objects in generic
|
|
## log directories with the cron log file type.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="object_class">
|
|
## <summary>
|
|
## Class of the object being created.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="name" optional="true">
|
|
## <summary>
|
|
## The name of the object being created.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cron_generic_log_filetrans_log',`
|
|
gen_require(`
|
|
type cron_log_t;
|
|
')
|
|
|
|
logging_log_filetrans($1, cron_log_t, $2, $3)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read cron daemon unnamed pipes.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cron_read_pipes',`
|
|
gen_require(`
|
|
type crond_t;
|
|
')
|
|
|
|
allow $1 crond_t:fifo_file read_fifo_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to write
|
|
## cron daemon unnamed pipes.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cron_dontaudit_write_pipes',`
|
|
gen_require(`
|
|
type crond_t;
|
|
')
|
|
|
|
dontaudit $1 crond_t:fifo_file write;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read and write crond unnamed pipes.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cron_rw_pipes',`
|
|
gen_require(`
|
|
type crond_t;
|
|
')
|
|
|
|
allow $1 crond_t:fifo_file rw_fifo_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read and write crond TCP sockets.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cron_rw_tcp_sockets',`
|
|
gen_require(`
|
|
type crond_t;
|
|
')
|
|
|
|
allow $1 crond_t:tcp_socket { read write };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to read and
|
|
## write cron daemon TCP sockets.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cron_dontaudit_rw_tcp_sockets',`
|
|
gen_require(`
|
|
type crond_t;
|
|
')
|
|
|
|
dontaudit $1 crond_t:tcp_socket { read write };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Search cron spool directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cron_search_spool',`
|
|
gen_require(`
|
|
type cron_spool_t;
|
|
')
|
|
|
|
files_search_spool($1)
|
|
allow $1 cron_spool_t:dir search_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute anacron in the cron
|
|
## system domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cron_anacron_domtrans_system_job',`
|
|
gen_require(`
|
|
type system_cronjob_t, anacron_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
domtrans_pattern($1, anacron_exec_t, system_cronjob_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Use system cron job file descriptors.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cron_use_system_job_fds',`
|
|
gen_require(`
|
|
type system_cronjob_t;
|
|
')
|
|
|
|
allow $1 system_cronjob_t:fd use;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete the system spool.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cron_manage_system_spool',`
|
|
gen_require(`
|
|
type system_cron_spool_t;
|
|
')
|
|
|
|
files_search_spool($1)
|
|
manage_files_pattern($1, system_cron_spool_t, system_cron_spool_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read the system spool.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cron_read_system_spool',`
|
|
gen_require(`
|
|
type system_cron_spool_t;
|
|
')
|
|
|
|
cron_search_spool($1)
|
|
list_dirs_pattern($1, system_cron_spool_t, system_cron_spool_t)
|
|
read_files_pattern($1, system_cron_spool_t, system_cron_spool_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read and write crond temporary files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cron_rw_tmp_files',`
|
|
gen_require(`
|
|
type crond_tmp_t;
|
|
')
|
|
|
|
allow $1 crond_tmp_t:file rw_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read and write inherited crond temporary files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cron_rw_inherited_tmp_files',`
|
|
gen_require(`
|
|
type crond_tmp_t;
|
|
')
|
|
|
|
allow $1 crond_tmp_t:file rw_inherited_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read system cron job lib files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cron_read_system_job_lib_files',`
|
|
gen_require(`
|
|
type system_cronjob_var_lib_t;
|
|
')
|
|
|
|
files_search_var_lib($1)
|
|
read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete
|
|
## system cron job lib files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cron_manage_system_job_lib_files',`
|
|
gen_require(`
|
|
type system_cronjob_var_lib_t;
|
|
')
|
|
|
|
files_search_var_lib($1)
|
|
manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Write system cron job unnamed pipes.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cron_write_system_job_pipes',`
|
|
gen_require(`
|
|
type system_cronjob_t;
|
|
')
|
|
|
|
allow $1 system_cronjob_t:file write;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read and write system cron job
|
|
## unnamed pipes.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cron_rw_system_job_pipes',`
|
|
gen_require(`
|
|
type system_cronjob_t;
|
|
')
|
|
|
|
allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read and write inherited system cron
|
|
## job unix domain stream sockets.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cron_rw_system_job_stream_sockets',`
|
|
gen_require(`
|
|
type system_cronjob_t;
|
|
')
|
|
|
|
allow $1 system_cronjob_t:unix_stream_socket { read write };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read system cron job temporary files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cron_read_system_job_tmp_files',`
|
|
gen_require(`
|
|
type system_cronjob_tmp_t;
|
|
')
|
|
|
|
files_search_tmp($1)
|
|
allow $1 system_cronjob_tmp_t:file read_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to append temporary
|
|
## system cron job files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cron_dontaudit_append_system_job_tmp_files',`
|
|
gen_require(`
|
|
type system_cronjob_tmp_t;
|
|
')
|
|
|
|
dontaudit $1 system_cronjob_tmp_t:file append_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## allow appending temporary system cron job files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to allow.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cron_append_system_job_tmp_files',`
|
|
gen_require(`
|
|
type system_cronjob_tmp_t;
|
|
')
|
|
|
|
allow $1 system_cronjob_tmp_t:file append_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read and write to inherited system cron job temporary files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cron_rw_inherited_system_job_tmp_files',`
|
|
gen_require(`
|
|
type system_cronjob_tmp_t;
|
|
')
|
|
|
|
allow $1 system_cronjob_tmp_t:file rw_inherited_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to write temporary
|
|
## system cron job files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cron_dontaudit_write_system_job_tmp_files',`
|
|
gen_require(`
|
|
type system_cronjob_tmp_t;
|
|
')
|
|
|
|
dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute crontab in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`cron_exec_crontab',`
|
|
gen_require(`
|
|
type crontab_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
can_exec($1, crontab_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## All of the rules required to
|
|
## administrate a cron environment.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## Role allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`cron_admin',`
|
|
gen_require(`
|
|
type crond_t, cronjob_t, crond_initrc_exec_t;
|
|
type cron_var_lib_t, system_cronjob_var_lib_t;
|
|
type crond_tmp_t, admin_crontab_tmp_t;
|
|
type crontab_tmp_t, system_cronjob_tmp_t;
|
|
type cron_runtime_t, system_cronjob_runtime_t, crond_runtime_t;
|
|
type cron_log_t, system_cronjob_lock_t, user_cron_spool_log_t;
|
|
attribute cron_spool_type;
|
|
')
|
|
|
|
allow $1 { crond_t cronjob_t }:process { ptrace signal_perms };
|
|
ps_process_pattern($1, { crond_t cronjob_t })
|
|
|
|
init_startstop_service($1, $2, crond_t, crond_initrc_exec_t)
|
|
|
|
files_search_var_lib($1)
|
|
admin_pattern($1, { cron_var_lib_t system_cronjob_var_lib_t })
|
|
|
|
files_search_tmp($1)
|
|
admin_pattern($1, { crond_tmp_t admin_crontab_tmp_t })
|
|
admin_pattern($1, { crontab_tmp_t system_cronjob_tmp_t })
|
|
|
|
files_search_runtime($1)
|
|
admin_pattern($1, { cron_runtime_t crond_runtime_t system_cronjob_runtime_t })
|
|
|
|
files_search_locks($1)
|
|
admin_pattern($1, system_cronjob_lock_t)
|
|
|
|
logging_search_logs($1)
|
|
admin_pattern($1, { cron_log_t user_cron_spool_log_t })
|
|
|
|
files_search_spool($1)
|
|
admin_pattern($1, cron_spool_type)
|
|
')
|