authorChris PeBenito <cpebenito@tresys.com>2009-09-09 09:28:04 -0400
committerChris PeBenito <cpebenito@tresys.com>2009-09-09 09:28:04 -0400
commitc61b35048a3fcecf5d6573b5aecabfc8792e2f0f (patch)
tree1a2aedabc1dd9f71e8dd03ef70ad47d07ba91e00
parent163ddfaa8041e16ccff2819872890cf07f20f36d (diff)
cron patch from dan.
-rw-r--r--policy/modules/services/cron.fc8
-rw-r--r--policy/modules/services/cron.if157
-rw-r--r--policy/modules/services/cron.te76
3 files changed, 194 insertions, 47 deletions
diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
index 969629e3..2eefc08b 100644
--- a/policy/modules/services/cron.fc
+++ b/policy/modules/services/cron.fc
@@ -1,3 +1,4 @@
+/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
@@ -17,9 +18,8 @@
/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/spool/at -d gen_context(system_u:object_r:cron_spool_t,s0)
-/var/spool/at/spool -d gen_context(system_u:object_r:cron_spool_t,s0)
-/var/spool/at/[^/]* -- <<none>>
+/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
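Review bot: The new `/var/spool/at(/.*)?` entry assigns `system_u:object_r:user_cron_spool_t` to everything under the at spool, where the removed `/var/spool/at/[^/]* -- <<none>>` line left job files out of the file-context database. `user_cron_spool_t` is marked `ubac_constrained` in cron.te, so a relabel would presumably reset the SELinux user on per-user job files to `system_u`; that should be confirmed as intended. The entry also drops the `-d`/`--` class qualifiers, so the spool directory and its files now share one type. If the `<<none>>` behaviour is no longer needed, a short comment above the entry saying why would help the next reviewer.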
@@ -41,7 +41,7 @@ ifdef(`distro_suse', `
#/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0)
-/var/spool/fcron/[^/]* <<none>>
+/var/spool/fcron/.* <<none>>
/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index 8933f6d6..44caccc3 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -31,16 +31,16 @@ template(`cron_common_crontab_template',`
# dac_override is to create the file in the directory under /tmp
allow $1_t self:capability { fowner setuid setgid chown dac_override };
- allow $1_t self:process signal_perms;
+ allow $1_t self:process { setsched signal_perms };
+ allow $1_t self:fifo_file rw_fifo_file_perms;
allow $1_t $1_tmp_t:file manage_file_perms;
- files_tmp_filetrans($1_t,$1_tmp_t, file)
+ files_tmp_filetrans($1_t, $1_tmp_t, file)
# create files in /var/spool/cron
- # cjp: change this to a role transition
- manage_files_pattern($1_t, cron_spool_t, user_cron_spool_t)
+ manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file)
- files_search_spool($1_t)
+ files_list_spool($1_t)
# crontab signals crond by updating the mtime on the spooldir
allow $1_t cron_spool_t:dir setattr;
@@ -55,9 +55,16 @@ template(`cron_common_crontab_template',`
domain_use_interactive_fds($1_t)
files_read_etc_files($1_t)
+ files_read_usr_files($1_t)
files_dontaudit_search_pids($1_t)
+ auth_domtrans_chk_passwd($1_t)
+
logging_send_syslog_msg($1_t)
+ logging_send_audit_msgs($1_t)
+
+ init_dontaudit_write_utmp($1_t)
+ init_read_utmp($1_t)
miscfiles_read_localization($1_t)
@@ -253,19 +260,64 @@ interface(`cron_system_entry',`
type crond_t, system_cronjob_t;
')
- domain_auto_trans(system_cronjob_t, $2, $1)
+ domtrans_pattern(system_cronjob_t, $2, $1)
+ domtrans_pattern(crond_t, $2, $1)
- # cjp: perhaps these four rules from the old
- # domain_auto_trans are not needed?
- allow $1 system_cronjob_t:fd use;
- allow $1 system_cronjob_t:fifo_file rw_file_perms;
- allow $1 system_cronjob_t:process sigchld;
+ role system_r types $1;
+')
- allow $1 crond_t:fifo_file rw_file_perms;
- allow $1 crond_t:fd use;
- allow $1 crond_t:process sigchld;
+########################################
+## <summary>
+## Execute cron in the cron system domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_domtrans',`
+ gen_require(`
+ type system_cronjob_t, crond_exec_t;
+ ')
- role system_r types $1;
+ domtrans_pattern($1, crond_exec_t, system_cronjob_t)
+')
+
+########################################
+## <summary>
+## Execute crond_exec_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_exec',`
+ gen_require(`
+ type crond_exec_t;
+ ')
+
+ can_exec($1, crond_exec_t)
+')
+
+########################################
+## <summary>
+## Execute crond server in the nscd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`cron_initrc_domtrans',`
+ gen_require(`
+ type crond_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, crond_initrc_exec_t)
')
########################################
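Review bot: The summary on `cron_initrc_domtrans` reads "Execute crond server in the nscd domain", which looks like a copy-paste from another module; the interface calls `init_labeled_script_domtrans($1, crond_initrc_exec_t)`, so `## Execute the cron init script in the init script domain.` would match the rule. Separately, `cron_domtrans` is documented as "Execute cron in the cron system domain" but its rule is `domtrans_pattern($1, crond_exec_t, system_cronjob_t)`, so running the daemon binary puts the caller in the system cron job domain rather than `crond_t`. If that is intended the summary should say so explicitly, because any module calling this interface is granting entry to `system_cronjob_t`. The `cron_exec` summary ("Execute crond_exec_t") could also state the behaviour, e.g. `## Execute crond in the caller domain.`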
@@ -379,6 +431,24 @@ interface(`cron_rw_tcp_sockets',`
########################################
## <summary>
+## Dontaudit Read, and write cron daemon TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_dontaudit_rw_tcp_sockets',`
+ gen_require(`
+ type crond_t;
+ ')
+
+ dontaudit $1 crond_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
## Search the directory containing user cron tables.
## </summary>
## <param name="domain">
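Review bot: The doc block for `cron_dontaudit_rw_tcp_sockets` describes the parameter as "Domain allowed access", but the interface only emits a `dontaudit` rule and grants nothing. The other dontaudit interface added in this commit, `cron_dontaudit_write_system_job_tmp_files`, uses "Domain to not audit.", and the same wording belongs here. The summary would read better as `## Do not audit attempts to read and write cron daemon TCP sockets.` Because a dontaudit rule suppresses the AVC record, a one-line comment naming the caller that triggers the denial would help whoever later has to debug a silent failure.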
@@ -398,6 +468,24 @@ interface(`cron_search_spool',`
########################################
## <summary>
+## Manage pid files used by cron
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_manage_pid_files',`
+ gen_require(`
+ type crond_var_run_t;
+ ')
+
+ manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
+')
+
+########################################
+## <summary>
## Execute anacron in the cron system domain.
## </summary>
## <param name="domain">
@@ -471,6 +559,24 @@ interface(`cron_rw_system_job_pipes',`
########################################
## <summary>
+## Allow read/write unix stream sockets from the system cron jobs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_rw_system_job_stream_sockets',`
+ gen_require(`
+ type system_cronjob_t;
+ ')
+
+ allow $1 system_cronjob_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
## Read temporary files from the system cron jobs.
## </summary>
## <param name="domain">
@@ -504,5 +610,24 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
type system_cronjob_tmp_t;
')
- dontaudit $1 system_cronjob_tmp_t:file append;
+ dontaudit $1 system_cronjob_tmp_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write temporary
+## files from the system cron jobs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`cron_dontaudit_write_system_job_tmp_files',`
+ gen_require(`
+ type system_cronjob_tmp_t;
+ ')
+
+ dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
')
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index d73dc117..fe7c4496 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -1,5 +1,5 @@
-policy_module(cron, 2.1.1)
+policy_module(cron, 2.1.2)
gen_require(`
class passwd rootok;
@@ -38,6 +38,9 @@ files_type(cron_spool_t)
type cron_var_lib_t;
files_type(cron_var_lib_t)
+type cron_var_run_t;
+files_type(cron_var_run_t)
+
# var/log files
type cron_log_t;
logging_log_file(cron_log_t)
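Review bot: `cron_var_run_t` is declared here with `files_type()`, but nothing visible in this commit uses it. The cron.fc entries, the new `cron_manage_pid_files` interface and the `files_pid_filetrans` rule all refer to `crond_var_run_t`. If the new type is meant for pid files it would normally be declared with `files_pid_file(cron_var_run_t)`; if it is a typo for the existing `crond_var_run_t`, the two added lines can be dropped. As far as this diff shows, it adds an unreferenced type to the policy.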
@@ -56,6 +59,9 @@ init_daemon_domain(crond_t, crond_exec_t)
domain_interactive_fd(crond_t)
domain_cron_exemption_source(crond_t)
+type crond_initrc_exec_t;
+init_script_file(crond_initrc_exec_t)
+
type crond_tmp_t;
files_tmp_file(crond_tmp_t)
@@ -99,7 +105,7 @@ domain_cron_exemption_target(unconfined_cronjob_t)
# Type of user crontabs once moved to cron spool.
type user_cron_spool_t, cron_spool_type;
-typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t };
+typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
files_type(user_cron_spool_t)
ubac_constrained(user_cron_spool_t)
@@ -131,7 +137,7 @@ tunable_policy(`fcron_crond', `
# Cron daemon local policy
#
-allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search audit_control };
+allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
dontaudit crond_t self:capability { sys_resource sys_tty_config };
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow crond_t self:process { setexec setfscreate };
@@ -147,20 +153,23 @@ allow crond_t self:msgq create_msgq_perms;
allow crond_t self:msg { send receive };
allow crond_t self:key { search write link };
-allow crond_t crond_var_run_t:file manage_file_perms;
+manage_files_pattern(crond_t, cron_log_t, cron_log_t)
+logging_log_filetrans(crond_t, cron_log_t, file)
+
+manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
files_pid_filetrans(crond_t, crond_var_run_t, file)
-allow crond_t cron_spool_t:dir rw_dir_perms;
-allow crond_t cron_spool_t:file read_file_perms;
+manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
-allow crond_t system_cron_spool_t:dir list_dir_perms;
-allow crond_t system_cron_spool_t:file read_file_perms;
+list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
+read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
kernel_read_kernel_sysctls(crond_t)
+kernel_read_fs_sysctls(crond_t)
kernel_search_key(crond_t)
dev_read_sysfs(crond_t)
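Review bot: `manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)` replaces rules that gave the daemon only `read_file_perms` on `cron_spool_t` files, so `crond_t` can now create, write and delete spool files unconditionally. For `system_cron_spool_t` and `user_cron_spool_t` the equivalent `manage_file_perms` grant stays behind the `fcron_crond` tunable. If the daemon only needs to read these files, keeping `allow crond_t cron_spool_t:dir rw_dir_perms;` alongside `read_files_pattern(crond_t, cron_spool_t, cron_spool_t)` preserves the narrower grant. Otherwise a comment stating which operation needs write access would record the reason. The new `manage_files_pattern(crond_t, cron_log_t, cron_log_t)` should get the same check, since full manage on log files also allows deleting them.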
@@ -175,6 +184,7 @@ dev_read_urand(crond_t)
fs_getattr_all_fs(crond_t)
fs_search_auto_mountpoints(crond_t)
+fs_list_inotifyfs(crond_t)
# need auth_chkpwd to check for locked accounts.
auth_domtrans_chk_passwd(crond_t)
@@ -185,6 +195,8 @@ corecmd_read_bin_symlinks(crond_t)
domain_use_interactive_fds(crond_t)
+files_read_usr_files(crond_t)
+files_read_etc_runtime_files(crond_t)
files_read_etc_files(crond_t)
files_read_generic_spool(crond_t)
files_list_usr(crond_t)
@@ -193,6 +205,7 @@ files_search_var_lib(crond_t)
files_search_default(crond_t)
init_rw_utmp(crond_t)
+init_spec_domtrans_script(crond_t)
auth_use_nsswitch(crond_t)
@@ -228,13 +241,17 @@ ifdef(`distro_redhat', `
')
')
+tunable_policy(`fcron_crond', `
+ allow crond_t system_cron_spool_t:file manage_file_perms;
+')
+
optional_policy(`
locallogin_search_keys(crond_t)
locallogin_link_keys(crond_t)
')
-tunable_policy(`fcron_crond', `
- allow crond_t system_cron_spool_t:file manage_file_perms;
+optional_policy(`
+ amanda_search_var_lib(crond_t)
')
optional_policy(`
@@ -242,7 +259,7 @@ optional_policy(`
')
optional_policy(`
- hal_dbus_send(crond_t)
+ hal_dbus_chat(crond_t)
')
optional_policy(`
@@ -251,6 +268,10 @@ optional_policy(`
')
optional_policy(`
+ rpc_search_nfs_state_data(crond_t)
+')
+
+optional_policy(`
# Commonly used from postinst scripts
rpm_read_pipes(crond_t)
')
@@ -269,8 +290,8 @@ optional_policy(`
# System cron process domain
#
-allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
-allow system_cronjob_t self:process { signal_perms setsched };
+allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
+allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;
@@ -371,7 +392,8 @@ init_use_script_fds(system_cronjob_t)
init_read_utmp(system_cronjob_t)
init_dontaudit_rw_utmp(system_cronjob_t)
# prelink tells init to restart it self, we either need to allow or dontaudit
-init_write_initctl(system_cronjob_t)
+init_telinit(system_cronjob_t)
+init_domtrans_script(system_cronjob_t)
auth_use_nsswitch(system_cronjob_t)
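Review bot: `init_domtrans_script(system_cronjob_t)` is added under a comment that only explains the prelink/telinit case, so nothing records why system cron jobs need to transition into the init script domain. That domain is broadly privileged, and this commit also adds `init_spec_domtrans_script(crond_t)` in an earlier cron.te hunk, so both the daemon and its jobs gain a path into it. A comment naming the job that needs it, e.g. `# <job> restarts services through their init scripts`, would keep the grant reviewable. Moving the call into an `optional_policy` block for that job's module would also work.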
@@ -379,6 +401,7 @@ libs_exec_lib_files(system_cronjob_t)
libs_exec_ld_so(system_cronjob_t)
logging_read_generic_logs(system_cronjob_t)
+logging_send_audit_msgs(system_cronjob_t)
logging_send_syslog_msg(system_cronjob_t)
miscfiles_read_localization(system_cronjob_t)
@@ -429,6 +452,10 @@ optional_policy(`
')
optional_policy(`
+ lpd_list_spool(system_cronjob_t)
+')
+
+optional_policy(`
mrtg_append_create_logs(system_cronjob_t)
')
@@ -445,9 +472,11 @@ optional_policy(`
')
optional_policy(`
- prelink_read_cache(system_cronjob_t)
- prelink_manage_log(system_cronjob_t)
prelink_delete_cache(system_cronjob_t)
+ prelink_manage_lib(system_cronjob_t)
+ prelink_manage_log(system_cronjob_t)
+ prelink_read_cache(system_cronjob_t)
+ prelink_relabelfrom_lib(system_cronjob_t)
')
optional_policy(`
@@ -461,8 +490,7 @@ optional_policy(`
')
optional_policy(`
- # cjp: why?
- squid_domtrans(system_cronjob_t)
+ spamassassin_manage_lib_files(system_cronjob_t)
')
optional_policy(`
@@ -474,20 +502,11 @@ optional_policy(`
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
-ifdef(`TODO',`
-ifdef(`mta.te', `
-allow system_cronjob_t mail_spool_t:lnk_file read;
-allow mta_user_agent system_cronjob_t:fd use;
-r_dir_file(system_mail_t, crond_tmp_t)
-')
-') dnl end TODO
-
########################################
#
# User cronjobs local policy
#
-allow cronjob_t self:capability dac_override;
allow cronjob_t self:process { signal_perms setsched };
allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
@@ -571,6 +590,9 @@ userdom_manage_user_home_content_pipes(cronjob_t)
userdom_manage_user_home_content_sockets(cronjob_t)
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
+list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+
tunable_policy(`fcron_crond', `
allow crond_t user_cron_spool_t:file manage_file_perms;
')
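Review bot: The two added rules, `list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)` and `read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)`, are `crond_t` grants, but they appear to sit at the end of the user cronjob section, after the `cronjob_t` userdom calls. They would be easier to audit next to the matching `system_cron_spool_t` rules in the "Cron daemon local policy" block. The existing `fcron_crond` tunable block for `crond_t` is already in this position, so the placement predates the commit. Adding more daemon rules here makes it harder to read the daemon's full access in one place.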