summaryrefslogtreecommitdiff
path: root/policy/modules/services/cron.te
diff options
context:
space:
mode:
Diffstat (limited to 'policy/modules/services/cron.te')
-rw-r--r--policy/modules/services/cron.te76
1 files changed, 49 insertions, 27 deletions
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index d73dc117..fe7c4496 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -1,5 +1,5 @@
-policy_module(cron, 2.1.1)
+policy_module(cron, 2.1.2)
gen_require(`
class passwd rootok;
@@ -38,6 +38,9 @@ files_type(cron_spool_t)
type cron_var_lib_t;
files_type(cron_var_lib_t)
+type cron_var_run_t;
+files_type(cron_var_run_t)
+
# var/log files
type cron_log_t;
logging_log_file(cron_log_t)
@@ -56,6 +59,9 @@ init_daemon_domain(crond_t, crond_exec_t)
domain_interactive_fd(crond_t)
domain_cron_exemption_source(crond_t)
+type crond_initrc_exec_t;
+init_script_file(crond_initrc_exec_t)
+
type crond_tmp_t;
files_tmp_file(crond_tmp_t)
@@ -99,7 +105,7 @@ domain_cron_exemption_target(unconfined_cronjob_t)
# Type of user crontabs once moved to cron spool.
type user_cron_spool_t, cron_spool_type;
-typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t };
+typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
files_type(user_cron_spool_t)
ubac_constrained(user_cron_spool_t)
@@ -131,7 +137,7 @@ tunable_policy(`fcron_crond', `
# Cron daemon local policy
#
-allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search audit_control };
+allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
dontaudit crond_t self:capability { sys_resource sys_tty_config };
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow crond_t self:process { setexec setfscreate };
@@ -147,20 +153,23 @@ allow crond_t self:msgq create_msgq_perms;
allow crond_t self:msg { send receive };
allow crond_t self:key { search write link };
-allow crond_t crond_var_run_t:file manage_file_perms;
+manage_files_pattern(crond_t, cron_log_t, cron_log_t)
+logging_log_filetrans(crond_t, cron_log_t, file)
+
+manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
files_pid_filetrans(crond_t, crond_var_run_t, file)
-allow crond_t cron_spool_t:dir rw_dir_perms;
-allow crond_t cron_spool_t:file read_file_perms;
+manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
-allow crond_t system_cron_spool_t:dir list_dir_perms;
-allow crond_t system_cron_spool_t:file read_file_perms;
+list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
+read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
kernel_read_kernel_sysctls(crond_t)
+kernel_read_fs_sysctls(crond_t)
kernel_search_key(crond_t)
dev_read_sysfs(crond_t)
@@ -175,6 +184,7 @@ dev_read_urand(crond_t)
fs_getattr_all_fs(crond_t)
fs_search_auto_mountpoints(crond_t)
+fs_list_inotifyfs(crond_t)
# need auth_chkpwd to check for locked accounts.
auth_domtrans_chk_passwd(crond_t)
@@ -185,6 +195,8 @@ corecmd_read_bin_symlinks(crond_t)
domain_use_interactive_fds(crond_t)
+files_read_usr_files(crond_t)
+files_read_etc_runtime_files(crond_t)
files_read_etc_files(crond_t)
files_read_generic_spool(crond_t)
files_list_usr(crond_t)
@@ -193,6 +205,7 @@ files_search_var_lib(crond_t)
files_search_default(crond_t)
init_rw_utmp(crond_t)
+init_spec_domtrans_script(crond_t)
auth_use_nsswitch(crond_t)
@@ -228,13 +241,17 @@ ifdef(`distro_redhat', `
')
')
+tunable_policy(`fcron_crond', `
+ allow crond_t system_cron_spool_t:file manage_file_perms;
+')
+
optional_policy(`
locallogin_search_keys(crond_t)
locallogin_link_keys(crond_t)
')
-tunable_policy(`fcron_crond', `
- allow crond_t system_cron_spool_t:file manage_file_perms;
+optional_policy(`
+ amanda_search_var_lib(crond_t)
')
optional_policy(`
@@ -242,7 +259,7 @@ optional_policy(`
')
optional_policy(`
- hal_dbus_send(crond_t)
+ hal_dbus_chat(crond_t)
')
optional_policy(`
@@ -251,6 +268,10 @@ optional_policy(`
')
optional_policy(`
+ rpc_search_nfs_state_data(crond_t)
+')
+
+optional_policy(`
# Commonly used from postinst scripts
rpm_read_pipes(crond_t)
')
@@ -269,8 +290,8 @@ optional_policy(`
# System cron process domain
#
-allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
-allow system_cronjob_t self:process { signal_perms setsched };
+allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
+allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;
@@ -371,7 +392,8 @@ init_use_script_fds(system_cronjob_t)
init_read_utmp(system_cronjob_t)
init_dontaudit_rw_utmp(system_cronjob_t)
# prelink tells init to restart it self, we either need to allow or dontaudit
-init_write_initctl(system_cronjob_t)
+init_telinit(system_cronjob_t)
+init_domtrans_script(system_cronjob_t)
auth_use_nsswitch(system_cronjob_t)
@@ -379,6 +401,7 @@ libs_exec_lib_files(system_cronjob_t)
libs_exec_ld_so(system_cronjob_t)
logging_read_generic_logs(system_cronjob_t)
+logging_send_audit_msgs(system_cronjob_t)
logging_send_syslog_msg(system_cronjob_t)
miscfiles_read_localization(system_cronjob_t)
@@ -429,6 +452,10 @@ optional_policy(`
')
optional_policy(`
+ lpd_list_spool(system_cronjob_t)
+')
+
+optional_policy(`
mrtg_append_create_logs(system_cronjob_t)
')
@@ -445,9 +472,11 @@ optional_policy(`
')
optional_policy(`
- prelink_read_cache(system_cronjob_t)
- prelink_manage_log(system_cronjob_t)
prelink_delete_cache(system_cronjob_t)
+ prelink_manage_lib(system_cronjob_t)
+ prelink_manage_log(system_cronjob_t)
+ prelink_read_cache(system_cronjob_t)
+ prelink_relabelfrom_lib(system_cronjob_t)
')
optional_policy(`
@@ -461,8 +490,7 @@ optional_policy(`
')
optional_policy(`
- # cjp: why?
- squid_domtrans(system_cronjob_t)
+ spamassassin_manage_lib_files(system_cronjob_t)
')
optional_policy(`
@@ -474,20 +502,11 @@ optional_policy(`
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
-ifdef(`TODO',`
-ifdef(`mta.te', `
-allow system_cronjob_t mail_spool_t:lnk_file read;
-allow mta_user_agent system_cronjob_t:fd use;
-r_dir_file(system_mail_t, crond_tmp_t)
-')
-') dnl end TODO
-
########################################
#
# User cronjobs local policy
#
-allow cronjob_t self:capability dac_override;
allow cronjob_t self:process { signal_perms setsched };
allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
@@ -571,6 +590,9 @@ userdom_manage_user_home_content_pipes(cronjob_t)
userdom_manage_user_home_content_sockets(cronjob_t)
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
+list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+
tunable_policy(`fcron_crond', `
allow crond_t user_cron_spool_t:file manage_file_perms;
')
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-24 05:20:51 +0000