selinux-policy/mls/macros/program/crond_macros.te

127 lines
4.1 KiB
Plaintext
Raw Normal View History

2005-11-22 19:28:03 +00:00
#
# Macros for crond domains.
#
#
# Authors: Jonathan Crowley (MITRE) <jonathan@mitre.org>,
# Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# Russell Coker <rcoker@redhat.com>
#
#
# crond_domain(domain_prefix)
#
# Define a derived domain for cron jobs executed by crond on behalf
# of a user domain. These domains are separate from the top-level domain
# defined for the crond daemon and the domain defined for system cron jobs,
# which are specified in domains/program/crond.te.
#
undefine(`crond_domain')
define(`crond_domain',`
# Derived domain for user cron jobs, user user_crond_domain if not system
ifelse(`system', `$1', `
type $1_crond_t, domain, privlog, privmail, nscd_client_domain;
', `
type $1_crond_t, domain, user_crond_domain;
# Access user files and dirs.
allow $1_crond_t home_root_t:dir search;
file_type_auto_trans($1_crond_t, $1_home_dir_t, $1_home_t)
# Run scripts in user home directory and access shared libs.
can_exec($1_crond_t, $1_home_t)
file_type_auto_trans($1_crond_t, tmp_t, $1_tmp_t)
')
r_dir_file($1_crond_t, selinux_config_t)
# Type of user crontabs once moved to cron spool.
type $1_cron_spool_t, file_type, sysadmfile;
ifdef(`fcron.te', `
allow crond_t $1_cron_spool_t:file create_file_perms;
')
allow $1_crond_t urandom_device_t:chr_file { getattr read };
allow $1_crond_t usr_t:file { getattr ioctl read };
allow $1_crond_t usr_t:lnk_file read;
# Permit a transition from the crond_t domain to this domain.
# The transition is requested explicitly by the modified crond
# via execve_secure. There is no way to set up an automatic
# transition, since crontabs are configuration files, not executables.
domain_trans(crond_t, shell_exec_t, $1_crond_t)
ifdef(`mta.te', `
domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t)
allow $1_crond_t sendmail_exec_t:lnk_file { getattr read };
# $1_mail_t should only be reading from the cron fifo not needing to write
dontaudit $1_mail_t crond_t:fifo_file write;
allow mta_user_agent $1_crond_t:fd use;
')
# The user role is authorized for this domain.
role $1_r types $1_crond_t;
# This domain is granted permissions common to most domains.
can_network($1_crond_t)
allow $1_crond_t port_type:tcp_socket name_connect;
can_ypbind($1_crond_t)
r_dir_file($1_crond_t, self)
allow $1_crond_t self:fifo_file rw_file_perms;
allow $1_crond_t self:unix_stream_socket create_stream_socket_perms;
allow $1_crond_t self:unix_dgram_socket create_socket_perms;
allow $1_crond_t etc_runtime_t:file { getattr read };
allow $1_crond_t self:process { fork signal_perms setsched };
allow $1_crond_t proc_t:dir r_dir_perms;
allow $1_crond_t proc_t:file { getattr read ioctl };
read_locale($1_crond_t)
read_sysctl($1_crond_t)
allow $1_crond_t var_spool_t:dir search;
allow $1_crond_t fs_type:filesystem getattr;
allow $1_crond_t devtty_t:chr_file { read write };
allow $1_crond_t var_t:dir r_dir_perms;
allow $1_crond_t var_t:file { getattr read ioctl };
allow $1_crond_t var_log_t:dir search;
# Use capabilities.
allow $1_crond_t self:capability dac_override;
# Inherit and use descriptors from initrc - I think this is wrong
#allow $1_crond_t initrc_t:fd use;
#
# Since crontab files are not directly executed,
# crond must ensure that the crontab file has
# a type that is appropriate for the domain of
# the user cron job. It performs an entrypoint
# permission check for this purpose.
#
allow $1_crond_t $1_cron_spool_t:file entrypoint;
# Run helper programs.
can_exec_any($1_crond_t)
# ps does not need to access /boot when run from cron
dontaudit $1_crond_t boot_t:dir search;
# quiet other ps operations
dontaudit $1_crond_t domain:dir { getattr search };
# for nscd
dontaudit $1_crond_t var_run_t:dir search;
')
# When system_crond_t domain executes a type $1 executable then transition to
# domain $2, allow $2 to interact with crond_t as well.
define(`system_crond_entry', `
ifdef(`crond.te', `
domain_auto_trans(system_crond_t, $1, $2)
allow $2 crond_t:fifo_file { getattr read write ioctl };
# a rule for privfd may make this obsolete
allow $2 crond_t:fd use;
allow $2 crond_t:process sigchld;
')dnl end ifdef
')dnl end system_crond_entry