selinux-policy/policy/modules/services/cron.if

716 lines
14 KiB
Plaintext
Raw Normal View History

2005-06-24 13:36:57 +00:00
## <summary>Periodic execution of scheduled commands.</summary>
2005-05-11 19:05:50 +00:00
2005-06-24 20:37:09 +00:00
#######################################
## <summary>
2008-11-05 16:10:46 +00:00
## The common rules for a crontab domain.
2005-06-24 20:37:09 +00:00
## </summary>
## <param name="userdomain_prefix">
## <summary>
2005-06-24 20:37:09 +00:00
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
2005-06-24 20:37:09 +00:00
## </param>
2005-05-11 19:05:50 +00:00
#
2008-11-05 16:10:46 +00:00
template(`cron_common_crontab_template',`
2010-08-26 13:41:21 +00:00
gen_require(`
type crond_t, crond_var_run_t, crontab_exec_t;
type cron_spool_t, user_cron_spool_t;
2010-08-26 13:41:21 +00:00
')
2008-11-05 16:10:46 +00:00
##############################
#
# Declarations
#
2008-11-05 16:10:46 +00:00
type $1_t;
application_domain($1_t, crontab_exec_t)
ubac_constrained($1_t)
2008-11-05 16:10:46 +00:00
type $1_tmp_t;
files_tmp_file($1_tmp_t)
##############################
#
2008-11-05 16:10:46 +00:00
# Local policy
#
2008-11-05 16:10:46 +00:00
# dac_override is to create the file in the directory under /tmp
allow $1_t self:capability { fowner setuid setgid chown dac_override };
2009-09-09 13:28:04 +00:00
allow $1_t self:process { setsched signal_perms };
allow $1_t self:fifo_file rw_fifo_file_perms;
2010-08-26 13:41:21 +00:00
allow $1_t crond_t:process signal;
allow $1_t crond_var_run_t:file read_file_perms;
manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
2008-11-05 16:10:46 +00:00
# create files in /var/spool/cron
2009-09-09 13:28:04 +00:00
manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
2008-11-05 16:10:46 +00:00
filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file)
2009-09-09 13:28:04 +00:00
files_list_spool($1_t)
2008-11-05 16:10:46 +00:00
# crontab signals crond by updating the mtime on the spooldir
allow $1_t cron_spool_t:dir setattr;
2008-11-05 16:10:46 +00:00
kernel_read_system_state($1_t)
2005-06-27 16:30:55 +00:00
2008-11-05 16:10:46 +00:00
# for the checks used by crontab -u
selinux_dontaudit_search_fs($1_t)
2008-11-05 16:10:46 +00:00
fs_getattr_xattr_fs($1_t)
2005-05-11 20:55:40 +00:00
2008-11-05 16:10:46 +00:00
domain_use_interactive_fds($1_t)
2005-05-11 20:55:40 +00:00
2008-11-05 16:10:46 +00:00
files_read_etc_files($1_t)
2009-09-09 13:28:04 +00:00
files_read_usr_files($1_t)
2008-11-05 16:10:46 +00:00
files_dontaudit_search_pids($1_t)
2005-05-12 20:50:09 +00:00
2009-09-09 13:28:04 +00:00
auth_domtrans_chk_passwd($1_t)
2008-11-05 16:10:46 +00:00
logging_send_syslog_msg($1_t)
2009-09-09 13:28:04 +00:00
logging_send_audit_msgs($1_t)
2010-08-26 13:41:21 +00:00
logging_set_loginuid($1_t)
2009-09-09 13:28:04 +00:00
init_dontaudit_write_utmp($1_t)
init_read_utmp($1_t)
2008-11-05 16:10:46 +00:00
miscfiles_read_localization($1_t)
2008-11-05 16:10:46 +00:00
seutil_read_config($1_t)
2005-09-20 20:48:17 +00:00
2008-11-05 16:10:46 +00:00
userdom_manage_user_tmp_dirs($1_t)
userdom_manage_user_tmp_files($1_t)
# Access terminals.
userdom_use_user_terminals($1_t)
# Read user crontabs
userdom_read_user_home_content_files($1_t)
2010-08-26 13:41:21 +00:00
userdom_read_user_home_content_symlinks($1_t)
2005-05-11 20:55:40 +00:00
2008-11-05 16:10:46 +00:00
tunable_policy(`fcron_crond',`
# fcron wants an instant update of a crontab change for the administrator
# also crontab does a security check for crontab -u
dontaudit $1_t crond_t:process signal;
')
2005-05-11 20:55:40 +00:00
2008-11-05 16:10:46 +00:00
optional_policy(`
nscd_socket_use($1_t)
')
')
2005-05-11 20:55:40 +00:00
2008-11-05 16:10:46 +00:00
########################################
## <summary>
## Role access for cron
## </summary>
## <param name="role">
## <summary>
## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
## User domain for the role
## </summary>
## </param>
#
interface(`cron_role',`
gen_require(`
type cronjob_t, crontab_t, crontab_exec_t;
2010-08-26 13:41:21 +00:00
type user_cron_spool_t;
type crond_t;
2008-11-05 16:10:46 +00:00
')
2005-05-11 20:55:40 +00:00
2008-11-05 16:10:46 +00:00
role $1 types { cronjob_t crontab_t };
2005-05-11 20:55:40 +00:00
2008-11-05 16:10:46 +00:00
# cronjob shows up in user ps
ps_process_pattern($2, cronjob_t)
2005-09-16 19:36:10 +00:00
2008-11-05 16:10:46 +00:00
# Transition from the user domain to the derived domain.
domtrans_pattern($2, crontab_exec_t, crontab_t)
2010-08-26 13:41:21 +00:00
allow crond_t $2:process transition;
dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
allow $2 crond_t:process sigchld;
# needs to be authorized SELinux context for cron
allow $2 user_cron_spool_t:file entrypoint;
2008-11-05 16:10:46 +00:00
# crontab shows up in user ps
ps_process_pattern($2, crontab_t)
allow $2 crontab_t:process { ptrace signal_perms };
2005-05-11 20:55:40 +00:00
# Run helper programs as the user domain
2008-11-05 16:10:46 +00:00
#corecmd_bin_domtrans(crontab_t, $2)
#corecmd_shell_domtrans(crontab_t, $2)
corecmd_exec_bin(crontab_t)
corecmd_exec_shell(crontab_t)
optional_policy(`
gen_require(`
class dbus send_msg;
')
2008-11-05 16:10:46 +00:00
dbus_stub(cronjob_t)
allow cronjob_t $2:dbus send_msg;
')
2008-11-05 16:10:46 +00:00
')
2005-05-11 20:55:40 +00:00
2008-11-05 16:10:46 +00:00
########################################
## <summary>
## Role access for unconfined cronjobs
## </summary>
## <param name="role">
## <summary>
## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
## User domain for the role
## </summary>
## </param>
#
interface(`cron_unconfined_role',`
gen_require(`
2010-08-26 13:41:21 +00:00
type unconfined_cronjob_t;
2008-11-05 16:10:46 +00:00
')
2005-05-11 20:55:40 +00:00
2010-08-26 13:41:21 +00:00
role $1 types unconfined_cronjob_t;
2005-05-11 20:55:40 +00:00
2008-11-05 16:10:46 +00:00
# cronjob shows up in user ps
ps_process_pattern($2, unconfined_cronjob_t)
allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
2005-05-11 20:55:40 +00:00
optional_policy(`
2008-11-05 16:10:46 +00:00
gen_require(`
class dbus send_msg;
')
2008-11-05 16:10:46 +00:00
dbus_stub(unconfined_cronjob_t)
allow unconfined_cronjob_t $2:dbus send_msg;
')
2005-05-11 19:05:50 +00:00
')
2008-11-05 16:10:46 +00:00
########################################
2005-06-24 20:37:09 +00:00
## <summary>
2008-11-05 16:10:46 +00:00
## Role access for cron
2005-06-24 20:37:09 +00:00
## </summary>
2008-11-05 16:10:46 +00:00
## <param name="role">
## <summary>
2008-11-05 16:10:46 +00:00
## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
## User domain for the role
## </summary>
2005-06-24 20:37:09 +00:00
## </param>
#
2008-11-05 16:10:46 +00:00
interface(`cron_admin_role',`
2005-10-19 14:36:04 +00:00
gen_require(`
2008-11-05 16:10:46 +00:00
type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t;
class passwd crontab;
2005-10-19 14:36:04 +00:00
')
2008-11-05 16:10:46 +00:00
role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t };
2008-11-05 16:10:46 +00:00
# cronjob shows up in user ps
ps_process_pattern($2, cronjob_t)
# Manipulate other users crontab.
2008-11-05 16:10:46 +00:00
allow $2 self:passwd crontab;
# Transition from the user domain to the derived domain.
domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
# crontab shows up in user ps
ps_process_pattern($2, admin_crontab_t)
allow $2 admin_crontab_t:process { ptrace signal_perms };
2008-11-05 16:10:46 +00:00
# Run helper programs as the user domain
#corecmd_bin_domtrans(admin_crontab_t, $2)
#corecmd_shell_domtrans(admin_crontab_t, $2)
corecmd_exec_bin(admin_crontab_t)
corecmd_exec_shell(admin_crontab_t)
optional_policy(`
gen_require(`
class dbus send_msg;
')
dbus_stub(admin_cronjob_t)
allow cronjob_t $2:dbus send_msg;
')
')
########################################
2005-06-28 17:32:57 +00:00
## <summary>
## Make the specified program domain accessable
## from the system cron jobs.
## </summary>
## <param name="domain">
## <summary>
2005-06-28 17:32:57 +00:00
## The type of the process to transition to.
## </summary>
2005-06-28 17:32:57 +00:00
## </param>
## <param name="entrypoint">
## <summary>
2005-06-28 17:32:57 +00:00
## The type of the file used as an entrypoint to this domain.
## </summary>
2005-06-28 17:32:57 +00:00
## </param>
#
2005-06-28 17:32:57 +00:00
interface(`cron_system_entry',`
gen_require(`
2008-11-05 16:10:46 +00:00
type crond_t, system_cronjob_t;
2005-06-28 17:32:57 +00:00
')
2009-09-09 13:28:04 +00:00
domtrans_pattern(system_cronjob_t, $2, $1)
domtrans_pattern(crond_t, $2, $1)
2005-06-28 17:32:57 +00:00
2009-09-09 13:28:04 +00:00
role system_r types $1;
')
2005-06-28 17:32:57 +00:00
2009-09-09 13:28:04 +00:00
########################################
## <summary>
## Execute cron in the cron system domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
2009-09-09 13:28:04 +00:00
## </summary>
## </param>
#
interface(`cron_domtrans',`
gen_require(`
type system_cronjob_t, crond_exec_t;
')
2006-08-16 13:52:18 +00:00
2009-09-09 13:28:04 +00:00
domtrans_pattern($1, crond_exec_t, system_cronjob_t)
')
########################################
## <summary>
## Execute crond_exec_t
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cron_exec',`
gen_require(`
type crond_exec_t;
')
can_exec($1, crond_exec_t)
')
########################################
## <summary>
## Execute crond server in the nscd domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
2009-09-09 13:28:04 +00:00
## </summary>
## </param>
#
interface(`cron_initrc_domtrans',`
gen_require(`
type crond_initrc_exec_t;
')
init_labeled_script_domtrans($1, crond_initrc_exec_t)
2005-06-28 17:32:57 +00:00
')
2005-09-02 19:11:07 +00:00
########################################
## <summary>
## Inherit and use a file descriptor
## from the cron daemon.
## </summary>
## <param name="domain">
## <summary>
2005-09-02 19:11:07 +00:00
## Domain allowed access.
## </summary>
2005-09-02 19:11:07 +00:00
## </param>
#
interface(`cron_use_fds',`
2005-09-02 19:11:07 +00:00
gen_require(`
type crond_t;
')
allow $1 crond_t:fd use;
')
2005-08-30 20:47:41 +00:00
########################################
## <summary>
## Send a SIGCHLD signal to the cron daemon.
## </summary>
## <param name="domain">
## <summary>
2005-08-30 20:47:41 +00:00
## Domain allowed access.
## </summary>
2005-08-30 20:47:41 +00:00
## </param>
#
interface(`cron_sigchld',`
gen_require(`
type crond_t;
')
allow $1 crond_t:process sigchld;
')
2005-06-30 18:54:08 +00:00
########################################
## <summary>
2005-09-02 19:11:07 +00:00
## Read a cron daemon unnamed pipe.
2005-06-30 18:54:08 +00:00
## </summary>
## <param name="domain">
## <summary>
2005-09-02 19:11:07 +00:00
## Domain allowed access.
## </summary>
2005-06-30 18:54:08 +00:00
## </param>
#
2006-02-02 21:08:12 +00:00
interface(`cron_read_pipes',`
2005-06-30 18:54:08 +00:00
gen_require(`
type crond_t;
')
2006-12-12 20:08:08 +00:00
allow $1 crond_t:fifo_file read_fifo_file_perms;
2005-06-30 18:54:08 +00:00
')
2006-01-11 15:28:14 +00:00
########################################
## <summary>
## Do not audit attempts to write cron daemon unnamed pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
2006-01-11 15:28:14 +00:00
## </param>
#
2006-02-02 21:08:12 +00:00
interface(`cron_dontaudit_write_pipes',`
2006-01-11 15:28:14 +00:00
gen_require(`
type crond_t;
')
dontaudit $1 crond_t:fifo_file write;
')
2005-09-02 19:11:07 +00:00
########################################
## <summary>
## Read and write a cron daemon unnamed pipe.
## </summary>
## <param name="domain">
## <summary>
2005-09-02 19:11:07 +00:00
## Domain allowed access.
## </summary>
2005-09-02 19:11:07 +00:00
## </param>
#
2006-02-02 21:08:12 +00:00
interface(`cron_rw_pipes',`
2005-09-02 19:11:07 +00:00
gen_require(`
type crond_t;
')
2010-08-26 13:41:21 +00:00
allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
## <summary>
## Read and write inherited user spool files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cron_rw_inherited_user_spool_files',`
gen_require(`
type user_cron_spool_t;
')
allow $1 user_cron_spool_t:file rw_inherited_file_perms;
')
########################################
## <summary>
## Read and write inherited spool files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cron_rw_inherited_spool_files',`
gen_require(`
type cron_spool_t;
')
allow $1 cron_spool_t:file rw_inherited_file_perms;
2005-10-23 20:18:36 +00:00
')
########################################
## <summary>
2006-02-20 14:31:45 +00:00
## Read, and write cron daemon TCP sockets.
2005-10-23 20:18:36 +00:00
## </summary>
## <param name="domain">
## <summary>
2005-10-23 20:18:36 +00:00
## Domain allowed access.
## </summary>
2005-10-23 20:18:36 +00:00
## </param>
#
2006-02-20 14:31:45 +00:00
interface(`cron_rw_tcp_sockets',`
2005-10-23 20:18:36 +00:00
gen_require(`
type crond_t;
')
2006-02-20 14:31:45 +00:00
allow $1 crond_t:tcp_socket { read write };
2005-09-02 19:11:07 +00:00
')
2009-09-09 13:28:04 +00:00
########################################
## <summary>
## Dontaudit Read, and write cron daemon TCP sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
2009-09-09 13:28:04 +00:00
## </summary>
## </param>
#
interface(`cron_dontaudit_rw_tcp_sockets',`
gen_require(`
type crond_t;
')
dontaudit $1 crond_t:tcp_socket { read write };
')
2005-06-28 20:54:49 +00:00
########################################
## <summary>
## Search the directory containing user cron tables.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-06-28 20:54:49 +00:00
## </param>
#
interface(`cron_search_spool',`
gen_require(`
type cron_spool_t;
')
files_search_spool($1)
2006-12-12 20:08:08 +00:00
allow $1 cron_spool_t:dir search_dir_perms;
2005-06-28 20:54:49 +00:00
')
2005-08-30 20:47:41 +00:00
2009-09-09 13:28:04 +00:00
########################################
## <summary>
## Manage pid files used by cron
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cron_manage_pid_files',`
gen_require(`
type crond_var_run_t;
')
manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
')
2005-09-02 19:11:07 +00:00
########################################
2005-10-21 19:36:49 +00:00
## <summary>
## Execute anacron in the cron system domain.
2005-10-21 19:36:49 +00:00
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
2005-10-21 19:36:49 +00:00
## </param>
#
2006-02-02 21:08:12 +00:00
interface(`cron_anacron_domtrans_system_job',`
2005-10-21 19:36:49 +00:00
gen_require(`
2008-11-05 16:10:46 +00:00
type system_cronjob_t, anacron_exec_t;
2005-10-21 19:36:49 +00:00
')
2009-06-26 14:40:13 +00:00
domtrans_pattern($1, anacron_exec_t, system_cronjob_t)
2005-10-21 19:36:49 +00:00
')
########################################
2005-09-02 19:11:07 +00:00
## <summary>
## Inherit and use a file descriptor
## from system cron jobs.
## </summary>
## <param name="domain">
## <summary>
2005-09-02 19:11:07 +00:00
## Domain allowed access.
## </summary>
2005-09-02 19:11:07 +00:00
## </param>
#
2006-02-20 21:33:25 +00:00
interface(`cron_use_system_job_fds',`
2005-09-02 19:11:07 +00:00
gen_require(`
2008-11-05 16:10:46 +00:00
type system_cronjob_t;
2005-09-02 19:11:07 +00:00
')
2008-11-05 16:10:46 +00:00
allow $1 system_cronjob_t:fd use;
2005-09-02 19:11:07 +00:00
')
########################################
## <summary>
2005-10-23 20:18:36 +00:00
## Write a system cron job unnamed pipe.
2005-09-02 19:11:07 +00:00
## </summary>
## <param name="domain">
## <summary>
2005-09-02 19:11:07 +00:00
## Domain allowed access.
## </summary>
2005-09-02 19:11:07 +00:00
## </param>
#
2006-02-02 21:08:12 +00:00
interface(`cron_write_system_job_pipes',`
2005-09-02 19:11:07 +00:00
gen_require(`
2008-11-05 16:10:46 +00:00
type system_cronjob_t;
2005-09-02 19:11:07 +00:00
')
allow $1 system_cronjob_t:fifo_file write;
2005-09-02 19:11:07 +00:00
')
2005-10-23 20:18:36 +00:00
########################################
## <summary>
## Read and write a system cron job unnamed pipe.
## </summary>
## <param name="domain">
## <summary>
2005-10-23 20:18:36 +00:00
## Domain allowed access.
## </summary>
2005-10-23 20:18:36 +00:00
## </param>
#
2006-02-02 21:08:12 +00:00
interface(`cron_rw_system_job_pipes',`
2005-10-23 20:18:36 +00:00
gen_require(`
2008-11-05 16:10:46 +00:00
type system_cronjob_t;
2005-10-23 20:18:36 +00:00
')
2010-08-26 13:41:21 +00:00
allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms;
2005-10-23 20:18:36 +00:00
')
2009-09-09 13:28:04 +00:00
########################################
## <summary>
## Allow read/write unix stream sockets from the system cron jobs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cron_rw_system_job_stream_sockets',`
gen_require(`
type system_cronjob_t;
')
allow $1 system_cronjob_t:unix_stream_socket { read write };
')
2005-08-30 20:47:41 +00:00
########################################
## <summary>
## Read temporary files from the system cron jobs.
## </summary>
## <param name="domain">
## <summary>
2005-08-30 20:47:41 +00:00
## Domain allowed access.
## </summary>
2005-08-30 20:47:41 +00:00
## </param>
#
interface(`cron_read_system_job_tmp_files',`
gen_require(`
2010-08-26 13:41:21 +00:00
type system_cronjob_tmp_t, cron_var_run_t;
2005-08-30 20:47:41 +00:00
')
files_search_tmp($1)
2008-11-05 16:10:46 +00:00
allow $1 system_cronjob_tmp_t:file read_file_perms;
2010-08-26 13:41:21 +00:00
files_search_pids($1)
allow $1 cron_var_run_t:file read_file_perms;
2005-08-30 20:47:41 +00:00
')
2005-11-28 22:19:08 +00:00
########################################
## <summary>
## Do not audit attempts to append temporary
## files from the system cron jobs.
## </summary>
## <param name="domain">
## <summary>
2005-11-28 22:19:08 +00:00
## Domain to not audit.
## </summary>
2005-11-28 22:19:08 +00:00
## </param>
#
interface(`cron_dontaudit_append_system_job_tmp_files',`
gen_require(`
2008-11-05 16:10:46 +00:00
type system_cronjob_tmp_t;
2005-11-28 22:19:08 +00:00
')
2009-09-09 13:28:04 +00:00
dontaudit $1 system_cronjob_tmp_t:file append_file_perms;
')
########################################
## <summary>
## Do not audit attempts to write temporary
## files from the system cron jobs.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`cron_dontaudit_write_system_job_tmp_files',`
gen_require(`
type system_cronjob_tmp_t;
2010-08-26 13:41:21 +00:00
type cron_var_run_t;
2009-09-09 13:28:04 +00:00
')
dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
2010-08-26 13:41:21 +00:00
dontaudit $1 cron_var_run_t:file write_file_perms;
')
########################################
## <summary>
## Read temporary files from the system cron jobs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cron_read_system_job_lib_files',`
gen_require(`
type system_cronjob_var_lib_t;
')
read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
2010-08-26 13:41:21 +00:00
')
########################################
## <summary>
## Manage files from the system cron jobs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cron_manage_system_job_lib_files',`
gen_require(`
type system_cronjob_var_lib_t;
')
manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
2005-11-28 22:19:08 +00:00
')