selinux-policy/strict/domains/program/crond.te

#DESC Crond - Crond daemon
#
# Domains for the top-level crond daemon process and
# for system cron jobs.  The domains for user cron jobs
# are in macros/program/crond_macros.te.
#
# X-Debian-Packages: cron
# Authors:  Jonathan Crowley (MITRE) <jonathan@mitre.org>,
#	    Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
#

# NB The constraints file has some entries for crond_t, this makes it
# different from all other domains...

# Domain for crond.  It needs auth_chkpwd to check for locked accounts.
daemon_domain(crond, `, privmail, auth_chkpwd, privfd, nscd_client_domain')

# This domain is granted permissions common to most domains (including can_net)
general_domain_access(crond_t)

# Type for the anacron executable.
type anacron_exec_t, file_type, sysadmfile, exec_type;

# Type for temporary files.
tmp_domain(crond)

crond_domain(system)

allow system_crond_t proc_mdstat_t:file { getattr read };
allow system_crond_t proc_t:lnk_file read;
allow system_crond_t proc_t:filesystem getattr;
allow system_crond_t usbdevfs_t:filesystem getattr;

ifdef(`mta.te', `
allow mta_user_agent system_crond_t:fd use;
')

# read files in /etc
allow system_crond_t etc_t:file r_file_perms;
allow system_crond_t etc_runtime_t:file { getattr read };

allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;

read_locale(crond_t)

# Use capabilities.
allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice };
dontaudit crond_t self:capability sys_resource;

# Get security policy decisions.
can_getsecurity(crond_t)

# for finding binaries and /bin/sh
allow crond_t { bin_t sbin_t }:dir search;
allow crond_t { bin_t sbin_t }:lnk_file read;

# Read from /var/spool/cron.
allow crond_t var_lib_t:dir search;
allow crond_t var_spool_t:dir r_dir_perms;
allow crond_t cron_spool_t:dir r_dir_perms;
allow crond_t cron_spool_t:file r_file_perms;

# Read /etc/security/default_contexts.
r_dir_file(crond_t, default_context_t)

allow crond_t etc_t:file { getattr read };
allow crond_t etc_t:lnk_file read;

allow crond_t default_t:dir search;

# crond tries to search /root.  Not sure why.
allow crond_t sysadm_home_dir_t:dir r_dir_perms;

# to search /home
allow crond_t home_root_t:dir { getattr search };
allow crond_t user_home_dir_type:dir r_dir_perms;

# Run a shell.
can_exec(crond_t, shell_exec_t)

ifdef(`distro_redhat', `
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
ifdef(`rpm.te', `
allow crond_t rpm_log_t: file create_file_perms;

system_crond_entry(rpm_exec_t, rpm_t)
allow system_crond_t rpm_log_t:file create_file_perms;
#read ahead wants to read this
allow initrc_t system_cron_spool_t:file { getattr read };
')
')

allow system_crond_t var_log_t:file r_file_perms;


# Set exec context.
can_setexec(crond_t)

# Transition to this domain for anacron as well.
# Still need to study anacron.
domain_auto_trans(initrc_t, anacron_exec_t, system_crond_t)

# Inherit and use descriptors from init for anacron.
allow system_crond_t init_t:fd use;

# Inherit and use descriptors from initrc for anacron.
allow system_crond_t initrc_t:fd use;
allow system_crond_t initrc_devpts_t:chr_file { read write };

# Use capabilities.
allow system_crond_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid };

allow crond_t urandom_device_t:chr_file { getattr read };

# Read the system crontabs.
allow system_crond_t system_cron_spool_t:file r_file_perms;

allow crond_t system_cron_spool_t:dir r_dir_perms;
allow crond_t system_cron_spool_t:file r_file_perms;

# Read from /var/spool/cron.
allow system_crond_t cron_spool_t:dir r_dir_perms;
allow system_crond_t cron_spool_t:file r_file_perms;

# Write to /var/lib/slocate.db.
allow system_crond_t var_lib_t:dir rw_dir_perms;
allow system_crond_t var_lib_t:file create_file_perms;

# Update whatis files.
allow system_crond_t man_t:dir create_dir_perms;
allow system_crond_t man_t:file create_file_perms;
allow system_crond_t man_t:lnk_file read;

# Write /var/lock/makewhatis.lock.
lock_domain(system_crond)

# for if /var/mail is a symlink
allow { system_crond_t crond_t } mail_spool_t:lnk_file read;
allow crond_t mail_spool_t:dir search;

ifdef(`mta.te', `
r_dir_file(system_mail_t, crond_tmp_t)
')

# Stat any file and search any directory for find.
allow system_crond_t { file_type fs_type }:notdevfile_class_set getattr;
allow system_crond_t device_type:{ chr_file blk_file } getattr;
allow system_crond_t file_type:dir { read search getattr };

# Create temporary files.
type system_crond_tmp_t, file_type, sysadmfile, tmpfile;
file_type_auto_trans(system_crond_t, { tmp_t crond_tmp_t }, system_crond_tmp_t)

# /sbin/runlevel ask for w access to utmp, but will operate
# correctly without it.  Do not audit write denials to utmp.
# /sbin/runlevel needs lock access however
dontaudit system_crond_t initrc_var_run_t:file write;
allow system_crond_t initrc_var_run_t:file { getattr read lock };

# Access other spool directories like
# /var/spool/anacron and /var/spool/slrnpull.
allow system_crond_t var_spool_t:file create_file_perms;
allow system_crond_t var_spool_t:dir rw_dir_perms;

# Do not audit attempts to search unlabeled directories (e.g. slocate).
dontaudit system_crond_t unlabeled_t:dir r_dir_perms;
dontaudit system_crond_t unlabeled_t:file r_file_perms;

#
# reading /var/spool/cron/mailman
#
allow crond_t var_spool_t:file { getattr read };
allow system_crond_t devpts_t:filesystem getattr;
allow system_crond_t sysfs_t:filesystem getattr;
allow system_crond_t tmpfs_t:filesystem getattr;
allow system_crond_t rpc_pipefs_t:filesystem getattr;

#
#  These rules are here to allow system cron jobs to su
#
ifdef(`su.te', `
su_restricted_domain(system_crond,system)
role system_r types system_crond_su_t;
allow system_crond_su_t crond_t:fifo_file ioctl;
')
allow system_crond_t self:passwd rootok;
#
# prelink tells init to restart it self, we either need to allow or dontaudit
#
allow system_crond_t initctl_t:fifo_file write;
dontaudit userdomain system_crond_t:fd use;

r_dir_file(crond_t, selinux_config_t)

# Allow system cron jobs to relabel filesystem for restoring file contexts.
bool cron_can_relabel false;
if (cron_can_relabel) {
domain_auto_trans(system_crond_t, setfiles_exec_t, setfiles_t)
} else {
r_dir_file(system_crond_t, file_context_t)
can_getsecurity(system_crond_t)
}
dontaudit system_crond_t removable_t:filesystem getattr;
#
# Required for webalizer
#
ifdef(`apache.te', `
allow system_crond_t { httpd_log_t httpd_config_t }:file { getattr read };
')
dontaudit crond_t self:capability sys_tty_config;
initial commit 2005-04-29 17:45:15 +00:00			`#DESC Crond - Crond daemon`
			`#`
			`# Domains for the top-level crond daemon process and`
			`# for system cron jobs. The domains for user cron jobs`
			`# are in macros/program/crond_macros.te.`
			`#`
			`# X-Debian-Packages: cron`
			`# Authors: Jonathan Crowley (MITRE) <jonathan@mitre.org>,`
			`# Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser`
			`#`

			`# NB The constraints file has some entries for crond_t, this makes it`
			`# different from all other domains...`

			`# Domain for crond. It needs auth_chkpwd to check for locked accounts.`
			daemon_domain(crond, `, privmail, auth_chkpwd, privfd, nscd_client_domain')

			`# This domain is granted permissions common to most domains (including can_net)`
			`general_domain_access(crond_t)`

			`# Type for the anacron executable.`
			`type anacron_exec_t, file_type, sysadmfile, exec_type;`

			`# Type for temporary files.`
			`tmp_domain(crond)`

			`crond_domain(system)`

			`allow system_crond_t proc_mdstat_t:file { getattr read };`
			`allow system_crond_t proc_t:lnk_file read;`
			`allow system_crond_t proc_t:filesystem getattr;`
			`allow system_crond_t usbdevfs_t:filesystem getattr;`

			ifdef(`mta.te', `
			`allow mta_user_agent system_crond_t:fd use;`
			`')`

			`# read files in /etc`
			`allow system_crond_t etc_t:file r_file_perms;`
more merging of NSA CVS policy 2005-09-13 13:06:07 +00:00			`allow system_crond_t etc_runtime_t:file { getattr read };`
initial commit 2005-04-29 17:45:15 +00:00
			`allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;`

			`read_locale(crond_t)`

			`# Use capabilities.`
			`allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice };`
			`dontaudit crond_t self:capability sys_resource;`

			`# Get security policy decisions.`
			`can_getsecurity(crond_t)`

			`# for finding binaries and /bin/sh`
			`allow crond_t { bin_t sbin_t }:dir search;`
			`allow crond_t { bin_t sbin_t }:lnk_file read;`

			`# Read from /var/spool/cron.`
			`allow crond_t var_lib_t:dir search;`
			`allow crond_t var_spool_t:dir r_dir_perms;`
			`allow crond_t cron_spool_t:dir r_dir_perms;`
			`allow crond_t cron_spool_t:file r_file_perms;`

			`# Read /etc/security/default_contexts.`
			`r_dir_file(crond_t, default_context_t)`

			`allow crond_t etc_t:file { getattr read };`
			`allow crond_t etc_t:lnk_file read;`

			`allow crond_t default_t:dir search;`

			`# crond tries to search /root. Not sure why.`
			`allow crond_t sysadm_home_dir_t:dir r_dir_perms;`

			`# to search /home`
			`allow crond_t home_root_t:dir { getattr search };`
			`allow crond_t user_home_dir_type:dir r_dir_perms;`

			`# Run a shell.`
			`can_exec(crond_t, shell_exec_t)`

			ifdef(`distro_redhat', `
			`# Run the rpm program in the rpm_t domain. Allow creation of RPM log files`
			`# via redirection of standard out.`
			ifdef(`rpm.te', `
			`allow crond_t rpm_log_t: file create_file_perms;`

			`system_crond_entry(rpm_exec_t, rpm_t)`
			`allow system_crond_t rpm_log_t:file create_file_perms;`
more updates 2005-09-15 21:03:45 +00:00			`#read ahead wants to read this`
			`allow initrc_t system_cron_spool_t:file { getattr read };`
initial commit 2005-04-29 17:45:15 +00:00			`')`
			`')`

			`allow system_crond_t var_log_t:file r_file_perms;`


			`# Set exec context.`
			`can_setexec(crond_t)`

			`# Transition to this domain for anacron as well.`
			`# Still need to study anacron.`
			`domain_auto_trans(initrc_t, anacron_exec_t, system_crond_t)`

			`# Inherit and use descriptors from init for anacron.`
			`allow system_crond_t init_t:fd use;`

			`# Inherit and use descriptors from initrc for anacron.`
			`allow system_crond_t initrc_t:fd use;`
			`allow system_crond_t initrc_devpts_t:chr_file { read write };`

			`# Use capabilities.`
			`allow system_crond_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid };`

			`allow crond_t urandom_device_t:chr_file { getattr read };`

			`# Read the system crontabs.`
			`allow system_crond_t system_cron_spool_t:file r_file_perms;`

			`allow crond_t system_cron_spool_t:dir r_dir_perms;`
			`allow crond_t system_cron_spool_t:file r_file_perms;`

			`# Read from /var/spool/cron.`
			`allow system_crond_t cron_spool_t:dir r_dir_perms;`
			`allow system_crond_t cron_spool_t:file r_file_perms;`

			`# Write to /var/lib/slocate.db.`
			`allow system_crond_t var_lib_t:dir rw_dir_perms;`
			`allow system_crond_t var_lib_t:file create_file_perms;`

			`# Update whatis files.`
more upstream merging 2005-09-16 21:20:37 +00:00			`allow system_crond_t man_t:dir create_dir_perms;`
			`allow system_crond_t man_t:file create_file_perms;`
initial commit 2005-04-29 17:45:15 +00:00			`allow system_crond_t man_t:lnk_file read;`

			`# Write /var/lock/makewhatis.lock.`
			`lock_domain(system_crond)`

			`# for if /var/mail is a symlink`
			`allow { system_crond_t crond_t } mail_spool_t:lnk_file read;`
			`allow crond_t mail_spool_t:dir search;`

			ifdef(`mta.te', `
			`r_dir_file(system_mail_t, crond_tmp_t)`
			`')`

			`# Stat any file and search any directory for find.`
			`allow system_crond_t { file_type fs_type }:notdevfile_class_set getattr;`
			`allow system_crond_t device_type:{ chr_file blk_file } getattr;`
			`allow system_crond_t file_type:dir { read search getattr };`

			`# Create temporary files.`
			`type system_crond_tmp_t, file_type, sysadmfile, tmpfile;`
			`file_type_auto_trans(system_crond_t, { tmp_t crond_tmp_t }, system_crond_tmp_t)`

			`# /sbin/runlevel ask for w access to utmp, but will operate`
			`# correctly without it. Do not audit write denials to utmp.`
			`# /sbin/runlevel needs lock access however`
			`dontaudit system_crond_t initrc_var_run_t:file write;`
			`allow system_crond_t initrc_var_run_t:file { getattr read lock };`

			`# Access other spool directories like`
			`# /var/spool/anacron and /var/spool/slrnpull.`
			`allow system_crond_t var_spool_t:file create_file_perms;`
			`allow system_crond_t var_spool_t:dir rw_dir_perms;`

			`# Do not audit attempts to search unlabeled directories (e.g. slocate).`
			`dontaudit system_crond_t unlabeled_t:dir r_dir_perms;`
			`dontaudit system_crond_t unlabeled_t:file r_file_perms;`

			`#`
			`# reading /var/spool/cron/mailman`
			`#`
			`allow crond_t var_spool_t:file { getattr read };`
			`allow system_crond_t devpts_t:filesystem getattr;`
			`allow system_crond_t sysfs_t:filesystem getattr;`
			`allow system_crond_t tmpfs_t:filesystem getattr;`
			`allow system_crond_t rpc_pipefs_t:filesystem getattr;`

			`#`
			`# These rules are here to allow system cron jobs to su`
			`#`
			ifdef(`su.te', `
			`su_restricted_domain(system_crond,system)`
			`role system_r types system_crond_su_t;`
			`allow system_crond_su_t crond_t:fifo_file ioctl;`
			`')`
			`allow system_crond_t self:passwd rootok;`
			`#`
			`# prelink tells init to restart it self, we either need to allow or dontaudit`
			`#`
			`allow system_crond_t initctl_t:fifo_file write;`
			`dontaudit userdomain system_crond_t:fd use;`

			`r_dir_file(crond_t, selinux_config_t)`

			`# Allow system cron jobs to relabel filesystem for restoring file contexts.`
			`bool cron_can_relabel false;`
			`if (cron_can_relabel) {`
			`domain_auto_trans(system_crond_t, setfiles_exec_t, setfiles_t)`
			`} else {`
			`r_dir_file(system_crond_t, file_context_t)`
			`can_getsecurity(system_crond_t)`
			`}`
more merging from nsa cvs 2005-09-15 15:34:31 +00:00			`dontaudit system_crond_t removable_t:filesystem getattr;`
initial commit 2005-04-29 17:45:15 +00:00			`#`
			`# Required for webalizer`
			`#`
			ifdef(`apache.te', `
more merging from nsa cvs 2005-09-15 15:34:31 +00:00			`allow system_crond_t { httpd_log_t httpd_config_t }:file { getattr read };`
initial commit 2005-04-29 17:45:15 +00:00			`')`
more merging from nsa cvs 2005-09-15 15:34:31 +00:00			`dontaudit crond_t self:capability sys_tty_config;`