From 9778406fdc8869e0d385a48e91f09427b41541a9 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Fri, 10 Feb 2006 14:41:08 +0000
Subject: [PATCH] patch from Serge Hallyn Thu, 09 Feb 2006 13:42:36 -0600, plus fix the rules in the TODO.

---
 refpolicy/policy/modules/services/cron.te | 24 ++++++-------------
 refpolicy/policy/modules/system/userdomain.if | 17 +++++++++++++
 2 files changed, 24 insertions(+), 17 deletions(-)

diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 773a27bd..e910bc0b 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -134,6 +134,8 @@ seutil_sigchld_newrole(crond_t)
 miscfiles_read_localization(crond_t)
 userdom_use_unpriv_users_fd(crond_t)
+# Not sure why this is needed
+userdom_list_all_users_home_dir(crond_t)
 ifdef(`distro_redhat', `
 # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
@@ -201,23 +203,6 @@ optional_policy(`udev',`
 udev_read_db(crond_t)
 ')
-ifdef(`TODO',`
-# NB The constraints file has some entries for crond_t, this makes it
-# different from all other domains...
-
-# crond tries to search /root. Not sure why.
-allow crond_t sysadm_home_dir_t:dir r_dir_perms;
-
-ifdef(`apache.te',`
-allow system_crond_t httpd_modules_t:lnk_file read;
-# Needed for certwatch
-can_exec(system_crond_t, httpd_modules_t)
-')
-
-# to search /home
-allow crond_t user_home_dir_type:dir r_dir_perms;
-') dnl endif TODO
-
 ########################################
 #
 # System cron process domain
@@ -371,6 +356,11 @@ ifdef(`targeted_policy',`
 seutil_read_file_contexts(system_crond_t)
 ')
+ optional_policy(`apache',`
+ # Needed for certwatch
+ apache_exec_modules(system_crond_t)
+ ')
+
 optional_policy(`cyrus',`
 cyrus_manage_data(system_crond_t)
 ')
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index b66833ef..7513b245 100644
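Review bot: The `userdom_list_all_users_home_dir(crond_t)` rule added in the first hunk (@@ -134) grants the cron daemon domain directory listing on everything labelled with the `home_dir_type` attribute, yet the comment above it, `# Not sure why this is needed`, records no denial or use case, so the grant cannot be re-justified or tightened later. The TODO block deleted in the second hunk did carry the rationale (`# to search /home`, plus a note that crond also searches /root), so carry it over instead: `# crond searches /home and the users' home directories (moved out of the former TODO block)`. If traversal is all crond needs, the interface summarised as `## Search all users home directories.` in userdomain.if is the narrower choice, since list permissions also disclose the names of files in each home directory. Whether `home_dir_type` also covers the sysadm home directory is not visible in this patch; if it does, this rule silently re-grants the /root access the TODO block flagged as unexplained. The surrounding section of cron.te continues outside the hunk.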
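Review bot: The `apache_exec_modules(system_crond_t)` call in the third hunk (@@ -371) stands in for the TODO rules removed in the second hunk, but those rules granted `allow system_crond_t httpd_modules_t:lnk_file read;` in addition to `can_exec(system_crond_t, httpd_modules_t)`. `apache_exec_modules` is defined outside this patch, so whether it also permits the lnk_file read cannot be confirmed here; if it does not, certwatch may still be denied when a module path is a symlink. Recording that dependency in the comment would help the next reader, e.g. `# Needed for certwatch (relies on apache_exec_modules covering lnk_file read of httpd_modules_t)`. The optional_policy block itself is complete in the hunk, but the enclosing ifdef/section starts and ends outside it.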
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -3236,6 +3236,23 @@ interface(`userdom_read_sysadm_home_files',`
 allow $1 sysadm_home_t:{ file lnk_file } r_file_perms;
 ')
+########################################
+##
+## List all users home directories.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`userdom_list_all_users_home_dir',`
+ gen_require(`
+ attribute home_dir_type;
+ ')
+
+ files_list_home($1)
+ allow $1 home_dir_type:dir list_dir_perms;
+')
+
 ########################################
 ##
 ## Search all users home directories.
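Review bot: The new `userdom_list_all_users_home_dir` interface grants `list_dir_perms` on every `home_dir_type` directory and additionally calls `files_list_home($1)`, but its summary `## List all users home directories.` reads almost identically to the search-only interface documented right below it (`## Search all users home directories.`), giving callers no cue about which is the least-privileged fit. Suggest making the summary state what the extra permission exposes and when to prefer the neighbour, e.g. `##	List the contents of all users home directories (and /home itself); prefer the search-only interface below when a domain only needs to traverse to a known path.` The interface body is complete within the hunk.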