#DESC Crond - Crond daemon # # Domains for the top-level crond daemon process and # for system cron jobs. The domains for user cron jobs # are in macros/program/crond_macros.te. # # X-Debian-Packages: cron # Authors: Jonathan Crowley (MITRE) , # Stephen Smalley and Timothy Fraser # # NB The constraints file has some entries for crond_t, this makes it # different from all other domains... # Domain for crond. It needs auth_chkpwd to check for locked accounts. daemon_domain(crond, `, privmail, auth_chkpwd, privfd, nscd_client_domain') # This domain is granted permissions common to most domains (including can_net) general_domain_access(crond_t) # Type for the anacron executable. type anacron_exec_t, file_type, sysadmfile, exec_type; # Type for temporary files. tmp_domain(crond) crond_domain(system) allow system_crond_t proc_mdstat_t:file { getattr read }; allow system_crond_t proc_t:lnk_file read; allow system_crond_t proc_t:filesystem getattr; allow system_crond_t usbdevfs_t:filesystem getattr; ifdef(`mta.te', ` allow mta_user_agent system_crond_t:fd use; ') # read files in /etc allow system_crond_t etc_t:file r_file_perms; allow system_crond_t etc_runtime_t:file { getattr read }; allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr; read_locale(crond_t) # Use capabilities. allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice }; dontaudit crond_t self:capability sys_resource; # Get security policy decisions. can_getsecurity(crond_t) # for finding binaries and /bin/sh allow crond_t { bin_t sbin_t }:dir search; allow crond_t { bin_t sbin_t }:lnk_file read; # Read from /var/spool/cron. allow crond_t var_lib_t:dir search; allow crond_t var_spool_t:dir r_dir_perms; allow crond_t cron_spool_t:dir r_dir_perms; allow crond_t cron_spool_t:file r_file_perms; # Read /etc/security/default_contexts. r_dir_file(crond_t, default_context_t) allow crond_t etc_t:file { getattr read }; allow crond_t etc_t:lnk_file read; allow crond_t default_t:dir search; # crond tries to search /root. Not sure why. allow crond_t sysadm_home_dir_t:dir r_dir_perms; # to search /home allow crond_t home_root_t:dir { getattr search }; allow crond_t user_home_dir_type:dir r_dir_perms; # Run a shell. can_exec(crond_t, shell_exec_t) ifdef(`distro_redhat', ` # Run the rpm program in the rpm_t domain. Allow creation of RPM log files # via redirection of standard out. ifdef(`rpm.te', ` allow crond_t rpm_log_t: file create_file_perms; system_crond_entry(rpm_exec_t, rpm_t) allow system_crond_t rpm_log_t:file create_file_perms; ') ') allow system_crond_t var_log_t:file r_file_perms; # Set exec context. can_setexec(crond_t) # Transition to this domain for anacron as well. # Still need to study anacron. domain_auto_trans(initrc_t, anacron_exec_t, system_crond_t) # Inherit and use descriptors from init for anacron. allow system_crond_t init_t:fd use; # Inherit and use descriptors from initrc for anacron. allow system_crond_t initrc_t:fd use; allow system_crond_t initrc_devpts_t:chr_file { read write }; # Use capabilities. allow system_crond_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid }; allow crond_t urandom_device_t:chr_file { getattr read }; # Read the system crontabs. allow system_crond_t system_cron_spool_t:file r_file_perms; allow crond_t system_cron_spool_t:dir r_dir_perms; allow crond_t system_cron_spool_t:file r_file_perms; # Read from /var/spool/cron. allow system_crond_t cron_spool_t:dir r_dir_perms; allow system_crond_t cron_spool_t:file r_file_perms; # Write to /var/lib/slocate.db. allow system_crond_t var_lib_t:dir rw_dir_perms; allow system_crond_t var_lib_t:file create_file_perms; # Update whatis files. allow system_crond_t catman_t:dir create_dir_perms; allow system_crond_t catman_t:file create_file_perms; allow system_crond_t man_t:file r_file_perms; allow system_crond_t man_t:lnk_file read; # Write /var/lock/makewhatis.lock. lock_domain(system_crond) # for if /var/mail is a symlink allow { system_crond_t crond_t } mail_spool_t:lnk_file read; allow crond_t mail_spool_t:dir search; ifdef(`mta.te', ` r_dir_file(system_mail_t, crond_tmp_t) ') # Stat any file and search any directory for find. allow system_crond_t { file_type fs_type }:notdevfile_class_set getattr; allow system_crond_t device_type:{ chr_file blk_file } getattr; allow system_crond_t file_type:dir { read search getattr }; # Create temporary files. type system_crond_tmp_t, file_type, sysadmfile, tmpfile; file_type_auto_trans(system_crond_t, { tmp_t crond_tmp_t }, system_crond_tmp_t) # /sbin/runlevel ask for w access to utmp, but will operate # correctly without it. Do not audit write denials to utmp. # /sbin/runlevel needs lock access however dontaudit system_crond_t initrc_var_run_t:file write; allow system_crond_t initrc_var_run_t:file { getattr read lock }; # Access other spool directories like # /var/spool/anacron and /var/spool/slrnpull. allow system_crond_t var_spool_t:file create_file_perms; allow system_crond_t var_spool_t:dir rw_dir_perms; # Do not audit attempts to search unlabeled directories (e.g. slocate). dontaudit system_crond_t unlabeled_t:dir r_dir_perms; dontaudit system_crond_t unlabeled_t:file r_file_perms; # # reading /var/spool/cron/mailman # allow crond_t var_spool_t:file { getattr read }; allow system_crond_t devpts_t:filesystem getattr; allow system_crond_t sysfs_t:filesystem getattr; allow system_crond_t tmpfs_t:filesystem getattr; allow system_crond_t rpc_pipefs_t:filesystem getattr; # # These rules are here to allow system cron jobs to su # ifdef(`su.te', ` su_restricted_domain(system_crond,system) role system_r types system_crond_su_t; allow system_crond_su_t crond_t:fifo_file ioctl; ') allow system_crond_t self:passwd rootok; # # prelink tells init to restart it self, we either need to allow or dontaudit # allow system_crond_t initctl_t:fifo_file write; dontaudit userdomain system_crond_t:fd use; r_dir_file(crond_t, selinux_config_t) # Allow system cron jobs to relabel filesystem for restoring file contexts. bool cron_can_relabel false; if (cron_can_relabel) { domain_auto_trans(system_crond_t, setfiles_exec_t, setfiles_t) } else { r_dir_file(system_crond_t, file_context_t) can_getsecurity(system_crond_t) } dontaudit system_crond_t removable_t:filesystem getattr; # # Required for webalizer # ifdef(`apache.te', ` allow system_crond_t { httpd_log_t httpd_config_t }:file { getattr read }; ') dontaudit crond_t self:capability sys_tty_config;