policy_module(cron, 2.1.0) gen_require(` class passwd rootok; ') ######################################## # # Declarations # ## ##

## Allow system cron jobs to relabel filesystem ## for restoring file contexts. ##

##
gen_tunable(cron_can_relabel, false) ## ##

## Enable extra rules in the cron domain ## to support fcron. ##

##
gen_tunable(fcron_crond, false) attribute cron_spool_type; type anacron_exec_t; application_executable_file(anacron_exec_t) type cron_spool_t; files_type(cron_spool_t) # var/lib files type cron_var_lib_t; files_type(cron_var_lib_t) # var/log files type cron_log_t; logging_log_file(cron_log_t) type cronjob_t; typealias cronjob_t alias { user_crond_t staff_crond_t sysadm_crond_t }; typealias cronjob_t alias { auditadm_crond_t secadm_crond_t }; domain_type(cronjob_t) domain_cron_exemption_target(cronjob_t) corecmd_shell_entry_type(cronjob_t) ubac_constrained(cronjob_t) type crond_t; type crond_exec_t; init_daemon_domain(crond_t, crond_exec_t) domain_interactive_fd(crond_t) domain_cron_exemption_source(crond_t) type crond_tmp_t; files_tmp_file(crond_tmp_t) type crond_var_run_t; files_pid_file(crond_var_run_t) type crontab_exec_t; application_executable_file(crontab_exec_t) cron_common_crontab_template(admin_crontab) typealias admin_crontab_t alias sysadm_crontab_t; typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t; cron_common_crontab_template(crontab) typealias crontab_t alias { user_crontab_t staff_crontab_t }; typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t }; typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t }; typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t }; type system_cron_spool_t, cron_spool_type; files_type(system_cron_spool_t) type system_cronjob_t alias system_crond_t; init_daemon_domain(system_cronjob_t, anacron_exec_t) corecmd_shell_entry_type(system_cronjob_t) role system_r types system_cronjob_t; type system_cronjob_lock_t alias system_crond_lock_t; files_lock_file(system_cronjob_lock_t) type system_cronjob_tmp_t alias system_crond_tmp_t; files_tmp_file(system_cronjob_tmp_t) ifdef(`enable_mcs',` init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh) ') type unconfined_cronjob_t; domain_type(unconfined_cronjob_t) # Type of user crontabs once moved to cron spool. type user_cron_spool_t, cron_spool_type; typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t }; typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t }; files_type(user_cron_spool_t) ubac_constrained(user_cron_spool_t) ######################################## # # Admin crontab local policy # # Allow our crontab domain to unlink a user cron spool file. allow admin_crontab_t user_cron_spool_t:file { getattr read unlink }; # Manipulate other users crontab. selinux_get_fs_mount(admin_crontab_t) selinux_validate_context(admin_crontab_t) selinux_compute_access_vector(admin_crontab_t) selinux_compute_create_context(admin_crontab_t) selinux_compute_relabel_context(admin_crontab_t) selinux_compute_user_contexts(admin_crontab_t) tunable_policy(`fcron_crond', ` # fcron wants an instant update of a crontab change for the administrator # also crontab does a security check for crontab -u allow admin_crontab_t self:process setfscreate; ') ######################################## # # Cron daemon local policy # allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search audit_control }; dontaudit crond_t self:capability { sys_resource sys_tty_config }; allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow crond_t self:process { setexec setfscreate }; allow crond_t self:fd use; allow crond_t self:fifo_file rw_fifo_file_perms; allow crond_t self:unix_dgram_socket create_socket_perms; allow crond_t self:unix_stream_socket create_stream_socket_perms; allow crond_t self:unix_dgram_socket sendto; allow crond_t self:unix_stream_socket connectto; allow crond_t self:shm create_shm_perms; allow crond_t self:sem create_sem_perms; allow crond_t self:msgq create_msgq_perms; allow crond_t self:msg { send receive }; allow crond_t self:key { search write link }; allow crond_t crond_var_run_t:file manage_file_perms; files_pid_filetrans(crond_t, crond_var_run_t, file) allow crond_t cron_spool_t:dir rw_dir_perms; allow crond_t cron_spool_t:file read_file_perms; manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t) manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t) files_tmp_filetrans(crond_t, crond_tmp_t, { file dir }) allow crond_t system_cron_spool_t:dir list_dir_perms; allow crond_t system_cron_spool_t:file read_file_perms; kernel_read_kernel_sysctls(crond_t) kernel_search_key(crond_t) dev_read_sysfs(crond_t) selinux_get_fs_mount(crond_t) selinux_validate_context(crond_t) selinux_compute_access_vector(crond_t) selinux_compute_create_context(crond_t) selinux_compute_relabel_context(crond_t) selinux_compute_user_contexts(crond_t) dev_read_urand(crond_t) fs_getattr_all_fs(crond_t) fs_search_auto_mountpoints(crond_t) # need auth_chkpwd to check for locked accounts. auth_domtrans_chk_passwd(crond_t) corecmd_exec_shell(crond_t) corecmd_list_bin(crond_t) corecmd_read_bin_symlinks(crond_t) domain_use_interactive_fds(crond_t) files_read_etc_files(crond_t) files_read_generic_spool(crond_t) files_list_usr(crond_t) # Read from /var/spool/cron. files_search_var_lib(crond_t) files_search_default(crond_t) init_rw_utmp(crond_t) auth_use_nsswitch(crond_t) logging_send_syslog_msg(crond_t) seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) seutil_sigchld_newrole(crond_t) miscfiles_read_localization(crond_t) userdom_use_unpriv_users_fds(crond_t) # Not sure why this is needed userdom_list_user_home_dirs(crond_t) mta_send_mail(crond_t) ifdef(`distro_debian',` # pam_limits is used allow crond_t self:process setrlimit; optional_policy(` # Debian logcheck has the home dir set to its cache logwatch_search_cache_dir(crond_t) ') ') ifdef(`distro_redhat', ` # Run the rpm program in the rpm_t domain. Allow creation of RPM log files # via redirection of standard out. optional_policy(` rpm_manage_log(crond_t) ') ') optional_policy(` locallogin_search_keys(crond_t) locallogin_link_keys(crond_t) ') tunable_policy(`fcron_crond', ` allow crond_t system_cron_spool_t:file manage_file_perms; ') optional_policy(` amavis_search_lib(crond_t) ') optional_policy(` hal_dbus_send(crond_t) ') optional_policy(` # cjp: why? munin_search_lib(crond_t) ') optional_policy(` # Commonly used from postinst scripts rpm_read_pipes(crond_t) ') optional_policy(` # allow crond to find /usr/lib/postgresql/bin/do.maintenance postgresql_search_db(crond_t) ') optional_policy(` udev_read_db(crond_t) ') ######################################## # # System cron process domain # allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid }; allow system_cronjob_t self:process { signal_perms setsched }; allow system_cronjob_t self:fifo_file rw_fifo_file_perms; allow system_cronjob_t self:passwd rootok; # This is to handle creation of files in /var/log directory. # Used currently by rpm script log files allow system_cronjob_t cron_log_t:file manage_file_perms; logging_log_filetrans(system_cronjob_t, cron_log_t, file) # This is to handle /var/lib/misc directory. Used currently # by prelink var/lib files for cron allow system_cronjob_t cron_var_lib_t:file manage_file_perms; files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file) allow system_cronjob_t system_cron_spool_t:file read_file_perms; # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are # not directly executed, crond must ensure that # the crontab file has a type that is appropriate # for the domain of the user cron job. It # performs an entrypoint permission check # for this purpose. allow system_cronjob_t system_cron_spool_t:file entrypoint; # Permit a transition from the crond_t domain to this domain. # The transition is requested explicitly by the modified crond # via setexeccon. There is no way to set up an automatic # transition, since crontabs are configuration files, not executables. allow crond_t system_cronjob_t:process transition; dontaudit crond_t system_cronjob_t:process { noatsecure siginh rlimitinh }; allow crond_t system_cronjob_t:fd use; allow system_cronjob_t crond_t:fd use; allow system_cronjob_t crond_t:fifo_file rw_file_perms; allow system_cronjob_t crond_t:process sigchld; # Write /var/lock/makewhatis.lock. allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file) # write temporary files manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) # Read from /var/spool/cron. allow system_cronjob_t cron_spool_t:dir list_dir_perms; allow system_cronjob_t cron_spool_t:file read_file_perms; kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_system_state(system_cronjob_t) kernel_read_software_raid_state(system_cronjob_t) # ps does not need to access /boot when run from cron files_dontaudit_search_boot(system_cronjob_t) corecmd_exec_all_executables(system_cronjob_t) corenet_all_recvfrom_unlabeled(system_cronjob_t) corenet_all_recvfrom_netlabel(system_cronjob_t) corenet_tcp_sendrecv_generic_if(system_cronjob_t) corenet_udp_sendrecv_generic_if(system_cronjob_t) corenet_tcp_sendrecv_generic_node(system_cronjob_t) corenet_udp_sendrecv_generic_node(system_cronjob_t) corenet_tcp_sendrecv_all_ports(system_cronjob_t) corenet_udp_sendrecv_all_ports(system_cronjob_t) dev_getattr_all_blk_files(system_cronjob_t) dev_getattr_all_chr_files(system_cronjob_t) dev_read_urand(system_cronjob_t) fs_getattr_all_fs(system_cronjob_t) fs_getattr_all_files(system_cronjob_t) fs_getattr_all_symlinks(system_cronjob_t) fs_getattr_all_pipes(system_cronjob_t) fs_getattr_all_sockets(system_cronjob_t) # quiet other ps operations domain_dontaudit_read_all_domains_state(system_cronjob_t) files_exec_etc_files(system_cronjob_t) files_read_etc_files(system_cronjob_t) files_read_etc_runtime_files(system_cronjob_t) files_list_all(system_cronjob_t) files_getattr_all_dirs(system_cronjob_t) files_getattr_all_files(system_cronjob_t) files_getattr_all_symlinks(system_cronjob_t) files_getattr_all_pipes(system_cronjob_t) files_getattr_all_sockets(system_cronjob_t) files_read_usr_files(system_cronjob_t) files_read_var_files(system_cronjob_t) # for nscd: files_dontaudit_search_pids(system_cronjob_t) # Access other spool directories like # /var/spool/anacron and /var/spool/slrnpull. files_manage_generic_spool(system_cronjob_t) init_use_script_fds(system_cronjob_t) init_read_utmp(system_cronjob_t) init_dontaudit_rw_utmp(system_cronjob_t) # prelink tells init to restart it self, we either need to allow or dontaudit init_write_initctl(system_cronjob_t) auth_use_nsswitch(system_cronjob_t) libs_exec_lib_files(system_cronjob_t) libs_exec_ld_so(system_cronjob_t) logging_read_generic_logs(system_cronjob_t) logging_send_syslog_msg(system_cronjob_t) miscfiles_read_localization(system_cronjob_t) miscfiles_manage_man_pages(system_cronjob_t) seutil_read_config(system_cronjob_t) ifdef(`distro_redhat', ` # Run the rpm program in the rpm_t domain. Allow creation of RPM log files # via redirection of standard out. optional_policy(` rpm_manage_log(system_cronjob_t) ') ') tunable_policy(`cron_can_relabel',` seutil_domtrans_setfiles(system_cronjob_t) ',` selinux_get_fs_mount(system_cronjob_t) selinux_validate_context(system_cronjob_t) selinux_compute_access_vector(system_cronjob_t) selinux_compute_create_context(system_cronjob_t) selinux_compute_relabel_context(system_cronjob_t) selinux_compute_user_contexts(system_cronjob_t) seutil_read_file_contexts(system_cronjob_t) ') optional_policy(` # Needed for certwatch apache_exec_modules(system_cronjob_t) apache_read_config(system_cronjob_t) apache_read_log(system_cronjob_t) apache_read_sys_content(system_cronjob_t) ') optional_policy(` cyrus_manage_data(system_cronjob_t) ') optional_policy(` ftp_read_log(system_cronjob_t) ') optional_policy(` inn_manage_log(system_cronjob_t) inn_manage_pid(system_cronjob_t) inn_read_config(system_cronjob_t) ') optional_policy(` mrtg_append_create_logs(system_cronjob_t) ') optional_policy(` mta_send_mail(system_cronjob_t) ') optional_policy(` mysql_read_config(system_cronjob_t) ') optional_policy(` postfix_read_config(system_cronjob_t) ') optional_policy(` prelink_read_cache(system_cronjob_t) prelink_manage_log(system_cronjob_t) prelink_delete_cache(system_cronjob_t) ') optional_policy(` samba_read_config(system_cronjob_t) samba_read_log(system_cronjob_t) #samba_read_secrets(system_cronjob_t) ') optional_policy(` slocate_create_append_log(system_cronjob_t) ') optional_policy(` # cjp: why? squid_domtrans(system_cronjob_t) ') optional_policy(` sysstat_manage_log(system_cronjob_t) ') optional_policy(` unconfined_domain(system_cronjob_t) userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') ifdef(`TODO',` ifdef(`mta.te', ` allow system_cronjob_t mail_spool_t:lnk_file read; allow mta_user_agent system_cronjob_t:fd use; r_dir_file(system_mail_t, crond_tmp_t) ') ') dnl end TODO ######################################## # # User cronjobs local policy # allow cronjob_t self:capability dac_override; allow cronjob_t self:process { signal_perms setsched }; allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; allow cronjob_t self:unix_dgram_socket create_socket_perms; # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are # not directly executed, crond must ensure that # the crontab file has a type that is appropriate # for the domain of the user cron job. It # performs an entrypoint permission check # for this purpose. allow cronjob_t user_cron_spool_t:file entrypoint; # Permit a transition from the crond_t domain to this domain. # The transition is requested explicitly by the modified crond # via setexeccon. There is no way to set up an automatic # transition, since crontabs are configuration files, not executables. allow crond_t cronjob_t:process transition; dontaudit crond_t cronjob_t:process { noatsecure siginh rlimitinh }; allow crond_t cronjob_t:fd use; allow cronjob_t crond_t:fd use; allow cronjob_t crond_t:fifo_file rw_file_perms; allow cronjob_t crond_t:process sigchld; kernel_read_system_state(cronjob_t) kernel_read_kernel_sysctls(cronjob_t) # ps does not need to access /boot when run from cron files_dontaudit_search_boot(cronjob_t) corenet_all_recvfrom_unlabeled(cronjob_t) corenet_all_recvfrom_netlabel(cronjob_t) corenet_tcp_sendrecv_generic_if(cronjob_t) corenet_udp_sendrecv_generic_if(cronjob_t) corenet_tcp_sendrecv_generic_node(cronjob_t) corenet_udp_sendrecv_generic_node(cronjob_t) corenet_tcp_sendrecv_all_ports(cronjob_t) corenet_udp_sendrecv_all_ports(cronjob_t) corenet_tcp_connect_all_ports(cronjob_t) corenet_sendrecv_all_client_packets(cronjob_t) dev_read_urand(cronjob_t) fs_getattr_all_fs(cronjob_t) corecmd_exec_all_executables(cronjob_t) # quiet other ps operations domain_dontaudit_read_all_domains_state(cronjob_t) domain_dontaudit_getattr_all_domains(cronjob_t) files_read_usr_files(cronjob_t) files_exec_etc_files(cronjob_t) # for nscd: files_dontaudit_search_pids(cronjob_t) libs_exec_lib_files(cronjob_t) libs_exec_ld_so(cronjob_t) files_read_etc_runtime_files(cronjob_t) files_read_var_files(cronjob_t) files_search_spool(cronjob_t) logging_search_logs(cronjob_t) seutil_read_config(cronjob_t) miscfiles_read_localization(cronjob_t) userdom_manage_user_tmp_files(cronjob_t) userdom_manage_user_tmp_symlinks(cronjob_t) userdom_manage_user_tmp_pipes(cronjob_t) userdom_manage_user_tmp_sockets(cronjob_t) # Run scripts in user home directory and access shared libs. userdom_exec_user_home_content_files(cronjob_t) # Access user files and dirs. userdom_manage_user_home_content_files(cronjob_t) userdom_manage_user_home_content_symlinks(cronjob_t) userdom_manage_user_home_content_pipes(cronjob_t) userdom_manage_user_home_content_sockets(cronjob_t) #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) tunable_policy(`fcron_crond', ` allow crond_t user_cron_spool_t:file manage_file_perms; ') # need a per-role version of this: #optional_policy(` # mono_domtrans(cronjob_t) #') optional_policy(` nis_use_ypbind(cronjob_t) ') ######################################## # # Unconfined cronjobs local policy # optional_policy(` unconfined_domain(unconfined_cronjob_t) ')