permission is checked when using shared libs to execute code in them, which is not the same as just reading the shared libs.
# Copyright (C) 2005 Tresys Technology, LLC
# NOTE(review): policy_module() names this module "consoletype", yet every
# type declared below belongs to cron (crond_t, cron_spool_t, ...). This looks
# like a copy/paste leftover from another module; confirm the name matches
# this file's name before it is loaded alongside the real consoletype module.
policy_module(consoletype, 1.0)

########################################
#
# Declarations
#

# Program type for anacron; it is the entrypoint into system_crond_t (see
# init_make_daemon_domain below).
type anacron_exec_t;
files_make_file(anacron_exec_t)

# Allow system cron jobs to relabel filesystem for restoring file contexts.
# Off by default: when off, system_crond_t only gets the read-only SELinux
# query permissions in the "System cron process domain" section; when on,
# system cron jobs may transition to the setfiles domain and relabel the
# whole filesystem, so enable it deliberately.
bool cron_can_relabel false;

# Per-user crontab spool (read-only for crond_t; see the local policy section).
type cron_spool_t;
files_make_file(cron_spool_t)

# The cron daemon itself. The trailing comment presumably lists attributes
# (privmail, nscd_client_domain) from the pre-refpolicy rules that have not
# been converted yet -- TODO confirm and either add or drop them.
type crond_t; #, privmail, nscd_client_domain
type crond_exec_t;
init_make_daemon_domain(crond_t,crond_exec_t)
# crond's file descriptors may be inherited by any domain (jobs run in
# user/system domains inherit crond's pipes and fds).
domain_make_file_descriptors_widely_inheritable(crond_t)

type crond_log_t;
logging_make_log_file(crond_log_t)

type crond_tmp_t;
files_make_temporary_file(crond_tmp_t)

# PID file type for crond.
type crond_var_run_t;
files_make_daemon_runtime_file(crond_var_run_t)

# crontab(1) program type; nothing in this section grants a transition for
# it, so the crontab domain is presumably defined elsewhere -- confirm.
type crontab_exec_t;
files_make_file(crontab_exec_t)

# System crontab spool (/etc/cron.* style files). Files of this type are the
# entrypoint for system_crond_t (see the entrypoint rule in the next section).
# NOTE(review): unlike cron_spool_t above, no files_make_file() is called for
# this type here; confirm it is declared a file type somewhere, otherwise the
# file-type attribute rules will not cover it.
type system_cron_spool_t;
# Domain for system cron jobs. Same unconverted attribute comment as crond_t.
type system_crond_t; #, privmail, nscd_client_domain;
# Entered via anacron_exec_t as a daemon domain...
init_make_daemon_domain(system_crond_t,anacron_exec_t)
# ...and also via the system shell, since system cron jobs are shell commands.
# A shell entrypoint is broad; the actual gate is the explicit
# setexeccon-driven transition from crond_t described in the next section.
corecommands_make_shell_entrypoint(system_crond_t)
role system_r types system_crond_t;

# Lock files written by system cron jobs (e.g. makewhatis, see below).
type system_crond_lock_t;
files_make_lock_file(system_crond_lock_t)

# Temporary files created by system cron jobs.
type system_crond_tmp_t;
files_make_temporary_file(system_crond_tmp_t)
########################################
#
# Cron Local policy
#

# Capabilities for the daemon itself. setuid/setgid are presumably needed to
# run each job under the crontab owner's uid/gid, dac_override to read spool
# entries owned by arbitrary users -- confirm against the daemon's behaviour.
# net_bind_service and sys_nice are less obvious for a cron daemon; worth
# auditing whether they are actually exercised.
allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice };
dontaudit crond_t self:capability { sys_resource sys_tty_config };
# Everything in the process class except the dangerous ones: no ptrace,
# no dynamic transition, no executable memory, no setfscreate/setrlimit.
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
# setexec is excluded above and then granted on its own: crond sets the
# exec context (setexeccon) for the job before exec'ing it, which is how the
# crond_t -> system_crond_t transition in the next section is requested.
allow crond_t self:process setexec;
allow crond_t self:fd use;
allow crond_t self:fifo_file { read getattr lock ioctl write append };
allow crond_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow crond_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
allow crond_t self:unix_dgram_socket sendto;
allow crond_t self:unix_stream_socket connectto;
# SysV IPC with itself only (self:shm/sem/msgq/msg).
allow crond_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
allow crond_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
allow crond_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
allow crond_t self:msg { send receive };

# Full management of its own log files.
allow crond_t crond_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };

# PID file: create/read/write/unlink, with the directory transition from
# the daemon runtime directory supplied by the interface.
allow crond_t crond_var_run_t:file { getattr create read write append setattr unlink };
files_create_daemon_runtime_data(crond_t,crond_var_run_t)

# Private tmp files and directories.
allow crond_t crond_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
allow crond_t crond_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
files_create_private_tmp_data(crond_t, crond_tmp_t, { file dir })

# The daemon only reads the user and system spools; nothing here lets it
# modify crontabs. (The fcron_crond tunable below is the one exception.)
allow crond_t cron_spool_t:dir { getattr search read };
allow crond_t cron_spool_t:file { getattr read };
allow crond_t system_cron_spool_t:dir { getattr search read };
allow crond_t system_cron_spool_t:file { getattr read };

kernel_read_kernel_sysctl(crond_t)
kernel_read_hardware_state(crond_t)
# SELinux userspace queries: crond talks to selinuxfs to validate and
# compute the context each job should run in (reachable user contexts,
# create/relabel computations) before calling setexeccon.
kernel_get_selinuxfs_mount_point(crond_t)
kernel_validate_selinux_context(crond_t)
kernel_compute_selinux_av(crond_t)
kernel_compute_create(crond_t)
kernel_compute_relabel(crond_t)
kernel_compute_reachable_user_contexts(crond_t)

devices_get_pseudorandom_data(crond_t)

filesystem_get_all_filesystems_attributes(crond_t)

terminal_ignore_use_console(crond_t)

init_use_file_descriptors(crond_t)
init_script_use_pseudoterminal(crond_t)

domain_use_widely_inheritable_file_descriptors(crond_t)

files_read_general_system_config(crond_t)

# Jobs are launched through the shell.
corecommands_execute_shell(crond_t)
corecommands_read_system_programs_directory(crond_t)

libraries_use_dynamic_loader(crond_t)
libraries_use_shared_libraries(crond_t)

logging_send_system_log_message(crond_t)

selinux_read_config(crond_t)
selinux_read_default_contexts(crond_t)
selinux_newrole_sigchld(crond_t)

miscfiles_read_localization(crond_t)

# need auth_chkpwd to check for locked accounts.
# (Transition to the password-checking helper rather than reading
# /etc/shadow directly, so crond_t itself never gets shadow access.)
authlogin_check_password_transition(crond_t)

# fcron keeps its own system spool and writes to it; enabling this turns
# crond_t from a read-only consumer of system_cron_spool_t into a writer of
# files that are entrypoints for system_crond_t (see the next section).
# crond_t can already transition to system_crond_t, so this is not a new
# escalation path, but the tunable is worth keeping off when not using fcron.
tunable_policy(`fcron_crond', `
allow crond_t system_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
')

# In the targeted policy there are no separate user terminal domains;
# just silence the terminal and rootfs denials.
tunable_policy(`targeted_policy', `
terminal_ignore_use_general_physical_terminal(crond_t)
terminal_ignore_use_general_pseudoterminal(crond_t)
files_ignore_read_rootfs_file(crond_t)
')

optional_policy(`udev.te', `
udev_read_database(crond_t)
')

# Everything up to "dnl endif TODO" is wrapped in ifdef(`TODO', ...).
# Presumably TODO is never defined, so these rules are inert until they are
# converted to the interface style used above -- treat them as a worklist,
# not as live policy.
ifdef(`TODO',`
# NB The constraints file has some entries for crond_t, this makes it
# different from all other domains...

allow crond_t unpriv_userdomain:fd use;
allow crond_t autofs_t:dir { search getattr };
dontaudit crond_t sysadm_home_dir_t:dir search;

optional_policy(`rhgb.te', `
allow crond_t rhgb_t:process sigchld;
allow crond_t rhgb_t:fd use;
allow crond_t rhgb_t:fifo_file { read write };
')

can_ypbind(crond_t)
# Duplicates the unconditional autofs_t rule above; one of the two can go
# when this block is converted.
ifdef(`automount.te', `
allow crond_t autofs_t:dir { search getattr };
')

# Read from /var/spool/cron.
allow crond_t var_lib_t:dir search;
allow crond_t var_spool_t:dir r_dir_perms;
allow crond_t var_spool_t:file { getattr read };
allow crond_t mail_spool_t:dir search;

allow crond_t default_t:dir search;

# crond tries to search /root. Not sure why.
allow crond_t sysadm_home_dir_t:dir r_dir_perms;

# for if /var/mail is a symlink
allow crond_t mail_spool_t:lnk_file read;

# to search /home
allow crond_t user_home_dir_type:dir r_dir_perms;

ifdef(`distro_redhat', `
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
ifdef(`rpm.te', `
allow crond_t rpm_log_t: file create_file_perms;

system_crond_entry(rpm_exec_t, rpm_t)
allow system_crond_t rpm_log_t:file create_file_perms;
')
')
') dnl endif TODO
########################################
#
# System cron process domain
#

# System cron jobs run as root and do filesystem maintenance (lock files,
# man-page cache, etc. below), hence the ownership/permission capabilities
# (chown, fowner, fsetid, dac_read_search). This is a privileged domain:
# whatever lands in a system crontab runs with all of this.
allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
allow system_crond_t self:process { sigkill sigstop signull signal setsched };
allow system_crond_t self:fifo_file { read getattr write append };
# passwd:rootok -- presumably lets the PAM "rootok" check succeed so jobs can
# act on accounts without a password prompt; confirm which job needs it.
allow system_crond_t self:passwd rootok;

# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
# the crontab file has a type that is appropriate
# for the domain of the user cron job. It
# performs an entrypoint permission check
# for this purpose.
# In other words: only files labelled system_cron_spool_t may cause a job to
# run in system_crond_t, so the label on the system spool is the real
# security boundary for this domain.
allow system_crond_t system_cron_spool_t:file entrypoint;

allow system_crond_t system_cron_spool_t:file { getattr read };

# Permit a transition from the crond_t domain to this domain.
# The transition is requested explicitly by the modified crond
# via setexeccon. There is no way to set up an automatic
# transition, since crontabs are configuration files, not executables.
allow crond_t system_crond_t:process transition;
# Silence the secondary checks that accompany an exec-time transition
# (AT_SECURE, signal and rlimit inheritance).
dontaudit crond_t system_crond_t:process { noatsecure siginh rlimitinh };

# Write /var/lock/makewhatis.lock.
allow system_crond_t system_crond_lock_t:file { create ioctl read getattr lock write setattr append link unlink rename };
files_create_private_lock_file(system_crond_t,system_crond_lock_t)

# write temporary files
allow system_crond_t system_crond_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
files_create_private_tmp_data(system_crond_t,system_crond_tmp_t)

# write temporary files in crond tmp dir:
# files created under crond_tmp_t directories are labelled system_crond_tmp_t
# so they stay out of crond_t's reach (crond_t has no rules on that type).
allow system_crond_t crond_tmp_t:dir { getattr search read write add_name remove_name };
type_transition system_crond_t crond_tmp_t:file system_crond_tmp_t;

# Read from /var/spool/cron.
allow system_crond_t cron_spool_t:dir { getattr search read };
allow system_crond_t cron_spool_t:file { getattr read };

# Access crond log files
allow system_crond_t crond_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };
logging_create_private_log(system_crond_t,crond_log_t)

kernel_read_kernel_sysctl(system_crond_t)
kernel_read_system_state(system_crond_t)
kernel_read_software_raid_state(system_crond_t)

# ps does not need to access /boot when run from cron
bootloader_ignore_search_bootloader_data_directory(system_crond_t)

# NOTE(review): TCP, UDP and raw sockets on all interfaces, all nodes and all
# ports, plus binding on all nodes -- effectively unrestricted network access
# for every system cron job. Presumably needed because the job set is open
# ended; if the set of network-using jobs is known, narrowing this is the
# single biggest reduction of this domain's reach.
corenetwork_network_tcp_on_all_interfaces(system_crond_t)
corenetwork_network_raw_on_all_interfaces(system_crond_t)
corenetwork_network_udp_on_all_interfaces(system_crond_t)
corenetwork_network_tcp_on_all_nodes(system_crond_t)
corenetwork_network_raw_on_all_nodes(system_crond_t)
corenetwork_network_udp_on_all_nodes(system_crond_t)
corenetwork_network_tcp_on_all_ports(system_crond_t)
corenetwork_network_udp_on_all_ports(system_crond_t)
corenetwork_bind_tcp_on_all_nodes(system_crond_t)
corenetwork_bind_udp_on_all_nodes(system_crond_t)

# getattr only on devices; no read/write of device nodes is granted here.
devices_get_all_block_device_attributes(system_crond_t)
devices_get_all_character_device_attributes(system_crond_t)
devices_get_pseudorandom_data(system_crond_t)

filesystem_get_all_filesystems_attributes(system_crond_t)
filesystem_get_all_file_attributes(system_crond_t)

init_use_file_descriptors(system_crond_t)
init_script_use_file_descriptors(system_crond_t)
init_script_use_pseudoterminal(system_crond_t)
init_script_read_runtime_data(system_crond_t)
init_script_ignore_modify_runtime_data(system_crond_t)

# May execute the entrypoint program of every domain -- presumably so jobs
# can run daemons' binaries (e.g. for log rotation) in this domain rather
# than transitioning; note this does not by itself grant the transitions.
domain_execute_all_entrypoint_programs(system_crond_t)

files_execute_system_config_script(system_crond_t)
files_read_general_system_config(system_crond_t)
files_read_runtime_system_config(system_crond_t)
# Read (list/search) every directory and stat every file: the filesystem
# walkers run from cron (slocate, makewhatis, ...) need this.
files_read_all_directories(system_crond_t)
files_get_all_file_attributes(system_crond_t)
files_read_general_application_resources(system_crond_t)
# for nscd:
files_ignore_search_runtime_data_directory(system_crond_t)

corecommands_execute_general_programs(system_crond_t)
corecommands_execute_system_programs(system_crond_t)

libraries_use_dynamic_loader(system_crond_t)
# Using shared libraries means executing code mapped from them, which is a
# separate permission check from merely reading the library files.
libraries_use_shared_libraries(system_crond_t)
libraries_execute_library_scripts(system_crond_t)
libraries_execute_dynamic_loader(system_crond_t)

logging_read_system_logs(system_crond_t)
logging_send_system_log_message(system_crond_t)

miscfiles_read_localization(system_crond_t)
miscfiles_read_man_pages(system_crond_t)
miscfiles_manage_man_page_cache(system_crond_t)

selinux_read_config(system_crond_t)

# cron_can_relabel (declared off above): when on, a system cron job may
# transition to setfiles and relabel the filesystem -- a full-system
# integrity lever, so enable only where restorecon from cron is intended.
# When off, the job only gets read-only SELinux queries and file_contexts.
if (cron_can_relabel) {
selinux_setfiles_transition(system_crond_t)
} else {
kernel_get_selinuxfs_mount_point(system_crond_t)
kernel_validate_selinux_context(system_crond_t)
kernel_compute_selinux_av(system_crond_t)
kernel_compute_create(system_crond_t)
kernel_compute_relabel(system_crond_t)
kernel_compute_reachable_user_contexts(system_crond_t)
selinux_read_file_contexts(system_crond_t)
}

# Everything up to "dnl end TODO" is wrapped in ifdef(`TODO', ...) and is
# presumably inert (TODO undefined) until converted to interface calls.
ifdef(`TODO',`

can_ypbind(system_crond_t)

dontaudit userdomain system_crond_t:fd use;

# quiet other ps operations
dontaudit system_crond_t domain:dir { getattr search };

# Do not audit attempts to search unlabeled directories (e.g. slocate).
dontaudit system_crond_t unlabeled_t:dir r_dir_perms;
dontaudit system_crond_t unlabeled_t:file r_file_perms;

allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;

# prelink tells init to restart it self, we either need to allow or dontaudit
# (Writing the init control fifo lets a cron job send commands to init;
# dontaudit would be the safer of the two options if prelink copes with
# the denial.)
allow system_crond_t initctl_t:fifo_file write;

allow system_crond_t var_t:dir r_dir_perms;
allow system_crond_t var_t:file { getattr read ioctl };

# Write to /var/lib/slocate.db.
allow system_crond_t var_lib_t:dir rw_dir_perms;
allow system_crond_t var_lib_t:file create_file_perms;

# Access other spool directories like
# /var/spool/anacron and /var/spool/slrnpull.
allow system_crond_t var_spool_t:file create_file_perms;
allow system_crond_t var_spool_t:dir rw_dir_perms;
# for if /var/mail is a symlink
allow system_crond_t mail_spool_t:lnk_file read;


#
# These rules are here to allow system cron jobs to su
#
ifdef(`su.te', `
su_restricted_domain(system_crond,system)
role system_r types system_crond_su_t;
allow system_crond_su_t crond_t:fifo_file ioctl;
')

#
# Required for webalizer
#
ifdef(`apache.te', `
allow system_crond_t httpd_log_t:file { getattr read };
')

tunable_policy(`distro_redhat', `
optional_policy(`rpm.te', `
allow system_crond_t rpm_log_t:file create_file_perms;
')
')

ifdef(`mta.te', `
mta_send_mail_transition(system_crond_t)

# system_mail_t should only be reading from the cron fifo not needing to write
dontaudit system_mail_t crond_t:fifo_file write;
allow mta_user_agent system_crond_t:fd use;
# (duplicate of the previous line; drop one when converting this block)
allow mta_user_agent system_crond_t:fd use;
r_dir_file(system_mail_t, crond_tmp_t)
')

') dnl end TODO