selinux-policy/policy/modules/services/cron.te
Dominick Grift ef521e9919 Tunable, optional and if(n)def blocks go below.
Tunable, optional and if(n)def blocks go below.

Tunable, optional and if(n)def blocks go below.

Tunable, optional and if(n)def blocks go below.

Tunable, optional and if(n)def blocks go below.
2010-09-22 15:41:43 +02:00

719 lines
20 KiB
Plaintext

policy_module(cron, 2.2.0)
gen_require(`
class passwd rootok;
')
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow system cron jobs to relabel filesystem
## for restoring file contexts.
## </p>
## </desc>
gen_tunable(cron_can_relabel, false)
## <desc>
## <p>
## Enable extra rules in the cron domain
## to support fcron.
## </p>
## </desc>
gen_tunable(fcron_crond, false)
attribute cron_spool_type;
type anacron_exec_t;
application_executable_file(anacron_exec_t)
type cron_spool_t;
files_type(cron_spool_t)
# var/lib files
type cron_var_lib_t;
files_type(cron_var_lib_t)
type cron_var_run_t;
files_type(cron_var_run_t)
# var/log files
type cron_log_t;
logging_log_file(cron_log_t)
type cronjob_t;
typealias cronjob_t alias { user_crond_t staff_crond_t sysadm_crond_t };
typealias cronjob_t alias { auditadm_crond_t secadm_crond_t };
domain_type(cronjob_t)
domain_cron_exemption_target(cronjob_t)
corecmd_shell_entry_type(cronjob_t)
ubac_constrained(cronjob_t)
type crond_t;
type crond_exec_t;
init_daemon_domain(crond_t, crond_exec_t)
domain_interactive_fd(crond_t)
domain_cron_exemption_source(crond_t)
type crond_initrc_exec_t;
init_script_file(crond_initrc_exec_t)
type crond_tmp_t;
files_tmp_file(crond_tmp_t)
files_poly_parent(crond_tmp_t)
mta_system_content(crond_tmp_t)
type crond_var_run_t;
files_pid_file(crond_var_run_t)
mta_system_content(crond_var_run_t)
type crontab_exec_t;
application_executable_file(crontab_exec_t)
cron_common_crontab_template(admin_crontab)
typealias admin_crontab_t alias sysadm_crontab_t;
typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t;
cron_common_crontab_template(crontab)
typealias crontab_t alias { user_crontab_t staff_crontab_t };
typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
allow admin_crontab_t crond_t:process signal;
type system_cron_spool_t, cron_spool_type;
files_type(system_cron_spool_t)
type system_cronjob_t alias system_crond_t;
init_daemon_domain(system_cronjob_t, anacron_exec_t)
corecmd_shell_entry_type(system_cronjob_t)
role system_r types system_cronjob_t;
domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
type system_cronjob_lock_t alias system_crond_lock_t;
files_lock_file(system_cronjob_lock_t)
type system_cronjob_tmp_t alias system_crond_tmp_t;
files_tmp_file(system_cronjob_tmp_t)
type unconfined_cronjob_t;
domain_type(unconfined_cronjob_t)
domain_cron_exemption_target(unconfined_cronjob_t)
# Type of user crontabs once moved to cron spool.
type user_cron_spool_t, cron_spool_type;
typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
files_type(user_cron_spool_t)
ubac_constrained(user_cron_spool_t)
mta_system_content(user_cron_spool_t)
type system_cronjob_var_lib_t;
files_type(system_cronjob_var_lib_t)
typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
type system_cronjob_var_run_t;
files_pid_file(system_cronjob_var_run_t)
ifdef(`enable_mcs',`
init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
')
########################################
#
# Admin crontab local policy
#
# Allow our crontab domain to unlink a user cron spool file.
allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms };
# Manipulate other users crontab.
selinux_get_fs_mount(admin_crontab_t)
selinux_validate_context(admin_crontab_t)
selinux_compute_access_vector(admin_crontab_t)
selinux_compute_create_context(admin_crontab_t)
selinux_compute_relabel_context(admin_crontab_t)
selinux_compute_user_contexts(admin_crontab_t)
tunable_policy(`fcron_crond',`
# fcron wants an instant update of a crontab change for the administrator
# also crontab does a security check for crontab -u
allow admin_crontab_t self:process setfscreate;
')
########################################
#
# Cron daemon local policy
#
allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
dontaudit crond_t self:capability { sys_resource sys_tty_config };
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
allow crond_t self:process { setexec setfscreate };
allow crond_t self:fd use;
allow crond_t self:fifo_file rw_fifo_file_perms;
allow crond_t self:unix_dgram_socket create_socket_perms;
allow crond_t self:unix_stream_socket create_stream_socket_perms;
allow crond_t self:unix_dgram_socket sendto;
allow crond_t self:unix_stream_socket connectto;
allow crond_t self:shm create_shm_perms;
allow crond_t self:sem create_sem_perms;
allow crond_t self:msgq create_msgq_perms;
allow crond_t self:msg { send receive };
allow crond_t self:key { search write link };
manage_files_pattern(crond_t, cron_log_t, cron_log_t)
logging_log_filetrans(crond_t, cron_log_t, file)
manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
files_pid_filetrans(crond_t, crond_var_run_t, file)
manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
kernel_read_kernel_sysctls(crond_t)
kernel_read_fs_sysctls(crond_t)
kernel_search_key(crond_t)
dev_read_sysfs(crond_t)
selinux_get_fs_mount(crond_t)
selinux_validate_context(crond_t)
selinux_compute_access_vector(crond_t)
selinux_compute_create_context(crond_t)
selinux_compute_relabel_context(crond_t)
selinux_compute_user_contexts(crond_t)
dev_read_urand(crond_t)
fs_getattr_all_fs(crond_t)
fs_search_auto_mountpoints(crond_t)
fs_list_inotifyfs(crond_t)
# need auth_chkpwd to check for locked accounts.
auth_domtrans_chk_passwd(crond_t)
corecmd_exec_shell(crond_t)
corecmd_list_bin(crond_t)
corecmd_read_bin_symlinks(crond_t)
domain_use_interactive_fds(crond_t)
domain_subj_id_change_exemption(crond_t)
domain_role_change_exemption(crond_t)
files_read_usr_files(crond_t)
files_read_etc_runtime_files(crond_t)
files_read_etc_files(crond_t)
files_read_generic_spool(crond_t)
files_list_usr(crond_t)
# Read from /var/spool/cron.
files_search_var_lib(crond_t)
files_search_default(crond_t)
init_rw_utmp(crond_t)
init_spec_domtrans_script(crond_t)
auth_use_nsswitch(crond_t)
logging_send_audit_msgs(crond_t)
logging_send_syslog_msg(crond_t)
logging_set_loginuid(crond_t)
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
seutil_sigchld_newrole(crond_t)
miscfiles_read_localization(crond_t)
userdom_use_unpriv_users_fds(crond_t)
# Not sure why this is needed
userdom_list_user_home_dirs(crond_t)
userdom_create_all_users_keys(crond_t)
mta_send_mail(crond_t)
mta_system_content(cron_spool_t)
ifdef(`distro_debian',`
# pam_limits is used
allow crond_t self:process setrlimit;
optional_policy(`
# Debian logcheck has the home dir set to its cache
logwatch_search_cache_dir(crond_t)
')
')
ifdef(`distro_redhat',`
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
optional_policy(`
rpm_manage_log(crond_t)
')
')
tunable_policy(`allow_polyinstantiation',`
files_polyinstantiate_all(crond_t)
')
tunable_policy(`fcron_crond',`
allow crond_t system_cron_spool_t:file manage_file_perms;
')
optional_policy(`
apache_search_sys_content(crond_t)
')
optional_policy(`
djbdns_search_tinydns_keys(crond_t)
djbdns_link_tinydns_keys(crond_t)
')
optional_policy(`
locallogin_search_keys(crond_t)
locallogin_link_keys(crond_t)
')
optional_policy(`
# these should probably be unconfined_crond_t
dbus_system_bus_client(crond_t)
init_dbus_send_script(crond_t)
')
optional_policy(`
mono_domtrans(crond_t)
')
optional_policy(`
amanda_search_var_lib(crond_t)
')
optional_policy(`
amavis_search_lib(crond_t)
')
optional_policy(`
hal_dbus_chat(crond_t)
hal_write_log(crond_t)
hal_dbus_chat(system_cronjob_t)
')
optional_policy(`
# cjp: why?
munin_search_lib(crond_t)
')
optional_policy(`
rpc_search_nfs_state_data(crond_t)
')
optional_policy(`
# Commonly used from postinst scripts
rpm_read_pipes(crond_t)
')
optional_policy(`
# allow crond to find /usr/lib/postgresql/bin/do.maintenance
postgresql_search_db(crond_t)
')
optional_policy(`
udev_read_db(crond_t)
')
optional_policy(`
vnstatd_search_lib(crond_t)
')
########################################
#
# System cron process domain
#
allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
dontaudit system_cronjob_t self:capability sys_ptrace;
allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;
# This is to handle creation of files in /var/log directory.
# Used currently by rpm script log files
allow system_cronjob_t cron_log_t:file manage_file_perms;
logging_log_filetrans(system_cronjob_t, cron_log_t, file)
# This is to handle /var/lib/misc directory. Used currently
# by prelink var/lib files for cron
allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
allow system_cronjob_t cron_var_run_t:file manage_file_perms;
files_pid_filetrans(system_cronjob_t, cron_var_run_t, file)
allow system_cronjob_t system_cron_spool_t:file read_file_perms;
# anacron forces the following
manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
# the crontab file has a type that is appropriate
# for the domain of the user cron job. It
# performs an entrypoint permission check
# for this purpose.
allow system_cronjob_t system_cron_spool_t:file entrypoint;
# Permit a transition from the crond_t domain to this domain.
# The transition is requested explicitly by the modified crond
# via setexeccon. There is no way to set up an automatic
# transition, since crontabs are configuration files, not executables.
allow crond_t system_cronjob_t:process transition;
dontaudit crond_t system_cronjob_t:process { noatsecure siginh rlimitinh };
allow crond_t system_cronjob_t:fd use;
allow system_cronjob_t crond_t:fd use;
allow system_cronjob_t crond_t:fifo_file rw_file_perms;
allow system_cronjob_t crond_t:process sigchld;
allow crond_t system_cronjob_t:key manage_key_perms;
# Write /var/lock/makewhatis.lock.
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file)
# write temporary files
manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
# var/lib files for system_crond
files_search_var_lib(system_cronjob_t)
manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
# Read from /var/spool/cron.
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
allow system_cronjob_t cron_spool_t:file rw_file_perms;
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
kernel_read_software_raid_state(system_cronjob_t)
# ps does not need to access /boot when run from cron
files_dontaudit_search_boot(system_cronjob_t)
corecmd_exec_all_executables(system_cronjob_t)
corenet_all_recvfrom_unlabeled(system_cronjob_t)
corenet_all_recvfrom_netlabel(system_cronjob_t)
corenet_tcp_sendrecv_generic_if(system_cronjob_t)
corenet_udp_sendrecv_generic_if(system_cronjob_t)
corenet_tcp_sendrecv_generic_node(system_cronjob_t)
corenet_udp_sendrecv_generic_node(system_cronjob_t)
corenet_tcp_sendrecv_all_ports(system_cronjob_t)
corenet_udp_sendrecv_all_ports(system_cronjob_t)
dev_getattr_all_blk_files(system_cronjob_t)
dev_getattr_all_chr_files(system_cronjob_t)
dev_read_urand(system_cronjob_t)
dev_read_sysfs(system_cronjob_t)
fs_getattr_all_fs(system_cronjob_t)
fs_getattr_all_files(system_cronjob_t)
fs_getattr_all_symlinks(system_cronjob_t)
fs_getattr_all_pipes(system_cronjob_t)
fs_getattr_all_sockets(system_cronjob_t)
# quiet other ps operations
domain_dontaudit_read_all_domains_state(system_cronjob_t)
files_exec_etc_files(system_cronjob_t)
files_read_etc_files(system_cronjob_t)
files_read_etc_runtime_files(system_cronjob_t)
files_list_all(system_cronjob_t)
files_getattr_all_dirs(system_cronjob_t)
files_getattr_all_files(system_cronjob_t)
files_getattr_all_symlinks(system_cronjob_t)
files_getattr_all_pipes(system_cronjob_t)
files_getattr_all_sockets(system_cronjob_t)
files_read_usr_files(system_cronjob_t)
files_read_var_files(system_cronjob_t)
# for nscd:
files_dontaudit_search_pids(system_cronjob_t)
# Access other spool directories like
# /var/spool/anacron and /var/spool/slrnpull.
files_manage_generic_spool(system_cronjob_t)
files_create_boot_flag(system_cronjob_t)
init_use_script_fds(system_cronjob_t)
init_read_utmp(system_cronjob_t)
init_dontaudit_rw_utmp(system_cronjob_t)
# prelink tells init to restart it self, we either need to allow or dontaudit
init_telinit(system_cronjob_t)
init_domtrans_script(system_cronjob_t)
auth_use_nsswitch(system_cronjob_t)
libs_exec_lib_files(system_cronjob_t)
libs_exec_ld_so(system_cronjob_t)
logging_read_generic_logs(system_cronjob_t)
logging_send_audit_msgs(system_cronjob_t)
logging_send_syslog_msg(system_cronjob_t)
miscfiles_read_localization(system_cronjob_t)
miscfiles_manage_man_pages(system_cronjob_t)
seutil_read_config(system_cronjob_t)
ifdef(`distro_redhat',`
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
allow crond_t system_cron_spool_t:file manage_file_perms;
# via redirection of standard out.
optional_policy(`
rpm_manage_log(system_cronjob_t)
')
')
tunable_policy(`cron_can_relabel',`
seutil_domtrans_setfiles(system_cronjob_t)
',`
selinux_get_fs_mount(system_cronjob_t)
selinux_validate_context(system_cronjob_t)
selinux_compute_access_vector(system_cronjob_t)
selinux_compute_create_context(system_cronjob_t)
selinux_compute_relabel_context(system_cronjob_t)
selinux_compute_user_contexts(system_cronjob_t)
seutil_read_file_contexts(system_cronjob_t)
')
optional_policy(`
# Needed for certwatch
apache_exec_modules(system_cronjob_t)
apache_read_config(system_cronjob_t)
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
apache_delete_cache_dirs(system_cronjob_t)
apache_delete_cache_files(system_cronjob_t)
')
optional_policy(`
cyrus_manage_data(system_cronjob_t)
')
optional_policy(`
dbus_system_bus_client(system_cronjob_t)
')
optional_policy(`
exim_read_spool_files(system_cronjob_t)
')
optional_policy(`
ftp_read_log(system_cronjob_t)
')
optional_policy(`
inn_manage_log(system_cronjob_t)
inn_manage_pid(system_cronjob_t)
inn_read_config(system_cronjob_t)
')
optional_policy(`
livecd_read_tmp_files(system_cronjob_t)
')
optional_policy(`
lpd_list_spool(system_cronjob_t)
')
optional_policy(`
mono_domtrans(system_cronjob_t)
')
optional_policy(`
mrtg_append_create_logs(system_cronjob_t)
')
optional_policy(`
mta_send_mail(system_cronjob_t)
mta_system_content(system_cron_spool_t)
')
optional_policy(`
mysql_read_config(system_cronjob_t)
')
optional_policy(`
postfix_read_config(system_cronjob_t)
')
optional_policy(`
prelink_delete_cache(system_cronjob_t)
prelink_manage_lib(system_cronjob_t)
prelink_manage_log(system_cronjob_t)
prelink_read_cache(system_cronjob_t)
prelink_relabel_lib(system_cronjob_t)
')
optional_policy(`
samba_read_config(system_cronjob_t)
samba_read_log(system_cronjob_t)
#samba_read_secrets(system_cronjob_t)
')
optional_policy(`
slocate_create_append_log(system_cronjob_t)
')
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
spamassassin_manage_home_client(system_cronjob_t)
')
optional_policy(`
sysstat_manage_log(system_cronjob_t)
')
optional_policy(`
unconfined_domain(crond_t)
unconfined_domain(system_cronjob_t)
')
optional_policy(`
unconfined_shell_domtrans(crond_t)
unconfined_dbus_send(crond_t)
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
########################################
#
# User cronjobs local policy
#
allow cronjob_t self:process { signal_perms setsched };
allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
allow cronjob_t self:unix_dgram_socket create_socket_perms;
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
# the crontab file has a type that is appropriate
# for the domain of the user cron job. It
# performs an entrypoint permission check
# for this purpose.
allow cronjob_t user_cron_spool_t:file entrypoint;
# Permit a transition from the crond_t domain to this domain.
# The transition is requested explicitly by the modified crond
# via setexeccon. There is no way to set up an automatic
# transition, since crontabs are configuration files, not executables.
allow crond_t cronjob_t:process transition;
dontaudit crond_t cronjob_t:process { noatsecure siginh rlimitinh };
allow crond_t cronjob_t:fd use;
allow cronjob_t crond_t:fd use;
allow cronjob_t crond_t:fifo_file rw_file_perms;
allow cronjob_t crond_t:process sigchld;
kernel_read_system_state(cronjob_t)
kernel_read_kernel_sysctls(cronjob_t)
# ps does not need to access /boot when run from cron
files_dontaudit_search_boot(cronjob_t)
corenet_all_recvfrom_unlabeled(cronjob_t)
corenet_all_recvfrom_netlabel(cronjob_t)
corenet_tcp_sendrecv_generic_if(cronjob_t)
corenet_udp_sendrecv_generic_if(cronjob_t)
corenet_tcp_sendrecv_generic_node(cronjob_t)
corenet_udp_sendrecv_generic_node(cronjob_t)
corenet_tcp_sendrecv_all_ports(cronjob_t)
corenet_udp_sendrecv_all_ports(cronjob_t)
corenet_tcp_connect_all_ports(cronjob_t)
corenet_sendrecv_all_client_packets(cronjob_t)
dev_read_urand(cronjob_t)
fs_getattr_all_fs(cronjob_t)
corecmd_exec_all_executables(cronjob_t)
# quiet other ps operations
domain_dontaudit_read_all_domains_state(cronjob_t)
domain_dontaudit_getattr_all_domains(cronjob_t)
files_read_usr_files(cronjob_t)
files_exec_etc_files(cronjob_t)
# for nscd:
files_dontaudit_search_pids(cronjob_t)
libs_exec_lib_files(cronjob_t)
libs_exec_ld_so(cronjob_t)
files_read_etc_runtime_files(cronjob_t)
files_read_var_files(cronjob_t)
files_search_spool(cronjob_t)
logging_search_logs(cronjob_t)
seutil_read_config(cronjob_t)
miscfiles_read_localization(cronjob_t)
userdom_manage_user_tmp_files(cronjob_t)
userdom_manage_user_tmp_symlinks(cronjob_t)
userdom_manage_user_tmp_pipes(cronjob_t)
userdom_manage_user_tmp_sockets(cronjob_t)
# Run scripts in user home directory and access shared libs.
userdom_exec_user_home_content_files(cronjob_t)
# Access user files and dirs.
userdom_manage_user_home_content_files(cronjob_t)
userdom_manage_user_home_content_symlinks(cronjob_t)
userdom_manage_user_home_content_pipes(cronjob_t)
userdom_manage_user_home_content_sockets(cronjob_t)
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
allow crond_t user_cron_spool_t:file manage_lnk_file_perms;
tunable_policy(`fcron_crond',`
allow crond_t user_cron_spool_t:file manage_file_perms;
')
# need a per-role version of this:
#optional_policy(`
# mono_domtrans(cronjob_t)
#')
optional_policy(`
nis_use_ypbind(cronjob_t)
')
########################################
#
# Unconfined cronjobs local policy
#
optional_policy(`
# Permit a transition from the crond_t domain to this domain.
# The transition is requested explicitly by the modified crond
# via setexeccon. There is no way to set up an automatic
# transition, since crontabs are configuration files, not executables.
allow crond_t unconfined_cronjob_t:process transition;
dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
allow crond_t unconfined_cronjob_t:fd use;
unconfined_domain(unconfined_cronjob_t)
')