psss / rpms / selinux-policy

Forked from rpms/selinux-policy 5 years ago
Clone
Source Code
GIT

Files

  1.   152369d462a2067879ab693478c0843b44228a2d
  2.   cron.if
Blob Blame History Raw 
## <summary>Periodic execution of scheduled commands.</summary>

#######################################
## <summary>
##	The template to define a crontab domain.
## </summary>
## <param name="domain_prefix">
##	<summary>
##	Domain prefix to be used.
##	</summary>
## </param>
#
template(`cron_common_crontab_template',`
	gen_require(`
		attribute crontab_domain;
		type crontab_exec_t;
	')

	##############################
	#
	# Declarations
	#

	type $1_t, crontab_domain;
	userdom_user_application_domain($1_t, crontab_exec_t)

	type $1_tmp_t;
	userdom_user_tmp_file($1_tmp_t)

	##############################
	#
	# Local policy
	#

	manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
	manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
	files_tmp_filetrans($1_t, $1_tmp_t, { dir file })

	auth_domtrans_chk_passwd($1_t)
	auth_use_nsswitch($1_t)
')

########################################
## <summary>
##	Role access for cron.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
## <rolecap/>
#
interface(`cron_role',`
	gen_require(`
		type cronjob_t, crontab_t, crontab_exec_t;
		type user_cron_spool_t, crond_t;
		bool cron_userdomain_transition;
	')

	##############################
	#
	# Declarations
	#

	role $1 types { cronjob_t crontab_t };

	##############################
	#
	# Local policy
	#

	domtrans_pattern($2, crontab_exec_t, crontab_t)

	dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
	allow $2 crond_t:process sigchld;

	allow $2 user_cron_spool_t:file { getattr read write ioctl };

	allow $2 crontab_t:process { ptrace signal_perms };
	ps_process_pattern($2, crontab_t)

	corecmd_exec_bin(crontab_t)
	corecmd_exec_shell(crontab_t)

	tunable_policy(`cron_userdomain_transition',`
		allow crond_t $2:process transition;
		allow crond_t $2:fd use;
		allow crond_t $2:key manage_key_perms;

		allow $2 user_cron_spool_t:file entrypoint;

		allow $2 crond_t:fifo_file rw_fifo_file_perms;

		allow $2 cronjob_t:process { ptrace signal_perms };
		ps_process_pattern($2, cronjob_t)
	',`
		dontaudit crond_t $2:process transition;
		dontaudit crond_t $2:fd use;
		dontaudit crond_t $2:key manage_key_perms;

		dontaudit $2 user_cron_spool_t:file entrypoint;

		dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;

		dontaudit $2 cronjob_t:process { ptrace signal_perms };
	')

	optional_policy(`
		gen_require(`
			class dbus send_msg;
		')

		dbus_stub(cronjob_t)

		allow cronjob_t $2:dbus send_msg;
	')
')

########################################
## <summary>
##	Role access for unconfined cron.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
interface(`cron_unconfined_role',`
	gen_require(`
		type unconfined_cronjob_t, crontab_t, crontab_exec_t;
		type crond_t, user_cron_spool_t;
		bool cron_userdomain_transition;
	')

	##############################
	#
	# Declarations
	#

	role $1 types { unconfined_cronjob_t crontab_t };

	##############################
	#
	# Local policy
	#

	domtrans_pattern($2, crontab_exec_t, crontab_t)

	dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
	allow $2 crond_t:process sigchld;

	allow $2 user_cron_spool_t:file { getattr read write ioctl };

	allow $2 crontab_t:process { ptrace signal_perms };
	ps_process_pattern($2, crontab_t)

	corecmd_exec_bin(crontab_t)
	corecmd_exec_shell(crontab_t)

	tunable_policy(`cron_userdomain_transition',`
		allow crond_t $2:process transition;
		allow crond_t $2:fd use;
		allow crond_t $2:key manage_key_perms;

		allow $2 user_cron_spool_t:file entrypoint;

		allow $2 crond_t:fifo_file rw_fifo_file_perms;

		allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
		ps_process_pattern($2, unconfined_cronjob_t)
	',`
		dontaudit crond_t $2:process transition;
		dontaudit crond_t $2:fd use;
		dontaudit crond_t $2:key manage_key_perms;

		dontaudit $2 user_cron_spool_t:file entrypoint;

		dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;

		dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms };
')

	optional_policy(`
		gen_require(`
			class dbus send_msg;
		')

		dbus_stub(unconfined_cronjob_t)

		allow unconfined_cronjob_t $2:dbus send_msg;
	')
')

########################################
## <summary>
##	Role access for admin cron.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
interface(`cron_admin_role',`
	gen_require(`
		type cronjob_t, crontab_exec_t, admin_crontab_t;
		class passwd crontab;
		type crond_t, user_cron_spool_t;
		bool cron_userdomain_transition;
	')

	##############################
	#
	# Declarations
	#

	role $1 types { cronjob_t admin_crontab_t };

	##############################
	#
	# Local policy
	#

	domtrans_pattern($2, crontab_exec_t, admin_crontab_t)

	dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
	allow $2 crond_t:process sigchld;

	allow $2 user_cron_spool_t:file { getattr read write ioctl };

	allow $2 admin_crontab_t:process { ptrace signal_perms };
	ps_process_pattern($2, admin_crontab_t)

	# Manipulate other users crontab.
	allow $2 self:passwd crontab;

	corecmd_exec_bin(admin_crontab_t)
	corecmd_exec_shell(admin_crontab_t)

	tunable_policy(`cron_userdomain_transition',`
		allow crond_t $2:process transition;
		allow crond_t $2:fd use;
		allow crond_t $2:key manage_key_perms;

		allow $2 user_cron_spool_t:file entrypoint;

		allow $2 crond_t:fifo_file rw_fifo_file_perms;

		allow $2 cronjob_t:process { ptrace signal_perms };
		ps_process_pattern($2, cronjob_t)
	',`
		dontaudit crond_t $2:process transition;
		dontaudit crond_t $2:fd use;
		dontaudit crond_t $2:key manage_key_perms;

		dontaudit $2 user_cron_spool_t:file entrypoint;

		dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;

		dontaudit $2 cronjob_t:process { ptrace signal_perms };
	')

	optional_policy(`
		gen_require(`
			class dbus send_msg;
		')

		dbus_stub(admin_cronjob_t)

		allow cronjob_t $2:dbus send_msg;
	')
')

########################################
## <summary>
##	Make the specified program domain
##	accessable from the system cron jobs.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process to transition to.
##	</summary>
## </param>
## <param name="entrypoint">
##	<summary>
##	The type of the file used as an entrypoint to this domain.
##	</summary>
## </param>
#
interface(`cron_system_entry',`
	gen_require(`
		type crond_t, system_cronjob_t;
	')

	domtrans_pattern(system_cronjob_t, $2, $1)
	domtrans_pattern(crond_t, $2, $1)

	role system_r types $1;
')

########################################
## <summary>
##	Execute cron in the cron system domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`cron_domtrans',`
	gen_require(`
		type system_cronjob_t, crond_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, crond_exec_t, system_cronjob_t)
')

########################################
## <summary>
##	Execute crond in the caller domain. 
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cron_exec',`
	gen_require(`
		type crond_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, crond_exec_t)
')

########################################
## <summary>
##	Execute crond server in the crond domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`cron_initrc_domtrans',`
	gen_require(`
		type crond_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, crond_initrc_exec_t)
')

########################################
## <summary>
##	Use crond file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cron_use_fds',`
	gen_require(`
		type crond_t;
	')

	allow $1 crond_t:fd use;
')

########################################
## <summary>
##	Send child terminated signals to crond.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cron_sigchld',`
	gen_require(`
		type crond_t;
	')

	allow $1 crond_t:process sigchld;
')

########################################
## <summary>
##	Set the attributes of cron log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cron_setattr_log_files',`
	gen_require(`
		type cron_log_t;
	')

	allow $1 cron_log_t:file setattr_file_perms;
')

########################################
## <summary>
##	Create cron log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cron_create_log_files',`
	gen_require(`
		type cron_log_t;
	')

	create_files_pattern($1, cron_log_t, cron_log_t)
')

########################################
## <summary>
##	Write to cron log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cron_write_log_files',`
	gen_require(`
		type cron_log_t;
	')

	allow $1 cron_log_t:file write_file_perms;
')

########################################
## <summary>
##	Create specified objects in generic
##	log directories with the cron log file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	Class of the object being created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`cron_generic_log_filetrans_log',`
	gen_require(`
		type cron_log_t;
	')

	logging_log_filetrans($1, cron_log_t, $2, $3)
')

########################################
## <summary>
##	Read cron daemon unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cron_read_pipes',`
	gen_require(`
		type crond_t;
	')

	allow $1 crond_t:fifo_file read_fifo_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to write
##	cron daemon unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`cron_dontaudit_write_pipes',`
	gen_require(`
		type crond_t;
	')

	dontaudit $1 crond_t:fifo_file write;
')

########################################
## <summary>
##	Read and write crond unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cron_rw_pipes',`
	gen_require(`
		type crond_t;
	')

	allow $1 crond_t:fifo_file { getattr read write };
')

########################################
## <summary>
##	Read and write crond TCP sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cron_rw_tcp_sockets',`
	gen_require(`
		type crond_t;
	')

	allow $1 crond_t:tcp_socket { read write };
')

########################################
## <summary>
##	Do not audit attempts to read and
##	write cron daemon TCP sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`cron_dontaudit_rw_tcp_sockets',`
	gen_require(`
		type crond_t;
	')

	dontaudit $1 crond_t:tcp_socket { read write };
')

########################################
## <summary>
##	Search cron spool directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cron_search_spool',`
	gen_require(`
		type cron_spool_t;
	')

	files_search_spool($1)
	allow $1 cron_spool_t:dir search_dir_perms;
')

########################################
## <summary>
##	Create, read, write, and delete
##	crond pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cron_manage_pid_files',`
	gen_require(`
		type crond_var_run_t;
	')

	manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
')

########################################
## <summary>
##	Execute anacron in the cron
##	system domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`cron_anacron_domtrans_system_job',`
	gen_require(`
		type system_cronjob_t, anacron_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, anacron_exec_t, system_cronjob_t)
')

########################################
## <summary>
##	Use system cron job file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cron_use_system_job_fds',`
	gen_require(`
		type system_cronjob_t;
	')

	allow $1 system_cronjob_t:fd use;
')

########################################
## <summary>
##	Read system cron job lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cron_read_system_job_lib_files',`
	gen_require(`
		type system_cronjob_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')

########################################
## <summary>
##	Create, read, write, and delete
##	system cron job lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cron_manage_system_job_lib_files',`
	gen_require(`
		type system_cronjob_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')

########################################
## <summary>
##	Write system cron job unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cron_write_system_job_pipes',`
	gen_require(`
		type system_cronjob_t;
	')

	allow $1 system_cronjob_t:file write;
')

########################################
## <summary>
##	Read and write system cron job
##	unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cron_rw_system_job_pipes',`
	gen_require(`
		type system_cronjob_t;
	')

	allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
')

########################################
## <summary>
##	Read and write inherited system cron
##	job unix domain stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cron_rw_system_job_stream_sockets',`
	gen_require(`
		type system_cronjob_t;
	')

	allow $1 system_cronjob_t:unix_stream_socket { read write };
')

########################################
## <summary>
##	Read system cron job temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cron_read_system_job_tmp_files',`
	gen_require(`
		type system_cronjob_tmp_t;
	')

	files_search_tmp($1)
	allow $1 system_cronjob_tmp_t:file read_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to append temporary
##	system cron job files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`cron_dontaudit_append_system_job_tmp_files',`
	gen_require(`
		type system_cronjob_tmp_t;
	')

	dontaudit $1 system_cronjob_tmp_t:file append_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to write temporary
##	system cron job files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`cron_dontaudit_write_system_job_tmp_files',`
	gen_require(`
		type system_cronjob_tmp_t;
	')

	dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
')
Powered by Pagure 5.14.1
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.