diff --git a/cron.if b/cron.if
index ddc323e..384fda7 100644
--- a/cron.if
+++ b/cron.if
@@ -42,7 +42,7 @@ template(`cron_common_crontab_template',`
########################################
##
-## Role access for cron
+## Role access for cron.
##
##
##
@@ -60,6 +60,7 @@ interface(`cron_role',`
gen_require(`
type cronjob_t, crontab_t, crontab_exec_t;
type user_cron_spool_t, crond_t;
+ bool cron_userdomain_transition;
')
##############################
@@ -82,14 +83,32 @@ interface(`cron_role',`
allow $2 user_cron_spool_t:file { getattr read write ioctl };
allow $2 crontab_t:process { ptrace signal_perms };
- ps_process_pattern($2, { cronjob_t crontab_t })
+ ps_process_pattern($2, crontab_t)
corecmd_exec_bin(crontab_t)
corecmd_exec_shell(crontab_t)
tunable_policy(`cron_userdomain_transition',`
allow crond_t $2:process transition;
+ allow crond_t $2:fd use;
+ allow crond_t $2:key manage_key_perms;
+
allow $2 user_cron_spool_t:file entrypoint;
+
+ allow $2 crond_t:fifo_file rw_fifo_file_perms;
+
+ allow $2 cronjob_t:process { ptrace signal_perms };
+ ps_process_pattern($2, cronjob_t)
+ ',`
+ dontaudit crond_t $2:process transition;
+ dontaudit crond_t $2:fd use;
+ dontaudit crond_t $2:key manage_key_perms;
+
+ dontaudit $2 user_cron_spool_t:file entrypoint;
+
+ dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+
+ dontaudit $2 cronjob_t:process { ptrace signal_perms };
')
optional_policy(`
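Review bot: The role's access to `cronjob_t` processes looks attached to the wrong branch of `cron_userdomain_transition`: `allow $2 cronjob_t:process { ptrace signal_perms };` and `ps_process_pattern($2, cronjob_t)` are granted only when the tunable is on, while the cron.te part of this commit allows crond_t to transition to cronjob_t only when it is off. With the tunable off, jobs presumably still run in cronjob_t, but the role loses the `ps_process_pattern` access it had before this change, and `dontaudit $2 cronjob_t:process { ptrace signal_perms };` hides the resulting denials. If that is not intended, move the two lines to the false branch or keep them unconditional, and consider granting only `signal_perms` unless `ptrace` on job processes is really needed. The same pattern recurs in cron_unconfined_role (for unconfined_cronjob_t) and cron_admin_role; the interface body continues outside this hunk.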
@@ -105,22 +124,24 @@ interface(`cron_role',`
########################################
##
-## Role access for unconfined cronjobs
+## Role access for unconfined cron.
##
##
##
-## Role allowed access
+## Role allowed access.
##
##
##
##
-## User domain for the role
+## User domain for the role.
##
##
#
interface(`cron_unconfined_role',`
gen_require(`
type unconfined_cronjob_t, crontab_t, crontab_exec_t;
+ type crond_t, user_cron_spool_t;
+ bool cron_userdomain_transition;
')
##############################
@@ -135,9 +156,12 @@ interface(`cron_unconfined_role',`
# Local policy
#
- ps_process_pattern($2, unconfined_cronjob_t)
+ domtrans_pattern($2, crontab_exec_t, crontab_t)
- # domtrans_pattern($2, crontab_exec_t, crontab_t)
+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
+ allow $2 crond_t:process sigchld;
+
+ allow $2 user_cron_spool_t:file { getattr read write ioctl };
allow $2 crontab_t:process { ptrace signal_perms };
ps_process_pattern($2, crontab_t)
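Review bot: `allow $2 crond_t:process sigchld;` and `dontaudit crond_t $2:process { noatsecure siginh rlimitinh };` are added unconditionally, although they only matter when crond_t is the parent of a process running in `$2`, which this commit permits only under `cron_userdomain_transition`. Placing both lines in the true branch of that tunable block would keep the grant as narrow as the transition it supports, the same way cron.te now gates `cronjob_t crond_t:process sigchld` on the tunable. cron_admin_role adds the same two lines. The interface body starts and ends outside this hunk.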
@@ -145,6 +169,29 @@ interface(`cron_unconfined_role',`
corecmd_exec_bin(crontab_t)
corecmd_exec_shell(crontab_t)
+ tunable_policy(`cron_userdomain_transition',`
+ allow crond_t $2:process transition;
+ allow crond_t $2:fd use;
+ allow crond_t $2:key manage_key_perms;
+
+ allow $2 user_cron_spool_t:file entrypoint;
+
+ allow $2 crond_t:fifo_file rw_fifo_file_perms;
+
+ allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
+ ps_process_pattern($2, unconfined_cronjob_t)
+ ',`
+ dontaudit crond_t $2:process transition;
+ dontaudit crond_t $2:fd use;
+ dontaudit crond_t $2:key manage_key_perms;
+
+ dontaudit $2 user_cron_spool_t:file entrypoint;
+
+ dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+
+ dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms };
+')
+
optional_policy(`
gen_require(`
class dbus send_msg;
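Review bot: The false branch uses `dontaudit` to silence exactly the denials that would show crond_t trying to run a job in the role's domain while the tunable is off: `process transition`, `fd use`, `key manage_key_perms` and `file entrypoint`. Those records are the first thing an administrator looks for when a spool file is mislabelled or the tunable does not match the deployed configuration, and with these rules they only appear after dontaudit rules are disabled (for example with `semodule -DB`). Consider dropping at least `dontaudit crond_t $2:process transition;` and `dontaudit $2 user_cron_spool_t:file entrypoint;`, or add a comment above the branch naming the crond behaviour that produces these denials and why they are safe to hide. The same applies to the false branches in cron_role and cron_admin_role and to the true branches of the two new tunable blocks in cron.te.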
@@ -158,16 +205,16 @@ interface(`cron_unconfined_role',`
########################################
##
-## Role access for cron
+## Role access for admin cron.
##
##
##
-## Role allowed access
+## Role allowed access.
##
##
##
##
-## User domain for the role
+## User domain for the role.
##
##
#
@@ -175,23 +222,61 @@ interface(`cron_admin_role',`
gen_require(`
type cronjob_t, crontab_exec_t, admin_crontab_t;
class passwd crontab;
+ type crond_t, user_cron_spool_t;
+ bool cron_userdomain_transition;
')
- role $1 types { cronjob_t admin_crontab_t };
+ ##############################
+ #
+ # Declarations
+ #
- ps_process_pattern($2, cronjob_t)
+ role $1 types { cronjob_t admin_crontab_t };
- # Manipulate other users crontab.
- allow $2 self:passwd crontab;
+ ##############################
+ #
+ # Local policy
+ #
domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
+ allow $2 crond_t:process sigchld;
+
+ allow $2 user_cron_spool_t:file { getattr read write ioctl };
+
allow $2 admin_crontab_t:process { ptrace signal_perms };
ps_process_pattern($2, admin_crontab_t)
+ # Manipulate other users crontab.
+ allow $2 self:passwd crontab;
+
corecmd_exec_bin(admin_crontab_t)
corecmd_exec_shell(admin_crontab_t)
+ tunable_policy(`cron_userdomain_transition',`
+ allow crond_t $2:process transition;
+ allow crond_t $2:fd use;
+ allow crond_t $2:key manage_key_perms;
+
+ allow $2 user_cron_spool_t:file entrypoint;
+
+ allow $2 crond_t:fifo_file rw_fifo_file_perms;
+
+ allow $2 cronjob_t:process { ptrace signal_perms };
+ ps_process_pattern($2, cronjob_t)
+ ',`
+ dontaudit crond_t $2:process transition;
+ dontaudit crond_t $2:fd use;
+ dontaudit crond_t $2:key manage_key_perms;
+
+ dontaudit $2 user_cron_spool_t:file entrypoint;
+
+ dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+
+ dontaudit $2 cronjob_t:process { ptrace signal_perms };
+')
+
optional_policy(`
gen_require(`
class dbus send_msg;
diff --git a/cron.te b/cron.te
index ca4db91..f46f15a 100644
--- a/cron.te
+++ b/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.5.0)
+policy_module(cron, 2.5.1)
gen_require(`
class passwd rootok;
@@ -130,7 +130,7 @@ ifdef(`enable_mcs',`
##############################
#
-# Common local policy
+# Common crontab local policy
#
allow crontab_domain self:capability { fowner setuid setgid chown dac_override };
@@ -152,7 +152,7 @@ selinux_dontaudit_search_fs(crontab_domain)
files_list_spool(crontab_domain)
files_read_etc_files(crontab_domain)
files_read_usr_files(crontab_domain)
-files_dontaudit_search_pids(crontab_domain)
+files_search_pids(crontab_domain)
fs_getattr_xattr_fs(crontab_domain)
fs_manage_cgroup_dirs(crontab_domain)
@@ -166,6 +166,7 @@ auth_rw_var_auth(crontab_domain)
logging_send_syslog_msg(crontab_domain)
logging_send_audit_msgs(crontab_domain)
+logging_set_loginuid(crontab_domain)
init_dontaudit_write_utmp(crontab_domain)
init_read_utmp(crontab_domain)
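Review bot: `logging_set_loginuid(crontab_domain)` is now granted to every crontab domain unconditionally, where it was previously limited to `cron_userdomain_transition` being on (the block removed in the next hunk). The audit login UID is what attributes audit records to the original login session, so the ability to set it should stay with as few domains as possible, and nothing visible in the commit says why crontab needs it in the default configuration. If the access is required independently of the tunable, add a one-line comment above the call stating which crontab code path sets the loginuid; otherwise keep the call inside `tunable_policy(`cron_userdomain_transition', ...)`.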
@@ -181,10 +182,6 @@ userdom_use_user_terminals(crontab_domain)
userdom_read_user_home_content_files(crontab_domain)
userdom_read_user_home_content_symlinks(crontab_domain)
-tunable_policy(`cron_userdomain_transition',`
- logging_set_loginuid(crontab_domain)
-')
-
tunable_policy(`fcron_crond',`
dontaudit crontab_domain crond_t:process signal;
')
@@ -248,9 +245,10 @@ read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
allow crond_t user_cron_spool_t:file manage_lnk_file_perms;
-allow crond_t { cronjob_t system_cronjob_t unconfined_cronjob_t }:process transition;
-allow crond_t { cronjob_t system_cronjob_t unconfined_cronjob_t }:fd use;
-allow crond_t { cronjob_t system_cronjob_t unconfined_cronjob_t }:key manage_key_perms;
+allow crond_t system_cronjob_t:process transition;
+allow crond_t system_cronjob_t:fd use;
+allow crond_t system_cronjob_t:key manage_key_perms;
+
dontaudit crond_t { cronjob_t system_cronjob_t unconfined_cronjob_t }:process { noatsecure siginh rlimitinh };
domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
@@ -284,7 +282,6 @@ files_search_var_lib(crond_t)
files_search_default(crond_t)
mls_fd_share_all_levels(crond_t)
-# crontab -e and kernel check of transition
mls_file_read_all_levels(crond_t)
mls_file_write_all_levels(crond_t)
mls_process_set_level(crond_t)
@@ -314,16 +311,24 @@ seutil_read_default_contexts(crond_t)
miscfiles_read_localization(crond_t)
-userdom_use_unpriv_users_fds(crond_t)
userdom_list_user_home_dirs(crond_t)
mta_send_mail(crond_t)
+tunable_policy(`cron_userdomain_transition',`
+ dontaudit crond_t { cronjob_t unconfined_cronjob_t }:process transition;
+ dontaudit crond_t { cronjob_t unconfined_cronjob_t }:fd use;
+ dontaudit crond_t { cronjob_t unconfined_cronjob_t }:key manage_key_perms;
+',`
+ allow crond_t { cronjob_t unconfined_cronjob_t }:process transition;
+ allow crond_t { cronjob_t unconfined_cronjob_t }:fd use;
+ allow crond_t { cronjob_t unconfined_cronjob_t }:key manage_key_perms;
+')
+
ifdef(`distro_debian',`
allow crond_t self:process setrlimit;
optional_policy(`
- # Debian logcheck has the home dir set to its cache
logwatch_search_cache_dir(crond_t)
')
')
@@ -338,8 +343,8 @@ tunable_policy(`allow_polyinstantiation',`
files_polyinstantiate_all(crond_t)
')
-tunable_policy(`fcron_crond', `
- allow crond_t system_cron_spool_t:file manage_file_perms;
+tunable_policy(`fcron_crond',`
+ allow crond_t { system_cron_spool_t user_cron_spool_t }:file manage_file_perms;
')
optional_policy(`
@@ -438,7 +443,7 @@ files_search_var_lib(system_cronjob_t)
manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
allow system_cronjob_t crond_t:fd use;
-allow system_cronjob_t crond_t:fifo_file rw_file_perms;
+allow system_cronjob_t crond_t:fifo_file rw_fifo_file_perms;
allow system_cronjob_t crond_t:process sigchld;
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
@@ -584,7 +589,7 @@ optional_policy(`
optional_policy(`
postfix_read_config(system_cronjob_t)
-')
+')
optional_policy(`
prelink_delete_cache(system_cronjob_t)
@@ -625,12 +630,6 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
allow cronjob_t self:unix_dgram_socket create_socket_perms;
-allow cronjob_t user_cron_spool_t:file entrypoint;
-
-allow cronjob_t crond_t:fd use;
-allow cronjob_t crond_t:fifo_file rw_file_perms;
-allow cronjob_t crond_t:process sigchld;
-
kernel_read_system_state(cronjob_t)
kernel_read_kernel_sysctls(cronjob_t)
@@ -683,8 +682,18 @@ userdom_manage_user_home_content_symlinks(cronjob_t)
userdom_manage_user_home_content_pipes(cronjob_t)
userdom_manage_user_home_content_sockets(cronjob_t)
-tunable_policy(`fcron_crond',`
- allow crond_t user_cron_spool_t:file manage_file_perms;
+tunable_policy(`cron_userdomain_transition',`
+ dontaudit cronjob_t crond_t:fd use;
+ dontaudit cronjob_t crond_t:fifo_file rw_fifo_file_perms;
+ dontaudit cronjob_t crond_t:process sigchld;
+
+ dontaudit cronjob_t user_cron_spool_t:file entrypoint;
+',`
+ allow cronjob_t crond_t:fd use;
+ allow cronjob_t crond_t:fifo_file rw_fifo_file_perms;
+ allow cronjob_t crond_t:process sigchld;
+
+ allow cronjob_t user_cron_spool_t:file entrypoint;
')
optional_policy(`