915 lines
25 KiB
Text
915 lines
25 KiB
Text
|
policy_module(cron, 2.6.3)
|
||
|
|
||
|
gen_require(`
|
||
|
class passwd rootok;
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
#
|
||
|
# Declarations
|
||
|
#
|
||
|
|
||
|
## <desc>
|
||
|
## <p>
|
||
|
## Allow system cron jobs to relabel filesystem
|
||
|
## for restoring file contexts.
|
||
|
## </p>
|
||
|
## </desc>
|
||
|
gen_tunable(cron_can_relabel, false)
|
||
|
|
||
|
## <desc>
|
||
|
## <p>
|
||
|
## Determine whether crond can execute jobs
|
||
|
## in the user domain as opposed to the
|
||
|
## the generic cronjob domain.
|
||
|
## </p>
|
||
|
## </desc>
|
||
|
gen_tunable(cron_userdomain_transition, true)
|
||
|
|
||
|
## <desc>
|
||
|
## <p>
|
||
|
## Allow system cronjob to be executed on
|
||
|
## on NFS, CIFS or FUSE filesystem.
|
||
|
## </p>
|
||
|
## </desc>
|
||
|
gen_tunable(cron_system_cronjob_use_shares, false)
|
||
|
|
||
|
## <desc>
|
||
|
## <p>
|
||
|
## Enable extra rules in the cron domain
|
||
|
## to support fcron.
|
||
|
## </p>
|
||
|
## </desc>
|
||
|
gen_tunable(fcron_crond, false)
|
||
|
|
||
|
attribute crontab_domain;
|
||
|
attribute cron_spool_type;
|
||
|
|
||
|
type anacron_exec_t;
|
||
|
application_executable_file(anacron_exec_t)
|
||
|
|
||
|
type cron_spool_t;
|
||
|
files_spool_file(cron_spool_t)
|
||
|
|
||
|
# var/lib files
|
||
|
type cron_var_lib_t;
|
||
|
files_type(cron_var_lib_t)
|
||
|
|
||
|
type cron_var_run_t;
|
||
|
files_pid_file(cron_var_run_t)
|
||
|
|
||
|
# var/log files
|
||
|
type cron_log_t;
|
||
|
logging_log_file(cron_log_t)
|
||
|
|
||
|
type cronjob_t;
|
||
|
typealias cronjob_t alias { user_crond_t staff_crond_t sysadm_crond_t };
|
||
|
typealias cronjob_t alias { auditadm_crond_t secadm_crond_t };
|
||
|
domain_type(cronjob_t)
|
||
|
domain_cron_exemption_target(cronjob_t)
|
||
|
corecmd_shell_entry_type(cronjob_t)
|
||
|
ubac_constrained(cronjob_t)
|
||
|
|
||
|
type crond_t;
|
||
|
type crond_exec_t;
|
||
|
init_daemon_domain(crond_t, crond_exec_t)
|
||
|
domain_interactive_fd(crond_t)
|
||
|
domain_cron_exemption_source(crond_t)
|
||
|
|
||
|
type crond_initrc_exec_t;
|
||
|
init_script_file(crond_initrc_exec_t)
|
||
|
|
||
|
type crond_unit_file_t;
|
||
|
systemd_unit_file(crond_unit_file_t)
|
||
|
|
||
|
type crond_tmp_t;
|
||
|
files_tmp_file(crond_tmp_t)
|
||
|
files_poly_parent(crond_tmp_t)
|
||
|
mta_system_content(crond_tmp_t)
|
||
|
|
||
|
type crond_var_run_t;
|
||
|
files_pid_file(crond_var_run_t)
|
||
|
mta_system_content(crond_var_run_t)
|
||
|
|
||
|
type crontab_exec_t;
|
||
|
application_executable_file(crontab_exec_t)
|
||
|
|
||
|
type admin_crontab_tmp_t;
|
||
|
files_tmp_file(admin_crontab_tmp_t)
|
||
|
|
||
|
type admin_crontab_t, crontab_domain;
|
||
|
cron_common_crontab_template(admin_crontab)
|
||
|
typealias admin_crontab_t alias sysadm_crontab_t;
|
||
|
typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t;
|
||
|
|
||
|
type crontab_tmp_t;
|
||
|
files_tmp_file(crontab_tmp_t)
|
||
|
|
||
|
type crontab_t, crontab_domain;
|
||
|
cron_common_crontab_template(crontab)
|
||
|
typealias crontab_t alias { user_crontab_t staff_crontab_t };
|
||
|
typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
|
||
|
typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
|
||
|
typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
|
||
|
allow admin_crontab_t crond_t:process signal;
|
||
|
|
||
|
type system_cron_spool_t, cron_spool_type;
|
||
|
files_spool_file(system_cron_spool_t)
|
||
|
|
||
|
type system_cronjob_t alias system_crond_t;
|
||
|
init_daemon_domain(system_cronjob_t, anacron_exec_t)
|
||
|
corecmd_shell_entry_type(system_cronjob_t)
|
||
|
corecmd_bin_entry_type(system_cronjob_t)
|
||
|
role system_r types system_cronjob_t;
|
||
|
domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
|
||
|
|
||
|
type system_cronjob_lock_t alias system_crond_lock_t;
|
||
|
files_lock_file(system_cronjob_lock_t)
|
||
|
|
||
|
type system_cronjob_tmp_t alias system_crond_tmp_t;
|
||
|
files_tmp_file(system_cronjob_tmp_t)
|
||
|
|
||
|
# Type of user crontabs once moved to cron spool.
|
||
|
type user_cron_spool_t, cron_spool_type;
|
||
|
typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
|
||
|
typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
|
||
|
files_spool_file(user_cron_spool_t)
|
||
|
ubac_constrained(user_cron_spool_t)
|
||
|
mta_system_content(user_cron_spool_t)
|
||
|
|
||
|
type system_cronjob_var_lib_t;
|
||
|
files_type(system_cronjob_var_lib_t)
|
||
|
typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
|
||
|
|
||
|
type system_cronjob_var_run_t;
|
||
|
files_pid_file(system_cronjob_var_run_t)
|
||
|
|
||
|
ifdef(`enable_mcs',`
|
||
|
init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
#
|
||
|
# Admin crontab local policy
|
||
|
#
|
||
|
|
||
|
# Allow our crontab domain to unlink a user cron spool file.
|
||
|
allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms };
|
||
|
|
||
|
manage_dirs_pattern(admin_crontab_t, admin_crontab_tmp_t, admin_crontab_tmp_t)
|
||
|
manage_files_pattern(admin_crontab_t, admin_crontab_tmp_t, admin_crontab_tmp_t)
|
||
|
files_tmp_filetrans(admin_crontab_t, admin_crontab_tmp_t, { dir file })
|
||
|
|
||
|
# Manipulate other users crontab.
|
||
|
selinux_get_fs_mount(admin_crontab_t)
|
||
|
selinux_validate_context(admin_crontab_t)
|
||
|
selinux_compute_access_vector(admin_crontab_t)
|
||
|
selinux_compute_create_context(admin_crontab_t)
|
||
|
selinux_compute_relabel_context(admin_crontab_t)
|
||
|
selinux_compute_user_contexts(admin_crontab_t)
|
||
|
|
||
|
tunable_policy(`fcron_crond',`
|
||
|
# fcron wants an instant update of a crontab change for the administrator
|
||
|
# also crontab does a security check for crontab -u
|
||
|
allow admin_crontab_t self:process setfscreate;
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
#
|
||
|
# Cron daemon local policy
|
||
|
#
|
||
|
|
||
|
allow crond_t self:capability { chown fowner setgid setuid sys_nice dac_read_search dac_override };
|
||
|
dontaudit crond_t self:capability { net_admin sys_resource sys_tty_config };
|
||
|
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
|
||
|
allow crond_t self:process { setexec setfscreate };
|
||
|
allow crond_t self:fd use;
|
||
|
allow crond_t self:fifo_file rw_fifo_file_perms;
|
||
|
allow crond_t self:unix_dgram_socket create_socket_perms;
|
||
|
allow crond_t self:unix_stream_socket create_stream_socket_perms;
|
||
|
allow crond_t self:unix_dgram_socket sendto;
|
||
|
allow crond_t self:unix_stream_socket connectto;
|
||
|
allow crond_t self:shm create_shm_perms;
|
||
|
allow crond_t self:sem create_sem_perms;
|
||
|
allow crond_t self:msgq create_msgq_perms;
|
||
|
allow crond_t self:msg { send receive };
|
||
|
allow crond_t self:key { search write link };
|
||
|
allow crond_t self:netlink_selinux_socket create_socket_perms;
|
||
|
dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
|
||
|
|
||
|
manage_files_pattern(crond_t, cron_log_t, cron_log_t)
|
||
|
logging_log_filetrans(crond_t, cron_log_t, file)
|
||
|
|
||
|
manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
|
||
|
files_pid_filetrans(crond_t, crond_var_run_t, file)
|
||
|
|
||
|
manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
|
||
|
|
||
|
manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
|
||
|
manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
|
||
|
files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
|
||
|
|
||
|
list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
|
||
|
read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
|
||
|
allow crond_t system_cron_spool_t:dir watch_dir_perms;
|
||
|
|
||
|
kernel_read_kernel_sysctls(crond_t)
|
||
|
kernel_read_fs_sysctls(crond_t)
|
||
|
kernel_search_key(crond_t)
|
||
|
|
||
|
dev_read_sysfs(crond_t)
|
||
|
selinux_get_fs_mount(crond_t)
|
||
|
selinux_validate_context(crond_t)
|
||
|
selinux_compute_access_vector(crond_t)
|
||
|
selinux_compute_create_context(crond_t)
|
||
|
selinux_compute_relabel_context(crond_t)
|
||
|
selinux_compute_user_contexts(crond_t)
|
||
|
|
||
|
dev_read_urand(crond_t)
|
||
|
|
||
|
fs_getattr_all_fs(crond_t)
|
||
|
fs_search_auto_mountpoints(crond_t)
|
||
|
|
||
|
# need auth_chkpwd to check for locked accounts.
|
||
|
auth_domtrans_chk_passwd(crond_t)
|
||
|
auth_manage_var_auth(crond_t)
|
||
|
|
||
|
corecmd_exec_shell(crond_t)
|
||
|
corecmd_list_bin(crond_t)
|
||
|
corecmd_exec_bin(crond_t)
|
||
|
corecmd_read_bin_symlinks(crond_t)
|
||
|
|
||
|
domain_use_interactive_fds(crond_t)
|
||
|
domain_subj_id_change_exemption(crond_t)
|
||
|
domain_role_change_exemption(crond_t)
|
||
|
|
||
|
files_read_etc_runtime_files(crond_t)
|
||
|
files_read_generic_spool(crond_t)
|
||
|
files_list_usr(crond_t)
|
||
|
# Read from /var/spool/cron.
|
||
|
files_search_var_lib(crond_t)
|
||
|
files_search_default(crond_t)
|
||
|
files_read_all_locks(crond_t)
|
||
|
|
||
|
fs_manage_cgroup_dirs(crond_t)
|
||
|
fs_manage_cgroup_files(crond_t)
|
||
|
|
||
|
# needed by "crontab -e"
|
||
|
mls_file_read_all_levels(crond_t)
|
||
|
mls_file_write_all_levels(crond_t)
|
||
|
|
||
|
# needed because of kernel check of transition
|
||
|
mls_process_set_level(crond_t)
|
||
|
|
||
|
# to make cronjob working
|
||
|
mls_fd_share_all_levels(crond_t)
|
||
|
mls_trusted_object(crond_t)
|
||
|
|
||
|
init_read_state(crond_t)
|
||
|
init_rw_utmp(crond_t)
|
||
|
init_spec_domtrans_script(crond_t)
|
||
|
|
||
|
auth_use_nsswitch(crond_t)
|
||
|
|
||
|
logging_send_audit_msgs(crond_t)
|
||
|
logging_send_syslog_msg(crond_t)
|
||
|
logging_set_loginuid(crond_t)
|
||
|
|
||
|
seutil_read_config(crond_t)
|
||
|
seutil_read_default_contexts(crond_t)
|
||
|
seutil_sigchld_newrole(crond_t)
|
||
|
|
||
|
|
||
|
userdom_use_unpriv_users_fds(crond_t)
|
||
|
# Not sure why this is needed
|
||
|
userdom_list_user_home_dirs(crond_t)
|
||
|
userdom_list_admin_dir(crond_t)
|
||
|
userdom_manage_all_users_keys(crond_t)
|
||
|
|
||
|
optional_policy(`
|
||
|
mta_send_mail(crond_t)
|
||
|
mta_filetrans_admin_home_content(crond_t)
|
||
|
mta_system_content(cron_spool_t)
|
||
|
')
|
||
|
|
||
|
ifdef(`distro_debian',`
|
||
|
# pam_limits is used
|
||
|
allow crond_t self:process setrlimit;
|
||
|
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
logwatch_search_cache_dir(crond_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
bind_read_config(crond_t)
|
||
|
')
|
||
|
|
||
|
ifdef(`distro_redhat',`
|
||
|
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
|
||
|
# via redirection of standard out.
|
||
|
optional_policy(`
|
||
|
rpm_manage_log(crond_t)
|
||
|
')
|
||
|
')
|
||
|
|
||
|
tunable_policy(`polyinstantiation_enabled',`
|
||
|
files_polyinstantiate_all(crond_t)
|
||
|
')
|
||
|
|
||
|
tunable_policy(`fcron_crond', `
|
||
|
allow crond_t system_cron_spool_t:file manage_file_perms;
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
apache_search_sys_content(crond_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
djbdns_search_tinydns_keys(crond_t)
|
||
|
djbdns_link_tinydns_keys(crond_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
locallogin_search_keys(crond_t)
|
||
|
locallogin_link_keys(crond_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
# these should probably be unconfined_crond_t
|
||
|
dbus_system_bus_client(crond_t)
|
||
|
init_dbus_send_script(crond_t)
|
||
|
init_dbus_chat(crond_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
amanda_search_var_lib(crond_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
antivirus_search_db(crond_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
# cjp: why?
|
||
|
munin_search_lib(crond_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
pcp_read_lib_files(crond_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
rpc_search_nfs_state_data(crond_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
# Commonly used from postinst scripts
|
||
|
rpm_read_pipes(crond_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
# allow crond to find /usr/lib/postgresql/bin/do.maintenance
|
||
|
postgresql_search_db(crond_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
systemd_use_fds_logind(crond_t)
|
||
|
systemd_write_inherited_logind_sessions_pipes(crond_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
udev_read_db(crond_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
vnstatd_search_lib(crond_t)
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
#
|
||
|
# System cron process domain
|
||
|
#
|
||
|
|
||
|
allow system_cronjob_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
|
||
|
|
||
|
allow system_cronjob_t self:process { signal_perms getsched setsched };
|
||
|
allow system_cronjob_t self:fd use;
|
||
|
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
|
||
|
allow system_cronjob_t self:passwd rootok;
|
||
|
|
||
|
# This is to handle creation of files in /var/log directory.
|
||
|
# Used currently by rpm script log files
|
||
|
allow system_cronjob_t cron_log_t:file manage_file_perms;
|
||
|
logging_log_filetrans(system_cronjob_t, cron_log_t, file)
|
||
|
|
||
|
# This is to handle /var/lib/misc directory. Used currently
|
||
|
# by prelink var/lib files for cron
|
||
|
allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
|
||
|
files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
|
||
|
|
||
|
allow system_cronjob_t cron_var_run_t:file manage_file_perms;
|
||
|
files_pid_filetrans(system_cronjob_t, cron_var_run_t, file)
|
||
|
|
||
|
allow system_cronjob_t system_cron_spool_t:file read_file_perms;
|
||
|
|
||
|
# anacron forces the following
|
||
|
manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
|
||
|
|
||
|
# The entrypoint interface is not used as this is not
|
||
|
# a regular entrypoint. Since crontab files are
|
||
|
# not directly executed, crond must ensure that
|
||
|
# the crontab file has a type that is appropriate
|
||
|
# for the domain of the user cron job. It
|
||
|
# performs an entrypoint permission check
|
||
|
# for this purpose.
|
||
|
allow system_cronjob_t system_cron_spool_t:file entrypoint;
|
||
|
|
||
|
tunable_policy(`cron_system_cronjob_use_shares',`
|
||
|
fs_fusefs_entrypoint(system_cronjob_t)
|
||
|
fs_nfs_entrypoint(system_cronjob_t)
|
||
|
fs_cifs_entrypoint(system_cronjob_t)
|
||
|
')
|
||
|
|
||
|
# Permit a transition from the crond_t domain to this domain.
|
||
|
# The transition is requested explicitly by the modified crond
|
||
|
# via setexeccon. There is no way to set up an automatic
|
||
|
# transition, since crontabs are configuration files, not executables.
|
||
|
allow crond_t system_cronjob_t:process transition;
|
||
|
dontaudit crond_t system_cronjob_t:process { noatsecure siginh rlimitinh };
|
||
|
allow crond_t system_cronjob_t:fd use;
|
||
|
allow system_cronjob_t crond_t:fd use;
|
||
|
allow system_cronjob_t crond_t:fifo_file rw_file_perms;
|
||
|
allow system_cronjob_t crond_t:process sigchld;
|
||
|
allow crond_t system_cronjob_t:key manage_key_perms;
|
||
|
|
||
|
# Write /var/lock/makewhatis.lock.
|
||
|
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
|
||
|
files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file)
|
||
|
|
||
|
# write temporary files
|
||
|
manage_dirs_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
|
||
|
manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
|
||
|
manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
|
||
|
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { dir file lnk_file })
|
||
|
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { dir file })
|
||
|
|
||
|
# var/lib files for system_crond
|
||
|
files_search_var_lib(system_cronjob_t)
|
||
|
manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
|
||
|
|
||
|
# Read from /var/spool/cron.
|
||
|
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
|
||
|
allow system_cronjob_t cron_spool_t:file rw_file_perms;
|
||
|
|
||
|
allow system_cronjob_t crond_tmp_t:file { read write };
|
||
|
|
||
|
kernel_read_kernel_sysctls(system_cronjob_t)
|
||
|
kernel_read_network_state(system_cronjob_t)
|
||
|
kernel_read_system_state(system_cronjob_t)
|
||
|
kernel_read_software_raid_state(system_cronjob_t)
|
||
|
|
||
|
# ps does not need to access /boot when run from cron
|
||
|
files_dontaudit_search_boot(system_cronjob_t)
|
||
|
|
||
|
corecmd_exec_all_executables(system_cronjob_t)
|
||
|
|
||
|
corenet_all_recvfrom_netlabel(system_cronjob_t)
|
||
|
corenet_tcp_sendrecv_generic_if(system_cronjob_t)
|
||
|
corenet_udp_sendrecv_generic_if(system_cronjob_t)
|
||
|
corenet_tcp_sendrecv_generic_node(system_cronjob_t)
|
||
|
corenet_udp_sendrecv_generic_node(system_cronjob_t)
|
||
|
corenet_tcp_sendrecv_all_ports(system_cronjob_t)
|
||
|
corenet_udp_sendrecv_all_ports(system_cronjob_t)
|
||
|
|
||
|
dev_getattr_all_blk_files(system_cronjob_t)
|
||
|
dev_getattr_all_chr_files(system_cronjob_t)
|
||
|
dev_read_urand(system_cronjob_t)
|
||
|
dev_read_sysfs(system_cronjob_t)
|
||
|
|
||
|
fs_getattr_all_fs(system_cronjob_t)
|
||
|
fs_getattr_all_files(system_cronjob_t)
|
||
|
fs_getattr_all_symlinks(system_cronjob_t)
|
||
|
fs_getattr_all_pipes(system_cronjob_t)
|
||
|
fs_getattr_all_sockets(system_cronjob_t)
|
||
|
|
||
|
# quiet other ps operations
|
||
|
domain_dontaudit_read_all_domains_state(system_cronjob_t)
|
||
|
|
||
|
files_exec_etc_files(system_cronjob_t)
|
||
|
files_read_etc_runtime_files(system_cronjob_t)
|
||
|
files_list_all(system_cronjob_t)
|
||
|
files_getattr_all_dirs(system_cronjob_t)
|
||
|
files_getattr_all_files(system_cronjob_t)
|
||
|
files_getattr_all_symlinks(system_cronjob_t)
|
||
|
files_getattr_all_pipes(system_cronjob_t)
|
||
|
files_getattr_all_sockets(system_cronjob_t)
|
||
|
files_read_var_files(system_cronjob_t)
|
||
|
# for nscd:
|
||
|
files_dontaudit_search_pids(system_cronjob_t)
|
||
|
# Access other spool directories like
|
||
|
# /var/spool/anacron and /var/spool/slrnpull.
|
||
|
files_manage_generic_spool(system_cronjob_t)
|
||
|
files_create_boot_flag(system_cronjob_t)
|
||
|
|
||
|
mls_file_read_to_clearance(system_cronjob_t)
|
||
|
|
||
|
init_domtrans_script(system_cronjob_t)
|
||
|
init_use_script_fds(system_cronjob_t)
|
||
|
init_read_utmp(system_cronjob_t)
|
||
|
init_dontaudit_rw_utmp(system_cronjob_t)
|
||
|
# prelink tells init to restart it self, we either need to allow or dontaudit
|
||
|
init_telinit(system_cronjob_t)
|
||
|
|
||
|
auth_use_nsswitch(system_cronjob_t)
|
||
|
|
||
|
libs_exec_lib_files(system_cronjob_t)
|
||
|
libs_exec_ld_so(system_cronjob_t)
|
||
|
|
||
|
logging_read_generic_logs(system_cronjob_t)
|
||
|
logging_send_audit_msgs(system_cronjob_t)
|
||
|
logging_send_syslog_msg(system_cronjob_t)
|
||
|
|
||
|
miscfiles_filetrans_named_content_letsencrypt(system_cronjob_t)
|
||
|
|
||
|
seutil_read_config(system_cronjob_t)
|
||
|
|
||
|
userdom_manage_tmpfs_files(system_cronjob_t, file)
|
||
|
userdom_tmpfs_filetrans(system_cronjob_t, file)
|
||
|
|
||
|
ifdef(`distro_redhat',`
|
||
|
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
|
||
|
allow crond_t system_cron_spool_t:file manage_file_perms;
|
||
|
|
||
|
# via redirection of standard out.
|
||
|
optional_policy(`
|
||
|
rpm_manage_log(system_cronjob_t)
|
||
|
rpm_transition_script(system_cronjob_t, system_r)
|
||
|
')
|
||
|
')
|
||
|
|
||
|
selinux_get_fs_mount(system_cronjob_t)
|
||
|
|
||
|
tunable_policy(`cron_can_relabel',`
|
||
|
seutil_domtrans_setfiles(system_cronjob_t)
|
||
|
',`
|
||
|
selinux_validate_context(system_cronjob_t)
|
||
|
selinux_compute_access_vector(system_cronjob_t)
|
||
|
selinux_compute_create_context(system_cronjob_t)
|
||
|
selinux_compute_relabel_context(system_cronjob_t)
|
||
|
selinux_compute_user_contexts(system_cronjob_t)
|
||
|
seutil_read_file_contexts(system_cronjob_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
# Needed for certwatch
|
||
|
apache_exec_modules(system_cronjob_t)
|
||
|
apache_read_config(system_cronjob_t)
|
||
|
apache_read_log(system_cronjob_t)
|
||
|
apache_read_sys_content(system_cronjob_t)
|
||
|
apache_manage_lib(system_cronjob_t)
|
||
|
apache_delete_cache_dirs(system_cronjob_t)
|
||
|
apache_delete_cache_files(system_cronjob_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
bind_read_config(system_cronjob_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
chronyd_run_chronyc(system_cronjob_t,system_r)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
cyrus_manage_data(system_cronjob_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
dbus_system_bus_client(system_cronjob_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
devicekit_read_pid_files(system_cronjob_t)
|
||
|
devicekit_append_inherited_log_files(system_cronjob_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
exim_read_spool_files(system_cronjob_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
firewalld_dbus_chat(system_cronjob_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
ftp_read_log(system_cronjob_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
inn_manage_log(system_cronjob_t)
|
||
|
inn_manage_pid(system_cronjob_t)
|
||
|
inn_read_config(system_cronjob_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
insights_client_filetrans_run(system_cronjob_t)
|
||
|
insights_client_filetrans_tmp(system_cronjob_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
livecd_read_tmp_files(system_cronjob_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
lpd_list_spool(system_cronjob_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
mrtg_append_create_logs(system_cronjob_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
mta_read_config(system_cronjob_t)
|
||
|
mta_send_mail(system_cronjob_t)
|
||
|
mta_filetrans_admin_home_content(system_cronjob_t)
|
||
|
mta_system_content(system_cron_spool_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
mysql_read_config(system_cronjob_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
networkmanager_dbus_chat(system_cronjob_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
pcp_filetrans_named_content(system_cronjob_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
postfix_read_config(system_cronjob_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
prelink_delete_cache(system_cronjob_t)
|
||
|
prelink_manage_lib(system_cronjob_t)
|
||
|
prelink_manage_log(system_cronjob_t)
|
||
|
prelink_read_cache(system_cronjob_t)
|
||
|
prelink_relabel_lib(system_cronjob_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
rkhunter_manage_lib_files(system_cronjob_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
rhsmcertd_dbus_chat(system_cronjob_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
samba_read_config(system_cronjob_t)
|
||
|
samba_read_log(system_cronjob_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
setroubleshoot_dbus_chat(system_cronjob_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
snapper_dbus_chat(system_cronjob_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
spamassassin_manage_lib_files(system_cronjob_t)
|
||
|
spamassassin_manage_home_client(system_cronjob_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
sysstat_manage_log(system_cronjob_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
systemd_dbus_chat_logind(system_cronjob_t)
|
||
|
systemd_dbus_chat_timedated(system_cronjob_t)
|
||
|
systemd_dbus_chat_hostnamed(system_cronjob_t)
|
||
|
systemd_dbus_chat_localed(system_cronjob_t)
|
||
|
systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
unconfined_domain(crond_t)
|
||
|
unconfined_domain(system_cronjob_t)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
unconfined_shell_domtrans(crond_t)
|
||
|
unconfined_dbus_send(crond_t)
|
||
|
userdom_filetrans_home_content(crond_t)
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
#
|
||
|
# User cronjobs local policy
|
||
|
#
|
||
|
|
||
|
allow cronjob_t self:process { signal_perms setsched };
|
||
|
allow cronjob_t self:fifo_file rw_fifo_file_perms;
|
||
|
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
|
||
|
allow cronjob_t self:unix_dgram_socket create_socket_perms;
|
||
|
|
||
|
# The entrypoint interface is not used as this is not
|
||
|
# a regular entrypoint. Since crontab files are
|
||
|
# not directly executed, crond must ensure that
|
||
|
# the crontab file has a type that is appropriate
|
||
|
# for the domain of the user cron job. It
|
||
|
# performs an entrypoint permission check
|
||
|
# for this purpose.
|
||
|
allow cronjob_t user_cron_spool_t:file entrypoint;
|
||
|
|
||
|
# Permit a transition from the crond_t domain to this domain.
|
||
|
# The transition is requested explicitly by the modified crond
|
||
|
# via setexeccon. There is no way to set up an automatic
|
||
|
# transition, since crontabs are configuration files, not executables.
|
||
|
allow crond_t cronjob_t:process transition;
|
||
|
dontaudit crond_t cronjob_t:process { noatsecure siginh rlimitinh };
|
||
|
allow crond_t cronjob_t:fd use;
|
||
|
allow cronjob_t crond_t:fd use;
|
||
|
allow cronjob_t crond_t:fifo_file rw_file_perms;
|
||
|
allow cronjob_t crond_t:process sigchld;
|
||
|
|
||
|
kernel_read_system_state(cronjob_t)
|
||
|
kernel_read_kernel_sysctls(cronjob_t)
|
||
|
|
||
|
# ps does not need to access /boot when run from cron
|
||
|
files_dontaudit_search_boot(cronjob_t)
|
||
|
|
||
|
corenet_all_recvfrom_netlabel(cronjob_t)
|
||
|
corenet_tcp_sendrecv_generic_if(cronjob_t)
|
||
|
corenet_udp_sendrecv_generic_if(cronjob_t)
|
||
|
corenet_tcp_sendrecv_generic_node(cronjob_t)
|
||
|
corenet_udp_sendrecv_generic_node(cronjob_t)
|
||
|
corenet_tcp_sendrecv_all_ports(cronjob_t)
|
||
|
corenet_udp_sendrecv_all_ports(cronjob_t)
|
||
|
corenet_tcp_connect_all_ports(cronjob_t)
|
||
|
corenet_sendrecv_all_client_packets(cronjob_t)
|
||
|
|
||
|
dev_read_urand(cronjob_t)
|
||
|
|
||
|
fs_getattr_all_fs(cronjob_t)
|
||
|
|
||
|
corecmd_exec_all_executables(cronjob_t)
|
||
|
|
||
|
# quiet other ps operations
|
||
|
domain_dontaudit_read_all_domains_state(cronjob_t)
|
||
|
domain_dontaudit_getattr_all_domains(cronjob_t)
|
||
|
|
||
|
files_exec_etc_files(cronjob_t)
|
||
|
# for nscd:
|
||
|
files_dontaudit_search_pids(cronjob_t)
|
||
|
|
||
|
libs_exec_lib_files(cronjob_t)
|
||
|
libs_exec_ld_so(cronjob_t)
|
||
|
|
||
|
files_read_etc_runtime_files(cronjob_t)
|
||
|
files_read_var_files(cronjob_t)
|
||
|
files_search_spool(cronjob_t)
|
||
|
|
||
|
logging_search_logs(cronjob_t)
|
||
|
|
||
|
seutil_read_config(cronjob_t)
|
||
|
|
||
|
|
||
|
userdom_manage_user_tmp_files(cronjob_t)
|
||
|
userdom_manage_user_tmp_symlinks(cronjob_t)
|
||
|
userdom_manage_user_tmp_pipes(cronjob_t)
|
||
|
userdom_manage_user_tmp_sockets(cronjob_t)
|
||
|
# Run scripts in user home directory and access shared libs.
|
||
|
userdom_exec_user_home_content_files(cronjob_t)
|
||
|
# Access user files and dirs.
|
||
|
userdom_manage_user_home_content_files(cronjob_t)
|
||
|
userdom_manage_user_home_content_symlinks(cronjob_t)
|
||
|
userdom_manage_user_home_content_pipes(cronjob_t)
|
||
|
userdom_manage_user_home_content_sockets(cronjob_t)
|
||
|
|
||
|
list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
|
||
|
rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
|
||
|
watch_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
|
||
|
read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
|
||
|
read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
|
||
|
allow crond_t user_cron_spool_t:file manage_lnk_file_perms;
|
||
|
|
||
|
tunable_policy(`fcron_crond',`
|
||
|
allow crond_t user_cron_spool_t:file manage_file_perms;
|
||
|
')
|
||
|
|
||
|
# need a per-role version of this:
|
||
|
#optional_policy(`
|
||
|
# mono_domtrans(cronjob_t)
|
||
|
#')
|
||
|
|
||
|
optional_policy(`
|
||
|
nis_use_ypbind(cronjob_t)
|
||
|
')
|
||
|
|
||
|
##############################
|
||
|
#
|
||
|
# crontab common policy
|
||
|
#
|
||
|
|
||
|
# is to create the file in the directory under /tmp
|
||
|
allow crontab_domain self:capability { fowner setuid setgid chown dac_read_search dac_override };
|
||
|
allow crontab_domain self:process { getcap setsched signal_perms };
|
||
|
allow crontab_domain self:fifo_file rw_fifo_file_perms;
|
||
|
|
||
|
allow crontab_domain crond_t:process signal;
|
||
|
allow crontab_domain crond_var_run_t:file read_file_perms;
|
||
|
|
||
|
manage_dirs_pattern(crontab_t, crontab_tmp_t, crontab_tmp_t)
|
||
|
manage_files_pattern(crontab_t, crontab_tmp_t, crontab_tmp_t)
|
||
|
files_tmp_filetrans(crontab_t, crontab_tmp_t, { dir file })
|
||
|
|
||
|
corecmd_exec_bin(crontab_domain)
|
||
|
corecmd_exec_shell(crontab_domain)
|
||
|
|
||
|
# create files in /var/spool/cron
|
||
|
manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
|
||
|
filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
|
||
|
files_list_spool(crontab_domain)
|
||
|
|
||
|
# crontab signals crond by updating the mtime on the spooldir
|
||
|
allow crontab_domain cron_spool_t:dir setattr_dir_perms;
|
||
|
|
||
|
# for the checks used by crontab -u
|
||
|
selinux_dontaudit_search_fs(crontab_domain)
|
||
|
|
||
|
fs_getattr_xattr_fs(crontab_domain)
|
||
|
fs_manage_cgroup_dirs(crontab_domain)
|
||
|
fs_manage_cgroup_files(crontab_domain)
|
||
|
|
||
|
domain_use_interactive_fds(crontab_domain)
|
||
|
|
||
|
files_dontaudit_search_pids(crontab_domain)
|
||
|
|
||
|
|
||
|
auth_rw_var_auth(crontab_domain)
|
||
|
|
||
|
logging_send_audit_msgs(crontab_domain)
|
||
|
logging_set_loginuid(crontab_domain)
|
||
|
|
||
|
init_dontaudit_write_utmp(crontab_domain)
|
||
|
init_read_utmp(crontab_domain)
|
||
|
init_read_state(crontab_domain)
|
||
|
|
||
|
|
||
|
seutil_read_config(crontab_domain)
|
||
|
|
||
|
userdom_manage_user_tmp_dirs(crontab_domain)
|
||
|
userdom_manage_user_tmp_files(crontab_domain)
|
||
|
# Access terminals.
|
||
|
userdom_use_inherited_user_terminals(crontab_domain)
|
||
|
# Read user crontabs
|
||
|
userdom_read_user_home_content_files(crontab_domain)
|
||
|
userdom_read_user_home_content_symlinks(crontab_domain)
|
||
|
|
||
|
tunable_policy(`fcron_crond',`
|
||
|
# fcron wants an instant update of a crontab change for the administrator
|
||
|
# also crontab does a security check for crontab -u
|
||
|
dontaudit crontab_domain crond_t:process signal;
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
ssh_dontaudit_use_ptys(crontab_domain)
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
openshift_dontaudit_rw_inherited_fifo_files(crontab_domain)
|
||
|
openshift_transition(system_cronjob_t)
|
||
|
')
|
||
|
|
||
|
########################################
|
||
|
#
|
||
|
# Unconfined cronjobs local policy
|
||
|
#
|
||
|
|
||
|
type unconfined_cronjob_t;
|
||
|
domain_type(unconfined_cronjob_t)
|
||
|
domain_cron_exemption_target(unconfined_cronjob_t)
|
||
|
|
||
|
dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
|
||
|
|
||
|
tunable_policy(`cron_userdomain_transition',`
|
||
|
dontaudit crond_t unconfined_cronjob_t:process transition;
|
||
|
dontaudit crond_t unconfined_cronjob_t:fd use;
|
||
|
dontaudit crond_t unconfined_cronjob_t:key manage_key_perms;
|
||
|
',`
|
||
|
allow crond_t unconfined_cronjob_t:process transition;
|
||
|
allow crond_t unconfined_cronjob_t:fd use;
|
||
|
allow crond_t unconfined_cronjob_t:key manage_key_perms;
|
||
|
')
|
||
|
|
||
|
optional_policy(`
|
||
|
unconfined_domain(unconfined_cronjob_t)
|
||
|
')
|