From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id DDD9E138010 for ; Tue, 2 Oct 2012 18:23:23 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 3BE2621C016; Tue, 2 Oct 2012 18:11:18 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id E271B21C01A for ; Tue, 2 Oct 2012 18:11:12 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 51D4B33D763 for ; Tue, 2 Oct 2012 18:11:03 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 20D9FE544E for ; Tue, 2 Oct 2012 18:11:00 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1349201127.f120e886dbba68a31eba791831db34da7ad88518.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/cron.if policy/modules/contrib/cron.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: f120e886dbba68a31eba791831db34da7ad88518 X-VCS-Branch: master Date: Tue, 2 Oct 2012 18:11:00 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 536287c0-c92f-4a78-8759-f44e2e69be55 X-Archives-Hash: f58a0e67f5917473f0a184979b57be26 commit: f120e886dbba68a31eba791831db34da7ad88518 Author: Dominick Grift gmail com> AuthorDate: Sun Sep 30 15:54:15 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Tue Oct 2 18:05:27 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f120e886 Changes to the cron policy module Make cron userdomain transition work Signed-off-by: Dominick Grift gmail.com> --- policy/modules/contrib/cron.if | 113 +++++++++++++++++++++++++++++++++++----- policy/modules/contrib/cron.te | 60 ++++++++++++--------- 2 files changed, 133 insertions(+), 40 deletions(-)
diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if
index ddc323e..384fda7 100644
--- a/policy/modules/contrib/cron.if
+++ b/policy/modules/contrib/cron.if
@@ -42,7 +42,7 @@ template(`cron_common_crontab_template',`
 
 ########################################
 ##
-## Role access for cron
+## Role access for cron.
 ##
 ##
 ##
@@ -60,6 +60,7 @@ interface(`cron_role',` gen_require(` type cronjob_t, crontab_t, crontab_exec_t; type user_cron_spool_t, crond_t; + bool cron_userdomain_transition; ') ############################## @@ -82,14 +83,32 @@ interface(`cron_role',` allow $2 user_cron_spool_t:file { getattr read write ioctl }; allow $2 crontab_t:process { ptrace signal_perms }; - ps_process_pattern($2, { cronjob_t crontab_t }) + ps_process_pattern($2, crontab_t) corecmd_exec_bin(crontab_t) corecmd_exec_shell(crontab_t) tunable_policy(`cron_userdomain_transition',` allow crond_t $2:process transition; + allow crond_t $2:fd use; + allow crond_t $2:key manage_key_perms; + allow $2 user_cron_spool_t:file entrypoint; + + allow $2 crond_t:fifo_file rw_fifo_file_perms; + + allow $2 cronjob_t:process { ptrace signal_perms }; + ps_process_pattern($2, cronjob_t) + ',` + dontaudit crond_t $2:process transition; + dontaudit crond_t $2:fd use; + dontaudit crond_t $2:key manage_key_perms; + + dontaudit $2 user_cron_spool_t:file entrypoint; + + dontaudit $2 crond_t:fifo_file rw_fifo_file_perms; + + dontaudit $2 cronjob_t:process { ptrace signal_perms }; ') optional_policy(` @@ -105,22 +124,24 @@ interface(`cron_role',` ######################################## ## -## Role access for unconfined cronjobs +## Role access for unconfined cron. ## ## ## -## Role allowed access +## Role allowed access. ## ## ## ## -## User domain for the role +## User domain for the role. ## ## # interface(`cron_unconfined_role',` gen_require(` type unconfined_cronjob_t, crontab_t, crontab_exec_t; + type crond_t, user_cron_spool_t; + bool cron_userdomain_transition; ') ############################## 
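Review bot: In the `tunable_policy(`cron_userdomain_transition',` block of cron_role (hunk at -82), `allow $2 cronjob_t:process { ptrace signal_perms };` and `ps_process_pattern($2, cronjob_t)` sit in the true branch, with the matching `dontaudit` in the false branch. The cron.te side of this commit lets crond_t transition into cronjob_t only when the tunable is off, so a cronjob_t process would exist exactly when the user domain is denied the right to see or signal it; unless cronjob_t is reachable through some path not shown here, those two statements belong in the else branch and `dontaudit $2 cronjob_t:process { ptrace signal_perms };` should move to the true branch or be dropped. The same placement recurs for unconfined_cronjob_t in cron_unconfined_role (hunk at -145) and for cronjob_t in cron_admin_role (hunk at -175). The body of cron_role continues outside this hunk.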
@@ -135,9 +156,12 @@ interface(`cron_unconfined_role',`
 # Local policy
 #
 
- ps_process_pattern($2, unconfined_cronjob_t)
+ domtrans_pattern($2, crontab_exec_t, crontab_t)
 
- # domtrans_pattern($2, crontab_exec_t, crontab_t)
+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
+ allow $2 crond_t:process sigchld;
+
+ allow $2 user_cron_spool_t:file { getattr read write ioctl };
 
 allow $2 crontab_t:process { ptrace signal_perms };
 ps_process_pattern($2, crontab_t)
@@ -145,6 +169,29 @@ interface(`cron_unconfined_role',`
 corecmd_exec_bin(crontab_t)
 corecmd_exec_shell(crontab_t)
 
+ tunable_policy(`cron_userdomain_transition',`
+ allow crond_t $2:process transition;
+ allow crond_t $2:fd use;
+ allow crond_t $2:key manage_key_perms;
+
+ allow $2 user_cron_spool_t:file entrypoint;
+
+ allow $2 crond_t:fifo_file rw_fifo_file_perms;
+
+ allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
+ ps_process_pattern($2, unconfined_cronjob_t)
+ ',`
+ dontaudit crond_t $2:process transition;
+ dontaudit crond_t $2:fd use;
+ dontaudit crond_t $2:key manage_key_perms;
+
+ dontaudit $2 user_cron_spool_t:file entrypoint;
+
+ dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+
+ dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms };
+')
+
 optional_policy(`
 gen_require(`
 class dbus send_msg;
@@ -158,16 +205,16 @@ interface(`cron_unconfined_role',`
 
 ########################################
 ##
-## Role access for cron
+## Role access for admin cron.
 ##
 ##
 ##
-## Role allowed access
+## Role allowed access.
 ##
 ##
 ##
 ##
-## User domain for the role
+## User domain for the role.
 ##
 ##
 #
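Review bot: The hunk at -145 is the second verbatim copy of the twenty-line `cron_userdomain_transition` tunable block that this commit adds to cron_role, and the hunk at -175 adds a third copy for cron_admin_role; the only difference between the three is the cronjob type named in the last two statements of each branch. A private template taking the role, the user domain and the job type as arguments (a `cron_userdomain_transition_template`-style helper; name constructed) would keep the allow side and the dontaudit side of all three interfaces in step, which matters here because a permission added to one copy and missed in another silently changes what gets audited rather than failing at build time. The interface bodies continue outside this hunk.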
@@ -175,23 +222,61 @@ interface(`cron_admin_role',` gen_require(` type cronjob_t, crontab_exec_t, admin_crontab_t; class passwd crontab; + type crond_t, user_cron_spool_t; + bool cron_userdomain_transition; ') - role $1 types { cronjob_t admin_crontab_t }; + ############################## + # + # Declarations + # - ps_process_pattern($2, cronjob_t) + role $1 types { cronjob_t admin_crontab_t }; - # Manipulate other users crontab. - allow $2 self:passwd crontab; + ############################## + # + # Local policy + # domtrans_pattern($2, crontab_exec_t, admin_crontab_t) + dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; + allow $2 crond_t:process sigchld; + + allow $2 user_cron_spool_t:file { getattr read write ioctl }; + allow $2 admin_crontab_t:process { ptrace signal_perms }; ps_process_pattern($2, admin_crontab_t) + # Manipulate other users crontab. + allow $2 self:passwd crontab; + corecmd_exec_bin(admin_crontab_t) corecmd_exec_shell(admin_crontab_t) + tunable_policy(`cron_userdomain_transition',` + allow crond_t $2:process transition; + allow crond_t $2:fd use; + allow crond_t $2:key manage_key_perms; + + allow $2 user_cron_spool_t:file entrypoint; + + allow $2 crond_t:fifo_file rw_fifo_file_perms; + + allow $2 cronjob_t:process { ptrace signal_perms }; + ps_process_pattern($2, cronjob_t) + ',` + dontaudit crond_t $2:process transition; + dontaudit crond_t $2:fd use; + dontaudit crond_t $2:key manage_key_perms; + + dontaudit $2 user_cron_spool_t:file entrypoint; + + dontaudit $2 crond_t:fifo_file rw_fifo_file_perms; + + dontaudit $2 cronjob_t:process { ptrace signal_perms }; +') + optional_policy(` gen_require(` class dbus send_msg; diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te index 412d5fb..1ae7194 100644 --- a/policy/modules/contrib/cron.te +++ b/policy/modules/contrib/cron.te @@ -1,4 +1,4 @@ -policy_module(cron, 2.5.0) +policy_module(cron, 2.5.1) gen_require(` class passwd rootok; 
@@ -132,7 +132,7 @@ ifdef(`enable_mcs',`
 
 ##############################
 #
-# Common local policy
+# Common crontab local policy
 #
 
 allow crontab_domain self:capability { fowner setuid setgid chown dac_override };
@@ -154,7 +154,7 @@ selinux_dontaudit_search_fs(crontab_domain)
 files_list_spool(crontab_domain)
 files_read_etc_files(crontab_domain)
 files_read_usr_files(crontab_domain)
-files_dontaudit_search_pids(crontab_domain)
+files_search_pids(crontab_domain)
 
 fs_getattr_xattr_fs(crontab_domain)
 fs_manage_cgroup_dirs(crontab_domain)
@@ -168,6 +168,7 @@ auth_rw_var_auth(crontab_domain)
 
 logging_send_syslog_msg(crontab_domain)
 logging_send_audit_msgs(crontab_domain)
+logging_set_loginuid(crontab_domain)
 
 init_dontaudit_write_utmp(crontab_domain)
 init_read_utmp(crontab_domain)
@@ -183,10 +184,6 @@ userdom_use_user_terminals(crontab_domain)
 userdom_read_user_home_content_files(crontab_domain)
 userdom_read_user_home_content_symlinks(crontab_domain)
 
-tunable_policy(`cron_userdomain_transition',`
- logging_set_loginuid(crontab_domain)
-')
-
 tunable_policy(`fcron_crond',`
 dontaudit crontab_domain crond_t:process signal;
 ')
@@ -250,9 +247,10 @@ read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
 read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
 allow crond_t user_cron_spool_t:file manage_lnk_file_perms;
 
-allow crond_t { cronjob_t system_cronjob_t unconfined_cronjob_t }:process transition;
-allow crond_t { cronjob_t system_cronjob_t unconfined_cronjob_t }:fd use;
-allow crond_t { cronjob_t system_cronjob_t unconfined_cronjob_t }:key manage_key_perms;
+allow crond_t system_cronjob_t:process transition;
+allow crond_t system_cronjob_t:fd use;
+allow crond_t system_cronjob_t:key manage_key_perms;
+
 dontaudit crond_t { cronjob_t system_cronjob_t unconfined_cronjob_t }:process { noatsecure siginh rlimitinh };
 
 domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
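Review bot: `logging_set_loginuid(crontab_domain)` in the hunk at -168 is now granted unconditionally, while the block removed at -183 granted it only when `cron_userdomain_transition` was on, and neither the hunk nor the commit message says why every crontab invocation now needs to set the audit loginuid. Because the loginuid is what ties audit records back to the logged-in user, moving this grant to the always-on path deserves a why-comment next to the call, e.g. `# needed with and without cron_userdomain_transition: <reason here>`, with the reason filled in by the author. The same applies to `files_dontaudit_search_pids` becoming `files_search_pids` in the hunk at -154, which turns a silenced denial into a grant with no note.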
@@ -286,7 +284,6 @@ files_search_var_lib(crond_t)
 files_search_default(crond_t)
 
 mls_fd_share_all_levels(crond_t)
-# crontab -e and kernel check of transition
 mls_file_read_all_levels(crond_t)
 mls_file_write_all_levels(crond_t)
 mls_process_set_level(crond_t)
@@ -316,16 +313,24 @@ seutil_read_default_contexts(crond_t)
 
 miscfiles_read_localization(crond_t)
 
-userdom_use_unpriv_users_fds(crond_t)
 userdom_list_user_home_dirs(crond_t)
 
 mta_send_mail(crond_t)
 
+tunable_policy(`cron_userdomain_transition',`
+ dontaudit crond_t { cronjob_t unconfined_cronjob_t }:process transition;
+ dontaudit crond_t { cronjob_t unconfined_cronjob_t }:fd use;
+ dontaudit crond_t { cronjob_t unconfined_cronjob_t }:key manage_key_perms;
+',`
+ allow crond_t { cronjob_t unconfined_cronjob_t }:process transition;
+ allow crond_t { cronjob_t unconfined_cronjob_t }:fd use;
+ allow crond_t { cronjob_t unconfined_cronjob_t }:key manage_key_perms;
+')
+
 ifdef(`distro_debian',`
 allow crond_t self:process setrlimit;
 
 optional_policy(`
- # Debian logcheck has the home dir set to its cache
 logwatch_search_cache_dir(crond_t)
 ')
 ')
@@ -340,8 +345,8 @@ tunable_policy(`allow_polyinstantiation',`
 files_polyinstantiate_all(crond_t)
 ')
 
-tunable_policy(`fcron_crond', `
- allow crond_t system_cron_spool_t:file manage_file_perms;
+tunable_policy(`fcron_crond',`
+ allow crond_t { system_cron_spool_t user_cron_spool_t }:file manage_file_perms;
 ')
 
 optional_policy(`
@@ -461,7 +466,7 @@ files_search_var_lib(system_cronjob_t)
 manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
 
 allow system_cronjob_t crond_t:fd use;
-allow system_cronjob_t crond_t:fifo_file rw_file_perms;
+allow system_cronjob_t crond_t:fifo_file rw_fifo_file_perms;
 allow system_cronjob_t crond_t:process sigchld;
 
 allow system_cronjob_t cron_spool_t:dir list_dir_perms;
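Review bot: The new `tunable_policy(`cron_userdomain_transition',` block in the hunk at -316 makes crond_t's transition into cronjob_t and unconfined_cronjob_t depend on the tunable being off, but the rule that replaces it when the tunable is on (`allow crond_t $2:process transition;` for the role's user domain) lives in cron.if, so a reader of cron.te alone sees crond lose the ability to start user jobs. A comment on the true branch would close that gap, e.g. `# with the tunable on, crond_t transitions into the role's user domain instead; see cron_role() in cron.if`. The same hunk also drops `userdom_use_unpriv_users_fds(crond_t)` and appears to rely on the per-role `allow crond_t $2:fd use;` in cron.if, which only exists when the tunable is on; if that narrowing is intentional it is worth a line in the commit message.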
@@ -623,7 +628,7 @@ optional_policy(`
 
 optional_policy(`
 postfix_read_config(system_cronjob_t)
-')
+')
 
 optional_policy(`
 prelink_delete_cache(system_cronjob_t)
@@ -664,13 +669,6 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
 allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
 allow cronjob_t self:unix_dgram_socket create_socket_perms;
 
-allow cronjob_t user_cron_spool_t:file entrypoint;
-
-#allow crond_t cronjob_t:key create;
-allow cronjob_t crond_t:fd use;
-allow cronjob_t crond_t:fifo_file rw_file_perms;
-allow cronjob_t crond_t:process sigchld;
-
 kernel_read_system_state(cronjob_t)
 kernel_read_kernel_sysctls(cronjob_t)
 
@@ -723,8 +721,18 @@ userdom_manage_user_home_content_symlinks(cronjob_t)
 userdom_manage_user_home_content_pipes(cronjob_t)
 userdom_manage_user_home_content_sockets(cronjob_t)
 
-tunable_policy(`fcron_crond',`
- allow crond_t user_cron_spool_t:file manage_file_perms;
+tunable_policy(`cron_userdomain_transition',`
+ dontaudit cronjob_t crond_t:fd use;
+ dontaudit cronjob_t crond_t:fifo_file rw_fifo_file_perms;
+ dontaudit cronjob_t crond_t:process sigchld;
+
+ dontaudit cronjob_t user_cron_spool_t:file entrypoint;
+',`
+ allow cronjob_t crond_t:fd use;
+ allow cronjob_t crond_t:fifo_file rw_fifo_file_perms;
+ allow cronjob_t crond_t:process sigchld;
+
+ allow cronjob_t user_cron_spool_t:file entrypoint;
 ')
 
 optional_policy(`