From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1353531517.18a25fea6f668acb55b05bd8f791448f3a230172.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/cron.fc policy/modules/contrib/cron.if policy/modules/contrib/cron.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 18a25fea6f668acb55b05bd8f791448f3a230172
X-VCS-Branch: master
Date: Wed, 21 Nov 2012 21:02:14 +0000 (UTC)

commit: 18a25fea6f668acb55b05bd8f791448f3a230172
Author: Sven Vermeulen siphos be>
AuthorDate: Sat Nov 17 20:58:51 2012 +0000
Commit: Sven Vermeulen siphos be>
CommitDate: Wed Nov 21 20:58:37 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=18a25fea

Support at service

The at daemon allows users and system administrators to define tasks to be executed once at a particular time. The at service captures the current session's environment and stores it as part of the task to be executed.

When run, at "locks" the job (in the /var/spool/at/atjobs location) and executes it, capturing its output in the /var/spool/at/atspool location.

Because of this log output capturing, it doesn't make sense to keep the atspool location as user_cron_spool_t as any service run through at needs to be able to write to this location, and we don't want such services to have write access to the user_cron_spool_t type.
Hence we introduce the user_cron_spool_log_t type for the logging output, allow it to be read by the system mailer (as it is invoked to send the resulting output) and written by any service that is allowed to be called by cron (through cron_system_entry).

The cron daemon requires manage privileges on the /var/spool/at/atjobs location (labeled user_cron_spool_t) as it uses locking techniques on the at job scripts themselves (lock files) and removes the scripts once executed.

The capability for the admin_crontab_t only seems to be needed for the admin_crontab_t domain; using the regular crontab_t domain for users does not exhibit this behavior.

Signed-off-by: Sven Vermeulen siphos.be>
--- policy/modules/contrib/cron.fc | 1 + policy/modules/contrib/cron.if | 3 +++ policy/modules/contrib/cron.te | 10 +++++++++- 3 files changed, 13 insertions(+), 1 deletions(-) diff --git a/policy/modules/contrib/cron.fc b/policy/modules/contrib/cron.fc index 8e3db6b..b2d6309 100644 --- a/policy/modules/contrib/cron.fc +++ b/policy/modules/contrib/cron.fc @@ -27,6 +27,7 @@ /var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0) +/var/spool/at/atspool(/.*)? gen_context(system_u:object_r:user_cron_spool_log_t,s0) /var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0) #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if index 5d1a48e..2b859e5 100644 --- a/policy/modules/contrib/cron.if +++ b/policy/modules/contrib/cron.if @@ -307,8 +307,11 @@ interface(`cron_admin_role',` interface(`cron_system_entry',` gen_require(` type crond_t, system_cronjob_t; + type user_cron_spool_log_t; ') + rw_files_pattern($1, user_cron_spool_log_t, user_cron_spool_log_t) + domtrans_pattern(system_cronjob_t, $2, $1) domtrans_pattern(crond_t, $2, $1) 
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te index 2f67878..d4b839b 100644 --- a/policy/modules/contrib/cron.te +++ b/policy/modules/contrib/cron.te @@ -134,6 +134,11 @@ ifdef(`distro_gentoo',` logging_syslog_managed_log_file(cron_log_t, "cron.log") ') +type user_cron_spool_log_t; +logging_log_file(user_cron_spool_log_t) +ubac_constrained(user_cron_spool_log_t) +mta_system_content(user_cron_spool_log_t) + ifdef(`enable_mcs',` init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh) ') @@ -201,6 +206,7 @@ tunable_policy(`fcron_crond',` # Admin local policy # +allow admin_crontab_t self:capability fsetid; allow admin_crontab_t crond_t:process signal; selinux_get_fs_mount(admin_crontab_t) @@ -254,9 +260,11 @@ list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) -read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) +manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) +manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t) + allow crond_t system_cronjob_t:process transition; allow crond_t system_cronjob_t:fd use; allow crond_t system_cronjob_t:key manage_key_perms;
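Review bot: in the cron.fc hunk, the new /var/spool/at/atspool(/.*)? entry only takes effect on files when they are relabelled, and nothing in the commit message tells existing installations to do that. Output files already sitting under /var/spool/at/atspool keep user_cron_spool_t until then, while the access added in cron.if is granted on user_cron_spool_log_t only, so the message or the upgrade notes should say that a restorecon -R /var/spool/at is needed after the policy is loaded.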
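Review bot: in cron_system_entry (cron.if), rw_files_pattern($1, user_cron_spool_log_t, user_cron_spool_log_t) gives every domain that calls this interface read and write access to all at output files, including domains that are only ever started from a crontab and never through at. If jobs only need to add output, append_files_pattern would be a tighter fit, and in either case the interface's documentation comment should state that it now also grants access to user_cron_spool_log_t.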
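Review bot: in the type declaration block of cron.te, logging_log_file(user_cron_spool_log_t) places captured job output in the same class as system logs, so any domain allowed to read or manage all log files picks up access to users' at output as well. If that is not intended, declaring the type with files_type() and leaving mail access to mta_system_content would keep it out of those generic log rules; a one-line comment above the declaration saying what is stored under this type would also help.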
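Review bot: in the "Admin local policy" hunk of cron.te, allow admin_crontab_t self:capability fsetid; is added without a comment, and the commit message itself only says the capability "seems to be needed". Please record next to the rule which operation triggers the check (the AVC denial would do), and if crontab still works with the capability denied, a dontaudit rule would be the safer choice than an allow.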
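Review bot: in the last cron.te hunk, replacing read_files_pattern with manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) lets crond_t create, write and delete every file labelled user_cron_spool_t, not just the job scripts under /var/spool/at/atjobs that the commit message describes. If locking and removing executed jobs are the only needs, keeping read_files_pattern and adding delete_files_pattern (plus create rights for a separate lock file, if one is used) would be narrower; alternatively, give atjobs its own type so the wider access does not extend to other user_cron_spool_t content.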