From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Sun, 27 Apr 2014 15:34:09 +0000 (UTC)
Message-ID: <1398612511.0dcd9b4afc2135463c0d6884a6011f8274450b41.swift@gentoo>

commit:     0dcd9b4afc2135463c0d6884a6011f8274450b41
Author:     Sven Vermeulen siphos be>
AuthorDate: Mon Apr 21 15:08:23 2014 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Sun Apr 27 15:28:31 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0dcd9b4a

fcron socket support

The fcron daemon creates a socket file in /var/run (called fcron.fifo) which is used by the fcrondyn application to interact with the fcron daemon. This application allows admins to list the defined jobs, run jobs immediately, remove jobs, etc.

Without this, fcrondyn cannot connect to the cron daemon; fcron also logs this at start-up:

  fcron[23724]: Cannot bind socket to '/var/run/fcron.fifo': Permission denied

Through this patch, we allow the crond daemon to create this socket and update the admin role to allow the admin domain to stream_connect through this socket to the crond_t domain.
Changes since v1: - Moved named file transition outside tunable_policy - Use user domain instead of role in cron_admin's stream_connect_pattern Signed-off-by: Sven Vermeulen siphos.be> --- policy/modules/contrib/cron.if | 5 +++++ policy/modules/contrib/cron.te | 2 ++ 2 files changed, 7 insertions(+) diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if index a58ce50..2ad65f8 100644 --- a/policy/modules/contrib/cron.if +++ b/policy/modules/contrib/cron.if @@ -277,6 +277,11 @@ interface(`cron_admin_role',` dontaudit $2 cronjob_t:process { ptrace signal_perms }; ') + tunable_policy(`crond_fcron',` + # Support for fcrondyn + stream_connect_pattern($2, crond_var_run_t, crond_var_run_t, crond_t) + ') + optional_policy(` gen_require(` class dbus send_msg; diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te index 4ab10d8..da85d9b 100644 --- a/policy/modules/contrib/cron.te +++ b/policy/modules/contrib/cron.te @@ -234,6 +234,7 @@ logging_log_filetrans(crond_t, cron_log_t, file) manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t) files_pid_filetrans(crond_t, crond_var_run_t, file) +files_pid_filetrans(crond_t, crond_var_run_t, sock_file, "fcron.fifo") manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) @@ -347,6 +348,7 @@ tunable_policy(`allow_polyinstantiation',` tunable_policy(`fcron_crond',` allow crond_t { system_cron_spool_t user_cron_spool_t }:file manage_file_perms; + allow crond_t crond_var_run_t:sock_file manage_sock_file_perms; ') optional_policy(`
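Review bot: in the cron.if hunk the boolean name `crond_fcron` does not match the `fcron_crond` boolean that the cron.te hunk adds the sock_file permissions under; unless both booleans are declared, this block either fails at policy build time or is never enabled together with the daemon-side permissions, so the interface should use `tunable_policy(`fcron_crond',`. Separately, the second argument of stream_connect_pattern is the directory type searched to reach the socket, and fcron.fifo is created directly in /var/run (the files_pid_filetrans rule), so searching crond_var_run_t directories does not help the caller; the admin domain needs search on the pid directory itself (files_search_pids($2)), which admin domains normally already have but is worth confirming rather than relying on.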
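Review bot: in the first cron.te hunk the `files_pid_filetrans(crond_t, crond_var_run_t, sock_file, "fcron.fifo")` rule is unconditional while the sock_file permissions it relies on sit inside `tunable_policy(`fcron_crond',` in the next hunk; the changelog explains this was moved out of the tunable deliberately, but a short comment next to the rule saying so would keep the split from reading as an inconsistency to the next person editing this file.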
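Review bot: in the second cron.te hunk, `manage_sock_file_perms` grants rename, link, setattr and more on crond_var_run_t sockets; if fcron only binds the socket at start-up and unlinks it on shutdown, as the quoted log line suggests, `create_sock_file_perms` together with `delete_sock_file_perms` would be the tighter grant. If fcron does need the wider set, a comment stating which operations required it would justify keeping manage here.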