public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, man/man8/
@ 2013-04-11 14:36 Sven Vermeulen
From: Sven Vermeulen @ 2013-04-11 14:36 UTC
  To: gentoo-commits

commit:     2b9c35808edc6b66464db7ce0ba714b3ce81b15f
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Apr 11 14:36:06 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Apr 11 14:36:06 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2b9c3580

Add in AIDE SELinux manpage

---
 man/man8/aide_selinux.8         |  128 +++++++++++++++++++++++++++++++++++++++
 policy/modules/contrib/aide.rst |  107 ++++++++++++++++++++++++++++++++
 2 files changed, 235 insertions(+), 0 deletions(-)

diff --git a/man/man8/aide_selinux.8 b/man/man8/aide_selinux.8
new file mode 100644
index 0000000..382376f
--- /dev/null
+++ b/man/man8/aide_selinux.8
@@ -0,0 +1,128 @@
+.\" Man page generated from reStructuredText.
+.
+.TH AIDE_SELINUX 8 "2013-04-11" "" "SELinux"
+.SH NAME
+aide_selinux \- SELinux policy module for AIDE
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.SH DESCRIPTION
+.sp
+The \fBaide\fP SELinux module supports the AIDE application (Advanced Intrusion
+Detection Environment) and resources.
+.SH DOMAINS
+.SS aide_t
+.sp
+The \fBaide_t\fP domain is used for the application runtime context. When the
+\fBaide\fP command is invoked, it should run within this domain.
+.sp
+The use of this domain is restricted to the roles responsible for the security
+administration of the system, so \fBsysadm_r\fP and \fBsecadm_r\fP. It is strongly
+discouraged to allow the use of AIDE for other roles.
+.sp
+Due to its sensitive nature, when the MLS policy is enabled, AIDE runs in the
+\fBmls_systemhigh\fP sensitivity.
+.SH LOCATIONS
+.SS USER\-ORIENTED
+.sp
+The following list of locations identify file resources that are used by the
+AIDE domain. They are by default allocated towards the default locations for
+AIDE, so if you use a different location, you will need to properly address
+this. You can do so through \fBsemanage\fP, like so:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+semanage fcontext \-a \-t aide_db_t "/mnt/db/aide(/.*)?"
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The above example marks the \fI/mnt/db/aide\fP location as the location where
+the AIDE databases are stored (identified through the \fBaide_db_t\fP type).
+.INDENT 0.0
+.TP
+.B aide_db_t
+is used for the AIDE database location
+.TP
+.B aide_log_t
+is used for the AIDE logs
+.UNINDENT
+.SH OTHER RESOURCES
+.SS EXECUTABLE FILES
+.INDENT 0.0
+.TP
+.B aide_exec_t
+is used as entry point for the AIDE application that runs in the \fBaide_t\fP
+domain
+.UNINDENT
+.SH POLICY
+.sp
+The following interfaces can be used to enhance the default policy with
+AIDE\-related privileges. More details on these interfaces can be found in the
+interface HTML documentation, we will not list all available interfaces here.
+.SS Run interfaces
+.sp
+The following run interfaces allow users and roles access to the specified
+domains. Only to be used for new user domains and roles.
+.INDENT 0.0
+.TP
+.B aide_run
+Allow the specified user domain and role access and transition rights to the
+\fBaide_t\fP domain.
+.TP
+.B aide_admin
+Allow the specified user domain and role access and transition rights to the
+\fBaide_t\fP domain, and allow administration of the AIDE related resources.
+.UNINDENT
+.SS Domtrans interfaces
+.sp
+The following domain transition interfaces allow domains to execute and
+transition into the mentioned AIDE domain. Only to be used for domains
+assumed to be running within the general \fBsystem_r\fP role, or within a role
+already allowed access to the AIDE domain (such as \fBsysadm_r\fP).
+.INDENT 0.0
+.TP
+.B aide_domtrans
+Allow the specified domain access and transition rights to the \fBaide_t\fP
+domain.
+.UNINDENT
+.SH SEE ALSO
+.INDENT 0.0
+.IP \(bu 2
+Gentoo and SELinux at
+\fI\%https://wiki.gentoo.org/wiki/SELinux\fP
+.IP \(bu 2
+Gentoo Hardened SELinux Project at
+\fI\%http://www.gentoo.org/proj/en/hardened/selinux\fP
+.UNINDENT
+.SH AUTHOR
+Sven Vermeulen <swift@gentoo.org>
+.\" Generated by docutils manpage writer.
+.
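Review bot: The header comment marks this file as generated from reStructuredText, yet it is committed next to its source aide.rst, so the two copies have to be kept identical by hand. Consider generating the man page at build time, or state the regeneration command in the commit message, so that wording fixes are made once in aide.rst and cannot drift from man/man8/aide_selinux.8.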

diff --git a/policy/modules/contrib/aide.rst b/policy/modules/contrib/aide.rst
new file mode 100644
index 0000000..80325fe
--- /dev/null
+++ b/policy/modules/contrib/aide.rst
@@ -0,0 +1,107 @@
+=================
+ aide_selinux
+=================
+
+------------------------------
+SELinux policy module for AIDE
+------------------------------
+
+:Author:        Sven Vermeulen <swift@gentoo.org>
+:Date:          2013-04-11
+:Manual section:        8
+:Manual group:          SELinux
+
+DESCRIPTION
+===========
+
+The **aide** SELinux module supports the AIDE application (Advanced Intrusion
+Detection Environment) and resources.
+
+DOMAINS
+=======
+
+aide_t
+------
+
+The **aide_t** domain is used for the application runtime context. When the
+``aide`` command is invoked, it should run within this domain. 
+
+The use of this domain is restricted to the roles responsible for the security
+administration of the system, so **sysadm_r** and **secadm_r**. It is strongly
+discouraged to allow the use of AIDE for other roles.
+
+Due to its sensitive nature, when the MLS policy is enabled, AIDE runs in the
+**mls_systemhigh** sensitivity.
+
+LOCATIONS
+=========
+
+USER-ORIENTED
+-------------
+
+The following list of locations identify file resources that are used by the
+AIDE domain. They are by default allocated towards the default locations for
+AIDE, so if you use a different location, you will need to properly address
+this. You can do so through ``semanage``, like so::
+
+  semanage fcontext -a -t aide_db_t "/mnt/db/aide(/.*)?"
+
+The above example marks the */mnt/db/aide* location as the location where
+the AIDE databases are stored (identified through the **aide_db_t** type).
+
+aide_db_t
+  is used for the AIDE database location
+
+aide_log_t
+  is used for the AIDE logs
+
+OTHER RESOURCES
+===============
+
+EXECUTABLE FILES
+----------------
+
+aide_exec_t
+  is used as entry point for the AIDE application that runs in the **aide_t**
+  domain
+
+POLICY
+======
+
+The following interfaces can be used to enhance the default policy with
+AIDE-related privileges. More details on these interfaces can be found in the
+interface HTML documentation, we will not list all available interfaces here.
+
+Run interfaces
+--------------
+
+The following run interfaces allow users and roles access to the specified
+domains. Only to be used for new user domains and roles.
+
+aide_run
+  Allow the specified user domain and role access and transition rights to the
+  **aide_t** domain.
+
+aide_admin
+  Allow the specified user domain and role access and transition rights to the
+  **aide_t** domain, and allow administration of the AIDE related resources.
+
+Domtrans interfaces
+-------------------
+
+The following domain transition interfaces allow domains to execute and
+transition into the mentioned AIDE domain. Only to be used for domains
+assumed to be running within the general **system_r** role, or within a role
+already allowed access to the AIDE domain (such as **sysadm_r**).
+
+aide_domtrans
+  Allow the specified domain access and transition rights to the **aide_t**
+  domain.
+
+SEE ALSO
+========
+
+* Gentoo and SELinux at 
+  https://wiki.gentoo.org/wiki/SELinux
+* Gentoo Hardened SELinux Project at 
+  http://www.gentoo.org/proj/en/hardened/selinux
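Review bot: In the LOCATIONS section, the `semanage fcontext -a -t aide_db_t "/mnt/db/aide(/.*)?"` example only records the labeling rule; files that already exist under /mnt/db/aide keep their current type until they are relabeled. Add the follow-up step, for example `restorecon -R /mnt/db/aide`, so the relocated database is actually labeled aide_db_t. The aide_run and aide_admin entries would also benefit from repeating the DOMAINS warning that only the security administration roles (sysadm_r and secadm_r) should be given access to aide_t.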



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, man/man8/
@ 2014-08-15 16:14 Sven Vermeulen
From: Sven Vermeulen @ 2014-08-15 16:14 UTC
  To: gentoo-commits

commit:     7fb7f40e5ff78a5ca637061deb2ed8e62c3e99a6
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 15 16:11:16 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 16:11:16 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7fb7f40e

New location for Gentoo Hardened project

---
 man/man8/aide_selinux.8            | 2 +-
 man/man8/portage_selinux.8         | 2 +-
 policy/modules/contrib/aide.rst    | 2 +-
 policy/modules/contrib/portage.rst | 4 ++--
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/man/man8/aide_selinux.8 b/man/man8/aide_selinux.8
index 382376f..99acb45 100644
--- a/man/man8/aide_selinux.8
+++ b/man/man8/aide_selinux.8
@@ -120,7 +120,7 @@ Gentoo and SELinux at
 \fI\%https://wiki.gentoo.org/wiki/SELinux\fP
 .IP \(bu 2
 Gentoo Hardened SELinux Project at
-\fI\%http://www.gentoo.org/proj/en/hardened/selinux\fP
+\fI\%https://wiki.gentoo.org/wiki/Project:Hardened\fP
 .UNINDENT
 .SH AUTHOR
 Sven Vermeulen <swift@gentoo.org>

diff --git a/man/man8/portage_selinux.8 b/man/man8/portage_selinux.8
index 4a7658a..b2ca1e5 100644
--- a/man/man8/portage_selinux.8
+++ b/man/man8/portage_selinux.8
@@ -267,7 +267,7 @@ Gentoo and SELinux at
 \fI\%https://wiki.gentoo.org/wiki/SELinux\fP
 .IP \(bu 2
 Gentoo Hardened SELinux Project at
-\fI\%http://www.gentoo.org/proj/en/hardened/selinux\fP
+\fI\%https://wiki.gentoo.org/wiki/Project:Hardened\fP
 .UNINDENT
 .SH AUTHOR
 Sven Vermeulen <swift@gentoo.org>

diff --git a/policy/modules/contrib/aide.rst b/policy/modules/contrib/aide.rst
index 80325fe..16922e5 100644
--- a/policy/modules/contrib/aide.rst
+++ b/policy/modules/contrib/aide.rst
@@ -104,4 +104,4 @@ SEE ALSO
 * Gentoo and SELinux at 
   https://wiki.gentoo.org/wiki/SELinux
 * Gentoo Hardened SELinux Project at 
-  http://www.gentoo.org/proj/en/hardened/selinux
+  https://wiki.gentoo.org/wiki/Project:Hardened

diff --git a/policy/modules/contrib/portage.rst b/policy/modules/contrib/portage.rst
index 3ca2cc7..ac03eb2 100644
--- a/policy/modules/contrib/portage.rst
+++ b/policy/modules/contrib/portage.rst
@@ -234,5 +234,5 @@ SEE ALSO
 
 * Gentoo and SELinux at 
   https://wiki.gentoo.org/wiki/SELinux
-* Gentoo Hardened SELinux Project at 
-  http://www.gentoo.org/proj/en/hardened/selinux
+* Gentoo Hardened SELinux Project at
+  https://wiki.gentoo.org/wiki/Project:Hardened
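Review bot: The portage.rst hunk also strips the trailing space from the "* Gentoo Hardened SELinux Project at" line, while the context line "* Gentoo and SELinux at " just above it and the same line in the aide.rst hunk keep theirs. Either drop the whitespace change from this URL update or clean all of the SEE ALSO lines in both files in a separate commit, so the diff shows only the link change.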



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, man/man8/
@ 2014-08-15 16:23 Sven Vermeulen
From: Sven Vermeulen @ 2014-08-15 16:23 UTC
  To: gentoo-commits

commit:     071a04199d5f5d9f8dd50b7c5a415b8c3c17ae79
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 15 16:16:00 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 16:16:00 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=071a0419

Correct date

---
 man/man8/salt_selinux.8         | 2 +-
 policy/modules/contrib/salt.rst | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/man/man8/salt_selinux.8 b/man/man8/salt_selinux.8
index eada9f2..867d248 100644
--- a/man/man8/salt_selinux.8
+++ b/man/man8/salt_selinux.8
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH SALT_SELINUX 8 "2013-04-11" "" "SELinux"
+.TH SALT_SELINUX 8 "2014-08-15" "" "SELinux"
 .SH NAME
 salt_selinux \- SELinux policy module for Salt
 .

diff --git a/policy/modules/contrib/salt.rst b/policy/modules/contrib/salt.rst
index 5039edf..0268b95 100644
--- a/policy/modules/contrib/salt.rst
+++ b/policy/modules/contrib/salt.rst
@@ -7,7 +7,7 @@ SELinux policy module for Salt
 ------------------------------
 
 :Author:        Sven Vermeulen <swift@gentoo.org>
-:Date:          2013-04-11
+:Date:          2014-08-15
 :Manual section:        8
 :Manual group:          SELinux
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, man/man8/
@ 2014-08-19  9:19 Jason Zaman
From: Jason Zaman @ 2014-08-19  9:19 UTC
  To: gentoo-commits

commit:     071a04199d5f5d9f8dd50b7c5a415b8c3c17ae79
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 15 16:16:00 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Fri Aug 15 16:16:00 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=071a0419

Correct date

---
 man/man8/salt_selinux.8         | 2 +-
 policy/modules/contrib/salt.rst | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/man/man8/salt_selinux.8 b/man/man8/salt_selinux.8
index eada9f2..867d248 100644
--- a/man/man8/salt_selinux.8
+++ b/man/man8/salt_selinux.8
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH SALT_SELINUX 8 "2013-04-11" "" "SELinux"
+.TH SALT_SELINUX 8 "2014-08-15" "" "SELinux"
 .SH NAME
 salt_selinux \- SELinux policy module for Salt
 .

diff --git a/policy/modules/contrib/salt.rst b/policy/modules/contrib/salt.rst
index 5039edf..0268b95 100644
--- a/policy/modules/contrib/salt.rst
+++ b/policy/modules/contrib/salt.rst
@@ -7,7 +7,7 @@ SELinux policy module for Salt
 ------------------------------
 
 :Author:        Sven Vermeulen <swift@gentoo.org>
-:Date:          2013-04-11
+:Date:          2014-08-15
 :Manual section:        8
 :Manual group:          SELinux
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, man/man8/
@ 2014-08-19  9:19 Jason Zaman
From: Jason Zaman @ 2014-08-19  9:19 UTC
  To: gentoo-commits

commit:     7fb7f40e5ff78a5ca637061deb2ed8e62c3e99a6
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 15 16:11:16 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Fri Aug 15 16:11:16 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7fb7f40e

New location for Gentoo Hardened project

---
 man/man8/aide_selinux.8            | 2 +-
 man/man8/portage_selinux.8         | 2 +-
 policy/modules/contrib/aide.rst    | 2 +-
 policy/modules/contrib/portage.rst | 4 ++--
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/man/man8/aide_selinux.8 b/man/man8/aide_selinux.8
index 382376f..99acb45 100644
--- a/man/man8/aide_selinux.8
+++ b/man/man8/aide_selinux.8
@@ -120,7 +120,7 @@ Gentoo and SELinux at
 \fI\%https://wiki.gentoo.org/wiki/SELinux\fP
 .IP \(bu 2
 Gentoo Hardened SELinux Project at
-\fI\%http://www.gentoo.org/proj/en/hardened/selinux\fP
+\fI\%https://wiki.gentoo.org/wiki/Project:Hardened\fP
 .UNINDENT
 .SH AUTHOR
 Sven Vermeulen <swift@gentoo.org>

diff --git a/man/man8/portage_selinux.8 b/man/man8/portage_selinux.8
index 4a7658a..b2ca1e5 100644
--- a/man/man8/portage_selinux.8
+++ b/man/man8/portage_selinux.8
@@ -267,7 +267,7 @@ Gentoo and SELinux at
 \fI\%https://wiki.gentoo.org/wiki/SELinux\fP
 .IP \(bu 2
 Gentoo Hardened SELinux Project at
-\fI\%http://www.gentoo.org/proj/en/hardened/selinux\fP
+\fI\%https://wiki.gentoo.org/wiki/Project:Hardened\fP
 .UNINDENT
 .SH AUTHOR
 Sven Vermeulen <swift@gentoo.org>

diff --git a/policy/modules/contrib/aide.rst b/policy/modules/contrib/aide.rst
index 80325fe..16922e5 100644
--- a/policy/modules/contrib/aide.rst
+++ b/policy/modules/contrib/aide.rst
@@ -104,4 +104,4 @@ SEE ALSO
 * Gentoo and SELinux at 
   https://wiki.gentoo.org/wiki/SELinux
 * Gentoo Hardened SELinux Project at 
-  http://www.gentoo.org/proj/en/hardened/selinux
+  https://wiki.gentoo.org/wiki/Project:Hardened

diff --git a/policy/modules/contrib/portage.rst b/policy/modules/contrib/portage.rst
index 3ca2cc7..ac03eb2 100644
--- a/policy/modules/contrib/portage.rst
+++ b/policy/modules/contrib/portage.rst
@@ -234,5 +234,5 @@ SEE ALSO
 
 * Gentoo and SELinux at 
   https://wiki.gentoo.org/wiki/SELinux
-* Gentoo Hardened SELinux Project at 
-  http://www.gentoo.org/proj/en/hardened/selinux
+* Gentoo Hardened SELinux Project at
+  https://wiki.gentoo.org/wiki/Project:Hardened



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, man/man8/
@ 2014-11-11 13:00 Sven Vermeulen
From: Sven Vermeulen @ 2014-11-11 13:00 UTC
  To: gentoo-commits

commit:     9849bb0f35a1fbe3b88f21386420d17248e24561
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Nov 11 12:59:52 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Nov 11 12:59:52 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9849bb0f

Add cron_selinux manual page, support for bug #526532

---
 man/man8/cron_selinux.8         | 349 ++++++++++++++++++++++++++++++++++++++++
 policy/modules/contrib/cron.rst | 284 ++++++++++++++++++++++++++++++++
 2 files changed, 633 insertions(+)

diff --git a/man/man8/cron_selinux.8 b/man/man8/cron_selinux.8
new file mode 100644
index 0000000..701ad97
--- /dev/null
+++ b/man/man8/cron_selinux.8
@@ -0,0 +1,349 @@
+.\" Man page generated from reStructuredText.
+.
+.TH CRON_SELINUX 8 "2014-11-11" "" "SELinux"
+.SH NAME
+cron_selinux \- SELinux policy module for Cron
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.SH DESCRIPTION
+.sp
+The \fBcron\fP SELinux module supports various Unix cron daemons, including (but
+not limited to) vixie\-cron, cronie, fcron and anacron.
+.sp
+The SELinux cron support is somewhat more complex than most other SELinux
+domains, because the cron daemon is responsible for executing workload in the
+context of end users as well as the overall system. Most Cron implementations
+are also SELinux\-aware, so having some understanding of how they operate is
+important.
+.sp
+Most of these cron implementations use the SELinux ownership of the crontab
+file (the file which contains the execution task definitions) to determine
+in which context a task is to be executed. For instance, if a crontab file
+installed in \fB/var/spool/cron/crontabs\fP has a SELinux context whose SELinux
+owner is \fIstaff_u\fP, then the tasks defined in it will be run through either
+the general cronjob domain (\fIcronjob_t\fP) or the end user domain (\fIstaff_t\fP)
+depending on the value of the \fIcron_userdomain_transition\fP boolean.
+.sp
+This boolean, if set to 1 (true), will have the tasks run in the user domain
+(such as \fIstaff_t\fP, \fIsysadm_t\fP, \fIunconfined_t\fP, etc.) whereas, if it is set
+to 0 (false), will have the tasks run in the general cronjob domain
+(\fIcronjob_t\fP) for end user tasks, or the system cronjob domain
+(\fIsystem_cronjob_t\fP) for system tasks.
+.sp
+The latter is also an important detail \- if for some reason packages deploy
+their tasks as end user cronjobs, then the resulting commands might not be
+running in the proper domain. As a general rule, system cronjobs are defined
+in either \fB/etc/crontab\fP or in files in the \fB/etc/cron.d\fP directory. End
+user cronjobs are defined in files in the \fB/var/spool/cron/crontabs\fP
+directory.
+.SS System administration
+.sp
+To perform system administration tasks (non\-end user tasks) through cron jobs,
+take the following considerations into account:
+.INDENT 0.0
+.IP \(bu 2
+To ensure that the jobs run in the right context (\fIsystem_cronjob_t\fP for
+starts), make sure that the cronjob definitions (the crontab files) are
+inside \fB/etc/crontab\fP or in the \fB/etc/cron.d\fP directories.
+.IP \(bu 2
+Have the scripts to be executed labeled properly, and consider using a domain
+transition for these scripts (through \fBcron_system_entry()\fP).
+.IP \(bu 2
+Make sure the \fBHOME\fP directory is set to \fB/\fP so that the target domains
+do not need any privileges inside end user locations (including \fB/root\fP).
+.UNINDENT
+.SS User cronjobs
+.sp
+When working with end user crontabs (those triggered / managed through the
+\fBcrontab\fP command), take care that this is done as the SELinux user which is
+associated with the file. This is for two reasons:
+.INDENT 0.0
+.IP 1. 3
+If \fBUSE="ubac"\fP is set, then the SELinux User Based Access Control is
+enabled. This could prevent one SELinux user from editing (or even viewing)
+the crontab files of another user.
+.IP 2. 3
+The owner of the crontab file is also used by most cron implementations to
+find out which context the user cronjob should run in. If this ownership is
+incorrect, then the cronjob might not even launch properly, or run in the
+wrong context.
+.UNINDENT
+.sp
+If this was not done correctly, you will get the following error:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+cron[20642]: (root) ENTRYPOINT FAILED (crontabs/root)
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+If the above error still comes up even though the ownership of the \fBcrontab\fP
+file is correct, then check the state of the \fIcron_userdomain_transition\fP
+boolean and the \fBdefault_contexts\fP file. If the boolean is set to true, then
+the \fBdefault_contexts\fP file (or the user\-specific files in the \fBusers/\fP
+directory) should target the user domains instead of the cronjob domains:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+~# getsebool cron_userdomain_transition
+cron_userdomain_transition \-\-> on
+
+~# grep crond_t /etc/selinux/*/contexts{default_contexts,users/*}
+system_r:crond_t:s0   user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+Remember that the default context definitions in the \fBusers/\fP directory
+take priority over the ones defined in the \fBdefault_contexts\fP files.
+.SH BOOLEANS
+.sp
+The following booleans are defined through the \fBcron\fP SELinux policy module.
+They can be toggled using \fBsetsebool\fP, like so:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+setsebool \-P cron_userdomain_transition on
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B cron_can_relabel
+Allow system cron jobs to relabel files on the file system (and restore the
+context of files). This privilege is assigned to the \fIsystem_cronjob_t\fP
+domain.
+.TP
+.B cron_userdomain_transition
+If enabled, end user cron jobs run in their default associated user domain
+(such as \fIuser_t\fP or \fIunconfined_t\fP) instead of the general end user cronjob
+domain (\fIcronjob_t\fP).
+.sp
+This also requires that the \fBdefault_contexts\fP file (inside
+\fB/etc/selinux/*/contexts\fP) is updated accordingly, mentioning that the target
+contexts are now the user domains rather than the cronjob domains.
+.TP
+.B fcron_crond
+Enable additional SELinux policy rules needed for the fcron cron implementation.
+.UNINDENT
+.SH DOMAINS
+.SS crond_t
+.sp
+The main cron domain is \fIcrond_t\fP, used by the cron daemon. It is generally
+responsible for initiating the cronjob tasks, detecting changes on the crontab
+files and reloading the configuration if that happens.
+.sp
+Almost all cron implementations are launched through their respective init
+script.
+.sp
+Some cron implementations which are not SELinux\-aware might have the cronjobs
+themselves also run through the \fIcrond_t\fP domain.
+.SS cronjob_t
+.sp
+The \fIcronjob_t\fP domain is used for end user generic cronjobs.
+.SS system_cronjob_t
+.sp
+The \fIsystem_cronjob_t\fP domain is used for system cronjobs.
+.SS crontab_t
+.sp
+The \fIcrontab_t\fP domain is used by end users\(aq \fBcrontab\fP execution (the command
+used to manipulate end user crontab files).
+.SS admin_crontab_t
+.sp
+The \fIadmin_crontab_t\fP domain is used by administrators4 \fBcrontab\fP execution
+(the command used to manipulate crontab files).
+.SH LOCATIONS
+.sp
+The following list of locations identify file resources that are used by the
+cron domains. They are by default allocated towards the default locations for
+cron, so if you use a different location, you will need to properly address
+this. You can do so through \fBsemanage\fP, like so:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+semanage fcontext \-a \-t system_cron_spool_t "/usr/local/etc/cron\e.d(/.*)?"
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The above example marks the \fI/usr/local/etc/cron.d\fP location as the location where
+system cronjob definitions are stored.
+.SS FUNCTIONAL
+.INDENT 0.0
+.TP
+.B cron_spool_t
+is used for the end user cronjob definition files
+.TP
+.B sysadm_cron_spool_t
+is used for the administrator cronjob definition files
+.TP
+.B system_cron_spool_t
+is used for the system cronjob definition files
+.UNINDENT
+.SS EXEUTABLES
+.INDENT 0.0
+.TP
+.B anacron_exec_t
+is used for the \fBanacron\fP binary
+.TP
+.B crond_exec_t
+is used for the cron daemon binary
+.TP
+.B crond_initrc_exec_t
+is used for the cron init script (such as \fB/etc/init.d/crond\fP)
+.TP
+.B crontab_exec_t
+is used for the \fBcrontab\fP binary
+.UNINDENT
+.SS DAEMON FILES
+.INDENT 0.0
+.TP
+.B cron_log_t
+is used for the cron log files
+.TP
+.B cron_var_lib_t
+is used for the variable state information of the cron daemon
+.TP
+.B crond_tmp_t
+is used for the temporary files created/managed by the cron daemon
+.TP
+.B crond_var_run_t
+is used for the variable runtime information of the cron daemon
+.UNINDENT
+.SH POLICY
+.sp
+The following interfaces can be used to enhance the default policy with
+cron\-related provileges. More details on these interfaces can be found in the
+interface HTML documentation, we will not list all available interfaces here.
+.SS Domain interaction
+.sp
+The most interesting definition in the policy is the \fBcron_system_entry\fP
+interface. It allows for the system cronjob domain (\fIsystem_cronjob_t\fP) to
+execute a particular type (second argument) and transition to a given domain
+(first argument).
+.sp
+For instance, to allow a system cronjob to execute any portage commands:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+cron_system_entry(portage_t, portage_exec_t)
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+It is generally preferred to transition a system cron job as fast as possible
+to a specific domain rather than enhancing the \fIsystem_cronjob_t\fP with
+additional privileges.
+.SS Role interfaces
+.sp
+The following role interfaces allow users and roles access to the specified
+domains. Only to be used for user domains and roles.
+.INDENT 0.0
+.TP
+.B cron_role
+is used to allow users and roles access to the cron related domains. This
+one should be used for end users, not administrators.
+.sp
+For instance:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+cron_role(myuser_r, myuser_t)
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.TP
+.B cron_admin_role
+is used to allow users and roles administrative access to the cron related
+domains.
+.sp
+For instance:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+cron_admin_role(myuser_r, myuser_t)
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH BUGS
+.SS Munin
+.sp
+The \fBnet\-analyzer/munin\fP package deploys the munin cronjobs as end user
+cronjobs inside \fB/var/spool/cron/crontabs\fP\&. The munin cronjobs are meant to
+be executed as the munin Linux account, but the jobs themselves are best seen
+as system cronjobs (as they are not related to a true interactive end user).
+.sp
+The default deployed files do not get the \fIsystem_u\fP SELinux ownership
+assigned. To fix this, execute the following command:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+~# chcon \-u system_u /var/spool/cron/crontabs/munin
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+For more information, see bug #526532.
+.SH SEE ALSO
+.INDENT 0.0
+.IP \(bu 2
+Gentoo and SELinux at \fI\%https://wiki.gentoo.org/wiki/SELinux\fP
+.IP \(bu 2
+Gentoo Hardened SELinux Project at
+\fI\%https://wiki.gentoo.org/wiki/Project:Hardened\fP
+.UNINDENT
+.SH AUTHOR
+Sven Vermeulen <swift@gentoo.org>
+.\" Generated by docutils manpage writer.
+.
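Review bot: In the default_contexts example under "User cronjobs", the path `/etc/selinux/*/contexts{default_contexts,users/*}` is missing the slash before the brace, so the shell expands it to `contextsdefault_contexts` and `contextsusers/*`, paths that do not exist; it should read `/etc/selinux/*/contexts/{default_contexts,users/*}`. The same text has a few typos to fix in cron.rst before regenerating this page: "for starts" in the System administration list (presumably "for starters"), "administrators4" under admin_crontab_t, the "EXEUTABLES" heading, and "provileges" in the POLICY section.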

diff --git a/policy/modules/contrib/cron.rst b/policy/modules/contrib/cron.rst
new file mode 100644
index 0000000..55f625c
--- /dev/null
+++ b/policy/modules/contrib/cron.rst
@@ -0,0 +1,284 @@
+============
+cron_selinux
+============
+
+------------------------------
+SELinux policy module for Cron
+------------------------------
+
+:Author:        Sven Vermeulen <swift@gentoo.org>
+:Date:          2014-11-11
+:Manual section:        8
+:Manual group:          SELinux
+
+DESCRIPTION
+===========
+
+The **cron** SELinux module supports various Unix cron daemons, including (but
+not limited to) vixie-cron, cronie, fcron and anacron.
+
+The SELinux cron support is somewhat more complex than most other SELinux
+domains, because the cron daemon is responsible for executing workload in the
+context of end users as well as the overall system. Most Cron implementations
+are also SELinux-aware, so having some understanding of how they operate is
+important.
+
+Most of these cron implementations use the SELinux ownership of the crontab
+file (the file which contains the execution task definitions) to determine
+in which context a task is to be executed. For instance, if a crontab file
+installed in ``/var/spool/cron/crontabs`` has a SELinux context whose SELinux
+owner is *staff_u*, then the tasks defined in it will be run through either
+the general cronjob domain (*cronjob_t*) or the end user domain (*staff_t*)
+depending on the value of the *cron_userdomain_transition* boolean.
+
+This boolean, if set to 1 (true), will have the tasks run in the user domain
+(such as *staff_t*, *sysadm_t*, *unconfined_t*, etc.) whereas, if it is set
+to 0 (false), will have the tasks run in the general cronjob domain
+(*cronjob_t*) for end user tasks, or the system cronjob domain
+(*system_cronjob_t*) for system tasks.
+
+The latter is also an important detail - if for some reason packages deploy
+their tasks as end user cronjobs, then the resulting commands might not be
+running in the proper domain. As a general rule, system cronjobs are defined
+in either ``/etc/crontab`` or in files in the ``/etc/cron.d`` directory. End
+user cronjobs are defined in files in the ``/var/spool/cron/crontabs``
+directory.
+
+System administration
+---------------------
+
+To perform system administration tasks (non-end user tasks) through cron jobs,
+take the following considerations into account:
+
+* To ensure that the jobs run in the right context (*system_cronjob_t* for
+  starts), make sure that the cronjob definitions (the crontab files) are
+  inside ``/etc/crontab`` or in the ``/etc/cron.d`` directories.
+* Have the scripts to be executed labeled properly, and consider using a domain
+  transition for these scripts (through ``cron_system_entry()``).
+* Make sure the ``HOME`` directory is set to ``/`` so that the target domains
+  do not need any privileges inside end user locations (including ``/root``).
+
+User cronjobs
+-------------
+
+When working with end user crontabs (those triggered / managed through the
+**crontab** command), take care that this is done as the SELinux user which is
+associated with the file. This is for two reasons:
+
+1. If ``USE="ubac"`` is set, then the SELinux User Based Access Control is
+   enabled. This could prevent one SELinux user from editing (or even viewing)
+   the crontab files of another user.
+2. The owner of the crontab file is also used by most cron implementations to
+   find out which context the user cronjob should run in. If this ownership is
+   incorrect, then the cronjob might not even launch properly, or run in the
+   wrong context.
+
+If this was not done correctly, you will get the following error::
+
+  cron[20642]: (root) ENTRYPOINT FAILED (crontabs/root)
+
+If the above error still comes up even though the ownership of the ``crontab``
+file is correct, then check the state of the *cron_userdomain_transition*
+boolean and the ``default_contexts`` file. If the boolean is set to true, then
+the ``default_contexts`` file (or the user-specific files in the ``users/``
+directory) should target the user domains instead of the cronjob domains::
+
+  ~# getsebool cron_userdomain_transition
+  cron_userdomain_transition --> on
+
+  ~# grep crond_t /etc/selinux/*/contexts{default_contexts,users/*}
+  system_r:crond_t:s0	user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
+
+Remember that the default context definitions in the ``users/`` directory
+take priority over the ones defined in the ``default_contexts`` files.
+
+BOOLEANS
+========
+
+The following booleans are defined through the **cron** SELinux policy module.
+They can be toggled using ``setsebool``, like so::
+
+  setsebool -P cron_userdomain_transition on
+
+cron_can_relabel
+  Allow system cron jobs to relabel files on the file system (and restore the
+  context of files). This privilege is assigned to the *system_cronjob_t*
+  domain.
+
+cron_userdomain_transition
+  If enabled, end user cron jobs run in their default associated user domain
+  (such as *user_t* or *unconfined_t*) instead of the general end user cronjob
+  domain (*cronjob_t*).
+
+  This also requires that the ``default_contexts`` file (inside
+  ``/etc/selinux/*/contexts``) is updated accordingly, mentioning that the target
+  contexts are now the user domains rather than the cronjob domains.
+
+fcron_crond
+  Enable additional SELinux policy rules needed for the fcron cron implementation.
+
+DOMAINS
+=======
+
+crond_t
+-------
+
+The main cron domain is *crond_t*, used by the cron daemon. It is generally
+responsible for initiating the cronjob tasks, detecting changes on the crontab
+files and reloading the configuration if that happens.
+
+Almost all cron implementations are launched through their respective init
+script.
+
+Some cron implementations which are not SELinux-aware might have the cronjobs
+themselves also run through the *crond_t* domain.
+
+cronjob_t
+---------
+
+The *cronjob_t* domain is used for end user generic cronjobs.
+
+system_cronjob_t
+----------------
+
+The *system_cronjob_t* domain is used for system cronjobs.
+
+crontab_t
+---------
+
+The *crontab_t* domain is used by end users' **crontab** execution (the command
+used to manipulate end user crontab files).
+
+admin_crontab_t
+---------------
+
+The *admin_crontab_t* domain is used by administrators4 **crontab** execution
+(the command used to manipulate crontab files).
+
+LOCATIONS
+=========
+
+The following list of locations identify file resources that are used by the
+cron domains. They are by default allocated towards the default locations for
+cron, so if you use a different location, you will need to properly address
+this. You can do so through ``semanage``, like so::
+
+  semanage fcontext -a -t system_cron_spool_t "/usr/local/etc/cron\.d(/.*)?"
+
+The above example marks the */usr/local/etc/cron.d* location as the location where
+system cronjob definitions are stored.
+
+FUNCTIONAL
+----------
+
+cron_spool_t
+  is used for the end user cronjob definition files
+
+sysadm_cron_spool_t
+  is used for the administrator cronjob definition files
+
+system_cron_spool_t
+  is used for the system cronjob definition files
+
+EXEUTABLES
+----------
+
+anacron_exec_t
+  is used for the **anacron** binary
+
+crond_exec_t
+  is used for the cron daemon binary
+
+crond_initrc_exec_t
+  is used for the cron init script (such as ``/etc/init.d/crond``)
+
+crontab_exec_t
+  is used for the **crontab** binary
+
+
+DAEMON FILES
+------------
+
+cron_log_t
+  is used for the cron log files
+
+cron_var_lib_t
+  is used for the variable state information of the cron daemon
+
+crond_tmp_t
+  is used for the temporary files created/managed by the cron daemon
+
+crond_var_run_t
+  is used for the variable runtime information of the cron daemon
+
+POLICY
+======
+
+The following interfaces can be used to enhance the default policy with
+cron-related provileges. More details on these interfaces can be found in the
+interface HTML documentation, we will not list all available interfaces here.
+
+Domain interaction
+------------------
+
+The most interesting definition in the policy is the ``cron_system_entry``
+interface. It allows for the system cronjob domain (*system_cronjob_t*) to
+execute a particular type (second argument) and transition to a given domain
+(first argument).
+
+For instance, to allow a system cronjob to execute any portage commands::
+
+  cron_system_entry(portage_t, portage_exec_t)
+
+
+It is generally preferred to transition a system cron job as fast as possible
+to a specific domain rather than enhancing the *system_cronjob_t* with
+additional privileges.
+
+Role interfaces
+---------------
+
+The following role interfaces allow users and roles access to the specified
+domains. Only to be used for user domains and roles.
+
+cron_role
+  is used to allow users and roles access to the cron related domains. This
+  one should be used for end users, not administrators.
+
+  For instance::
+
+    cron_role(myuser_r, myuser_t)
+
+cron_admin_role
+  is used to allow users and roles administrative access to the cron related
+  domains.
+
+  For instance::
+
+    cron_admin_role(myuser_r, myuser_t)
+
+BUGS
+====
+
+Munin
+-----
+
+The ``net-analyzer/munin`` package deploys the munin cronjobs as end user
+cronjobs inside ``/var/spool/cron/crontabs``. The munin cronjobs are meant to
+be executed as the munin Linux account, but the jobs themselves are best seen
+as system cronjobs (as they are not related to a true interactive end user).
+
+The default deployed files do not get the *system_u* SELinux ownership
+assigned. To fix this, execute the following command::
+
+  ~# chcon -u system_u /var/spool/cron/crontabs/munin
+
+For more information, see bug #526532.
+
+
+SEE ALSO
+========
+
+* Gentoo and SELinux at https://wiki.gentoo.org/wiki/SELinux
+* Gentoo Hardened SELinux Project at
+  https://wiki.gentoo.org/wiki/Project:Hardened
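Review bot: The troubleshooting example in the "User cronjobs" section has a broken path: `grep crond_t /etc/selinux/*/contexts{default_contexts,users/*}` is missing the slash after `contexts`, so brace expansion produces `contextsdefault_contexts` and `contextsusers/*` instead of files inside the `/etc/selinux/*/contexts` directory that the BOOLEANS section names. It should read `/etc/selinux/*/contexts/{default_contexts,users/*}`. Since this is the command a reader runs to check why a job fails with ENTRYPOINT FAILED, a path that matches nothing will look like "no crond_t mapping defined" and send them in the wrong direction. Smaller points in the same file: "administrators4" under admin_crontab_t should be "administrators'", the "EXEUTABLES" heading should be "EXECUTABLES" (with its underline lengthened by one), "provileges" under POLICY should be "privileges", and "(*system_cronjob_t* for starts)" in the System administration list reads like a leftover phrase.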



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, man/man8/
@ 2014-11-11 13:23 Sven Vermeulen
  0 siblings, 0 replies; 7+ messages in thread
From: Sven Vermeulen @ 2014-11-11 13:23 UTC (permalink / raw
  To: gentoo-commits

commit:     96b9d3ea8b0f23712fca45c58b36a0d107eb4e07
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Nov 11 13:08:49 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Nov 11 13:08:49 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=96b9d3ea

Fix typo in cron manual page

---
 man/man8/cron_selinux.8         | 2 +-
 policy/modules/contrib/cron.rst | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/man/man8/cron_selinux.8 b/man/man8/cron_selinux.8
index 701ad97..c3dd184 100644
--- a/man/man8/cron_selinux.8
+++ b/man/man8/cron_selinux.8
@@ -218,7 +218,7 @@ is used for the administrator cronjob definition files
 .B system_cron_spool_t
 is used for the system cronjob definition files
 .UNINDENT
-.SS EXEUTABLES
+.SS EXECUTABLES
 .INDENT 0.0
 .TP
 .B anacron_exec_t
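Review bot: The `.SS EXECUTABLES` fix is applied by hand here and again in cron.rst, but the `.INDENT`/`.UNINDENT` macros around it are rst2man output, so this file looks generated. Regenerating cron_selinux.8 from the corrected cron.rst instead of editing both would keep the two from drifting apart; if hand-editing is intended, say so in the commit message.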

diff --git a/policy/modules/contrib/cron.rst b/policy/modules/contrib/cron.rst
index 55f625c..caf0977 100644
--- a/policy/modules/contrib/cron.rst
+++ b/policy/modules/contrib/cron.rst
@@ -180,8 +180,8 @@ sysadm_cron_spool_t
 system_cron_spool_t
   is used for the system cronjob definition files
 
-EXEUTABLES
-----------
+EXECUTABLES
+-----------
 
 anacron_exec_t
   is used for the **anacron** binary
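Review bot: The heading fix is right and the underline is correctly lengthened to match the 11-character title, but the commit stops at this one typo. The cron.rst text posted earlier in this thread also carries "administrators4" (admin_crontab_t), "provileges" (POLICY) and a `grep` example with `contexts{default_contexts,users/*}` missing its slash; if those are still present in this revision, they belong in the same typo commit, with the man page updated to match.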

