From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-824389-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id 660AF1395D2
	for <garchives@archives.gentoo.org>; Fri, 31 Jul 2015 14:15:45 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id A69A914042;
	Fri, 31 Jul 2015 14:15:43 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 1DE0514042
	for <gentoo-commits@lists.gentoo.org>; Fri, 31 Jul 2015 14:15:43 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 77B6C340968
	for <gentoo-commits@lists.gentoo.org>; Fri, 31 Jul 2015 14:15:42 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id C264B118
	for <gentoo-commits@lists.gentoo.org>; Fri, 31 Jul 2015 14:15:38 +0000 (UTC)
From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" <perfinion@gentoo.org>
Message-ID: <1438274493.668db9970fcfe4c20ba9619272799c3dd258fce0.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/cron.if
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 668db9970fcfe4c20ba9619272799c3dd258fce0
X-VCS-Branch: master
Date: Fri, 31 Jul 2015 14:15:38 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 1de83f06-8bdf-410c-9072-d2f554a975fb
X-Archives-Hash: 1b86180b016fd0da696063cd1036a5b6

commit:     668db9970fcfe4c20ba9619272799c3dd258fce0
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Jul 16 13:09:44 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jul 30 16:41:33 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=668db997

Introduce cron_admin interface

 policy/modules/contrib/cron.if | 53 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)

diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if
index 868d89f..3925811 100644
--- a/policy/modules/contrib/cron.if
+++ b/policy/modules/contrib/cron.if
@@ -835,3 +835,56 @@ interface(`cron_dontaudit_write_system_job_tmp_files',`
 
 	dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
 ')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate a cron environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`cron_admin',`
+	gen_require(`
+		type crond_t, cronjob_t, crond_initrc_exec_t;
+		type cron_var_lib_t, system_cronjob_var_lib_t;
+		type crond_tmp_t, admin_crontab_tmp_t;
+		type crontab_tmp_t, system_cronjob_tmp_t;
+		type cron_var_run_t, system_cronjob_var_run_t, crond_var_run_t;
+		type cron_log_t, system_cronjob_lock_t, user_cron_spool_log_t;
+		attribute cron_spool_type;
+	')
+
+	allow $1 { crond_t cronjob_t }:process { ptrace signal_perms };
+	ps_process_pattern($1, { crond_t cronjob_t })
+
+	init_startstop_service($1, $2, crond_t, crond_initrc_exec_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, { cron_var_lib_t system_cronjob_var_lib_t })
+
+	files_search_tmp($1)
+	admin_pattern($1, { crond_tmp_t admin_crontab_tmp_t })
+	admin_pattern($1, { crontab_tmp_t system_cronjob_tmp_t })
+
+	files_search_pids($1)
+	admin_pattern($1, { cron_var_run_t crond_var_run_t system_cronjob_var_run_t })
+
+	files_search_locks($1)
+	admin_pattern($1, system_cronjob_lock_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, { cron_log_t user_cron_spool_log_t })
+
+	files_search_spool($1)
+	admin_pattern($1, cron_spool_type)
+')


From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-825177-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id 641FB1395E1
	for <garchives@archives.gentoo.org>; Sun,  2 Aug 2015 19:06:39 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 466301401E;
	Sun,  2 Aug 2015 19:06:38 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 6D3871401A
	for <gentoo-commits@lists.gentoo.org>; Sun,  2 Aug 2015 19:06:37 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id C49A43406AA
	for <gentoo-commits@lists.gentoo.org>; Sun,  2 Aug 2015 19:06:36 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id 7A043124
	for <gentoo-commits@lists.gentoo.org>; Sun,  2 Aug 2015 19:06:33 +0000 (UTC)
From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" <perfinion@gentoo.org>
Message-ID: <1438274493.668db9970fcfe4c20ba9619272799c3dd258fce0.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/cron.if
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 668db9970fcfe4c20ba9619272799c3dd258fce0
X-VCS-Branch: next
Date: Sun,  2 Aug 2015 19:06:33 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: b77303cd-a06e-445c-bf60-55a94424663f
X-Archives-Hash: e3c088dcc4d5c468774a17b7e1355b1a
Message-ID: <20150802190633.aZDc7sK3YLYO51I3NtYWkiKNJvDprUgHfOOd6Vrbd6k@z>

commit:     668db9970fcfe4c20ba9619272799c3dd258fce0
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Jul 16 13:09:44 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jul 30 16:41:33 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=668db997

Introduce cron_admin interface

 policy/modules/contrib/cron.if | 53 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)

diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if
index 868d89f..3925811 100644
--- a/policy/modules/contrib/cron.if
+++ b/policy/modules/contrib/cron.if
@@ -835,3 +835,56 @@ interface(`cron_dontaudit_write_system_job_tmp_files',`
 
 	dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
 ')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate a cron environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`cron_admin',`
+	gen_require(`
+		type crond_t, cronjob_t, crond_initrc_exec_t;
+		type cron_var_lib_t, system_cronjob_var_lib_t;
+		type crond_tmp_t, admin_crontab_tmp_t;
+		type crontab_tmp_t, system_cronjob_tmp_t;
+		type cron_var_run_t, system_cronjob_var_run_t, crond_var_run_t;
+		type cron_log_t, system_cronjob_lock_t, user_cron_spool_log_t;
+		attribute cron_spool_type;
+	')
+
+	allow $1 { crond_t cronjob_t }:process { ptrace signal_perms };
+	ps_process_pattern($1, { crond_t cronjob_t })
+
+	init_startstop_service($1, $2, crond_t, crond_initrc_exec_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, { cron_var_lib_t system_cronjob_var_lib_t })
+
+	files_search_tmp($1)
+	admin_pattern($1, { crond_tmp_t admin_crontab_tmp_t })
+	admin_pattern($1, { crontab_tmp_t system_cronjob_tmp_t })
+
+	files_search_pids($1)
+	admin_pattern($1, { cron_var_run_t crond_var_run_t system_cronjob_var_run_t })
+
+	files_search_locks($1)
+	admin_pattern($1, system_cronjob_lock_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, { cron_log_t user_cron_spool_log_t })
+
+	files_search_spool($1)
+	admin_pattern($1, cron_spool_type)
+')