From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 660AF1395D2 for ; Fri, 31 Jul 2015 14:15:45 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id A69A914042; Fri, 31 Jul 2015 14:15:43 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 1DE0514042 for ; Fri, 31 Jul 2015 14:15:43 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 77B6C340968 for ; Fri, 31 Jul 2015 14:15:42 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id C264B118 for ; Fri, 31 Jul 2015 14:15:38 +0000 (UTC)
From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1438274493.668db9970fcfe4c20ba9619272799c3dd258fce0.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/cron.if
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 668db9970fcfe4c20ba9619272799c3dd258fce0
X-VCS-Branch: master
Date: Fri, 31 Jul 2015 14:15:38 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 1de83f06-8bdf-410c-9072-d2f554a975fb
X-Archives-Hash: 1b86180b016fd0da696063cd1036a5b6

commit:     668db9970fcfe4c20ba9619272799c3dd258fce0
Author:     Jason Zaman perfinion com>
AuthorDate: Thu Jul 16 13:09:44 2015 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Thu Jul 30 16:41:33 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=668db997

Introduce cron_admin interface

 policy/modules/contrib/cron.if | 53 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)

diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if
index 868d89f..3925811 100644
--- a/policy/modules/contrib/cron.if
+++ b/policy/modules/contrib/cron.if
@@ -835,3 +835,56 @@ interface(`cron_dontaudit_write_system_job_tmp_files',` dontaudit $1 system_cronjob_tmp_t:file write_file_perms; ') + +######################################## +## +## All of the rules required to +## administrate a cron environment. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`cron_admin',` + gen_require(` + type crond_t, cronjob_t, crond_initrc_exec_t; + type cron_var_lib_t, system_cronjob_var_lib_t; + type crond_tmp_t, admin_crontab_tmp_t; + type crontab_tmp_t, system_cronjob_tmp_t; + type cron_var_run_t, system_cronjob_var_run_t, crond_var_run_t; + type cron_log_t, system_cronjob_lock_t, user_cron_spool_log_t; + attribute cron_spool_type; + ') + + allow $1 { crond_t cronjob_t }:process { ptrace signal_perms }; + ps_process_pattern($1, { crond_t cronjob_t }) + + init_startstop_service($1, $2, crond_t, crond_initrc_exec_t) + + files_search_var_lib($1) + admin_pattern($1, { cron_var_lib_t system_cronjob_var_lib_t }) + + files_search_tmp($1) + admin_pattern($1, { crond_tmp_t admin_crontab_tmp_t }) + admin_pattern($1, { crontab_tmp_t system_cronjob_tmp_t }) + + files_search_pids($1) + admin_pattern($1, { cron_var_run_t crond_var_run_t system_cronjob_var_run_t }) + + files_search_locks($1) + admin_pattern($1, system_cronjob_lock_t) + + logging_search_logs($1) + admin_pattern($1, { cron_log_t user_cron_spool_log_t }) + + files_search_spool($1) + admin_pattern($1, cron_spool_type) +') From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 641FB1395E1 for ; Sun, 2 Aug 2015 19:06:39 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 466301401E; Sun, 2 Aug 2015 19:06:38 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client 
certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 6D3871401A for ; Sun, 2 Aug 2015 19:06:37 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id C49A43406AA for ; Sun, 2 Aug 2015 19:06:36 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 7A043124 for ; Sun, 2 Aug 2015 19:06:33 +0000 (UTC)
From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1438274493.668db9970fcfe4c20ba9619272799c3dd258fce0.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/cron.if
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 668db9970fcfe4c20ba9619272799c3dd258fce0
X-VCS-Branch: next
Date: Sun, 2 Aug 2015 19:06:33 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: b77303cd-a06e-445c-bf60-55a94424663f
X-Archives-Hash: e3c088dcc4d5c468774a17b7e1355b1a
Message-ID: <20150802190633.aZDc7sK3YLYO51I3NtYWkiKNJvDprUgHfOOd6Vrbd6k@z>

commit:     668db9970fcfe4c20ba9619272799c3dd258fce0
Author:     Jason Zaman perfinion com>
AuthorDate: Thu Jul 16 13:09:44 2015 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Thu Jul 30 16:41:33 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=668db997

Introduce cron_admin interface

 policy/modules/contrib/cron.if | 53 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if index 868d89f..3925811 100644 --- a/policy/modules/contrib/cron.if +++ b/policy/modules/contrib/cron.if @@ -835,3 +835,56 @@ interface(`cron_dontaudit_write_system_job_tmp_files',` dontaudit $1 system_cronjob_tmp_t:file write_file_perms; ') + +######################################## +## +## All of the rules required to +## administrate a cron environment. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`cron_admin',` + gen_require(` + type crond_t, cronjob_t, crond_initrc_exec_t; + type cron_var_lib_t, system_cronjob_var_lib_t; + type crond_tmp_t, admin_crontab_tmp_t; + type crontab_tmp_t, system_cronjob_tmp_t; + type cron_var_run_t, system_cronjob_var_run_t, crond_var_run_t; + type cron_log_t, system_cronjob_lock_t, user_cron_spool_log_t; + attribute cron_spool_type; + ') + + allow $1 { crond_t cronjob_t }:process { ptrace signal_perms }; + ps_process_pattern($1, { crond_t cronjob_t }) + + init_startstop_service($1, $2, crond_t, crond_initrc_exec_t) + + files_search_var_lib($1) + admin_pattern($1, { cron_var_lib_t system_cronjob_var_lib_t }) + + files_search_tmp($1) + admin_pattern($1, { crond_tmp_t admin_crontab_tmp_t }) + admin_pattern($1, { crontab_tmp_t system_cronjob_tmp_t }) + + files_search_pids($1) + admin_pattern($1, { cron_var_run_t crond_var_run_t system_cronjob_var_run_t }) + + files_search_locks($1) + admin_pattern($1, system_cronjob_lock_t) + + logging_search_logs($1) + admin_pattern($1, { cron_log_t user_cron_spool_log_t }) + + files_search_spool($1) + admin_pattern($1, cron_spool_type) +')
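Review bot: the interface summary ("All of the rules required to administrate a cron environment") understates the final grant in the hunk: because `cron_spool_type` is declared as an attribute in the `gen_require` block, `admin_pattern($1, cron_spool_type)` gives the admin domain full manage rights over every spool type that carries the attribute, which is wider than the explicitly enumerated types used in the other `admin_pattern` calls; the summary should state that the interface covers all cron spool directories and their contents. On the same hunk, `allow $1 { crond_t cronjob_t }:process { ptrace signal_perms };` grants `ptrace` on `cronjob_t`, so the admin domain can attach to any running job, not just signal it; if the intent is only start/stop and process listing (which `init_startstop_service` and `ps_process_pattern` already provide), consider dropping `ptrace` from that rule or justifying it in the interface description.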