Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/policy/modules/services/cron.if
diff options
context:
space:
mode:
Diffstat (limited to 'policy/modules/services/cron.if')
-rw-r--r--policy/modules/services/cron.if965
1 files changed, 965 insertions, 0 deletions
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
new file mode 100644
index 00000000..7bb6065b
--- /dev/null
+++ b/policy/modules/services/cron.if
@@ -0,0 +1,965 @@
+## <summary>Periodic execution of scheduled commands.</summary>
+
+#######################################
+## <summary>
+## The template to define a crontab domain.
+## </summary>
+## <param name="domain_prefix">
+## <summary>
+## Domain prefix to be used.
+## </summary>
+## </param>
+#
+template(`cron_common_crontab_template',`
+ gen_require(`
+ attribute crontab_domain;
+ type crontab_exec_t;
+ ')
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ type $1_t, crontab_domain;
+ userdom_user_application_domain($1_t, crontab_exec_t)
+
+ type $1_tmp_t;
+ userdom_user_tmp_file($1_tmp_t)
+
+ ##############################
+ #
+ # Local policy
+ #
+
+ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
+
+ auth_domtrans_chk_passwd($1_t)
+ auth_use_nsswitch($1_t)
+')
+
+########################################
+## <summary>
+## Role access for cron.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cron_role',`
+ gen_require(`
+ type cronjob_t, crontab_t, crontab_exec_t;
+ type user_cron_spool_t, crond_t;
+ bool cron_userdomain_transition;
+ ')
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ role $1 types { cronjob_t crontab_t };
+
+ ##############################
+ #
+ # Local policy
+ #
+
+ domtrans_pattern($2, crontab_exec_t, crontab_t)
+
+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
+ allow $2 crond_t:process sigchld;
+
+ allow $2 user_cron_spool_t:file { getattr read write ioctl };
+
+ allow $2 crontab_t:process { ptrace signal_perms };
+ ps_process_pattern($2, crontab_t)
+
+ corecmd_exec_bin(crontab_t)
+ corecmd_exec_shell(crontab_t)
+
+ tunable_policy(`cron_userdomain_transition',`
+ allow crond_t $2:process transition;
+ allow crond_t $2:fd use;
+ allow crond_t $2:key manage_key_perms;
+
+ allow $2 user_cron_spool_t:file entrypoint;
+
+ allow $2 crond_t:fifo_file rw_fifo_file_perms;
+
+ allow $2 cronjob_t:process { ptrace signal_perms };
+ ps_process_pattern($2, cronjob_t)
+ ',`
+ dontaudit crond_t $2:process transition;
+ dontaudit crond_t $2:fd use;
+ dontaudit crond_t $2:key manage_key_perms;
+
+ dontaudit $2 user_cron_spool_t:file entrypoint;
+
+ dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+
+ dontaudit $2 cronjob_t:process { ptrace signal_perms };
+ ')
+
+ optional_policy(`
+ gen_require(`
+ class dbus send_msg;
+ ')
+
+ dbus_stub(cronjob_t)
+
+ allow cronjob_t $2:dbus send_msg;
+ ')
+')
+
+########################################
+## <summary>
+## Role access for unconfined cron.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`cron_unconfined_role',`
+ gen_require(`
+ type unconfined_cronjob_t, crontab_t, crontab_exec_t;
+ type crond_t, user_cron_spool_t;
+ bool cron_userdomain_transition;
+ ')
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ role $1 types { unconfined_cronjob_t crontab_t };
+
+ ##############################
+ #
+ # Local policy
+ #
+
+ domtrans_pattern($2, crontab_exec_t, crontab_t)
+
+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
+ allow $2 crond_t:process sigchld;
+
+ allow $2 user_cron_spool_t:file { getattr read write ioctl };
+
+ allow $2 crontab_t:process { ptrace signal_perms };
+ ps_process_pattern($2, crontab_t)
+
+ corecmd_exec_bin(crontab_t)
+ corecmd_exec_shell(crontab_t)
+
+ tunable_policy(`cron_userdomain_transition',`
+ allow crond_t $2:process transition;
+ allow crond_t $2:fd use;
+ allow crond_t $2:key manage_key_perms;
+
+ allow $2 user_cron_spool_t:file entrypoint;
+
+ allow $2 crond_t:fifo_file rw_fifo_file_perms;
+
+ allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
+ ps_process_pattern($2, unconfined_cronjob_t)
+ ',`
+ dontaudit crond_t $2:process transition;
+ dontaudit crond_t $2:fd use;
+ dontaudit crond_t $2:key manage_key_perms;
+
+ dontaudit $2 user_cron_spool_t:file entrypoint;
+
+ dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+
+ dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms };
+')
+
+ optional_policy(`
+ gen_require(`
+ class dbus send_msg;
+ ')
+
+ dbus_stub(unconfined_cronjob_t)
+
+ allow unconfined_cronjob_t $2:dbus send_msg;
+ ')
+')
+
+########################################
+## <summary>
+## Role access for admin cron.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`cron_admin_role',`
+ gen_require(`
+ type cronjob_t, crontab_exec_t, admin_crontab_t;
+ class passwd crontab;
+ type crond_t, crond_var_run_t, user_cron_spool_t;
+ bool cron_userdomain_transition, fcron_crond;
+ ')
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ role $1 types { cronjob_t admin_crontab_t };
+
+ ##############################
+ #
+ # Local policy
+ #
+
+ domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
+
+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
+ allow $2 crond_t:process sigchld;
+
+ allow $2 user_cron_spool_t:file { getattr read write ioctl };
+
+ allow $2 admin_crontab_t:process { ptrace signal_perms };
+ ps_process_pattern($2, admin_crontab_t)
+
+ # Manipulate other users crontab.
+ allow $2 self:passwd crontab;
+
+ corecmd_exec_bin(admin_crontab_t)
+ corecmd_exec_shell(admin_crontab_t)
+
+ tunable_policy(`cron_userdomain_transition',`
+ allow crond_t $2:process transition;
+ allow crond_t $2:fd use;
+ allow crond_t $2:key manage_key_perms;
+
+ allow $2 user_cron_spool_t:file entrypoint;
+
+ allow $2 crond_t:fifo_file rw_fifo_file_perms;
+
+ allow $2 cronjob_t:process { ptrace signal_perms };
+ ps_process_pattern($2, cronjob_t)
+ ',`
+ dontaudit crond_t $2:process transition;
+ dontaudit crond_t $2:fd use;
+ dontaudit crond_t $2:key manage_key_perms;
+
+ dontaudit $2 user_cron_spool_t:file entrypoint;
+
+ dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+
+ dontaudit $2 cronjob_t:process { ptrace signal_perms };
+ ')
+
+ tunable_policy(`fcron_crond',`
+ # Support for fcrondyn
+ stream_connect_pattern($2, crond_var_run_t, crond_var_run_t, crond_t)
+ ')
+
+ optional_policy(`
+ gen_require(`
+ class dbus send_msg;
+ ')
+
+ dbus_stub(admin_cronjob_t)
+
+ allow cronjob_t $2:dbus send_msg;
+ ')
+')
+
+########################################
+## <summary>
+## Make the specified program domain
+## accessable from the system cron jobs.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process to transition to.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type of the file used as an entrypoint to this domain.
+## </summary>
+## </param>
+#
+interface(`cron_system_entry',`
+ gen_require(`
+ type crond_t, system_cronjob_t;
+ ')
+
+ domtrans_pattern(system_cronjob_t, $2, $1)
+ domtrans_pattern(crond_t, $2, $1)
+
+ role system_r types $1;
+')
+
+########################################
+## <summary>
+## Execute cron in the cron system domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cron_domtrans',`
+ gen_require(`
+ type system_cronjob_t, crond_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, crond_exec_t, system_cronjob_t)
+')
+
+########################################
+## <summary>
+## Execute crond in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_exec',`
+ gen_require(`
+ type crond_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, crond_exec_t)
+')
+
+########################################
+## <summary>
+## Execute crond server in the crond domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cron_initrc_domtrans',`
+ gen_require(`
+ type crond_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, crond_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Use crond file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_use_fds',`
+ gen_require(`
+ type crond_t;
+ ')
+
+ allow $1 crond_t:fd use;
+')
+
+########################################
+## <summary>
+## Send child terminated signals to crond.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_sigchld',`
+ gen_require(`
+ type crond_t;
+ ')
+
+ allow $1 crond_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Set the attributes of cron log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_setattr_log_files',`
+ gen_require(`
+ type cron_log_t;
+ ')
+
+ allow $1 cron_log_t:file setattr_file_perms;
+')
+
+########################################
+## <summary>
+## Create cron log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_create_log_files',`
+ gen_require(`
+ type cron_log_t;
+ ')
+
+ create_files_pattern($1, cron_log_t, cron_log_t)
+')
+
+########################################
+## <summary>
+## Write to cron log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_write_log_files',`
+ gen_require(`
+ type cron_log_t;
+ ')
+
+ allow $1 cron_log_t:file write_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write and delete
+## cron log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_manage_log_files',`
+ gen_require(`
+ type cron_log_t;
+ ')
+
+ manage_files_pattern($1, cron_log_t, cron_log_t)
+
+ logging_search_logs($1)
+')
+
+########################################
+## <summary>
+## Create specified objects in generic
+## log directories with the cron log file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`cron_generic_log_filetrans_log',`
+ gen_require(`
+ type cron_log_t;
+ ')
+
+ logging_log_filetrans($1, cron_log_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Read cron daemon unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_read_pipes',`
+ gen_require(`
+ type crond_t;
+ ')
+
+ allow $1 crond_t:fifo_file read_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write
+## cron daemon unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`cron_dontaudit_write_pipes',`
+ gen_require(`
+ type crond_t;
+ ')
+
+ dontaudit $1 crond_t:fifo_file write;
+')
+
+########################################
+## <summary>
+## Read and write crond unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_rw_pipes',`
+ gen_require(`
+ type crond_t;
+ ')
+
+ allow $1 crond_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write crond TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_rw_tcp_sockets',`
+ gen_require(`
+ type crond_t;
+ ')
+
+ allow $1 crond_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and
+## write cron daemon TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`cron_dontaudit_rw_tcp_sockets',`
+ gen_require(`
+ type crond_t;
+ ')
+
+ dontaudit $1 crond_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+## Search cron spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_search_spool',`
+ gen_require(`
+ type cron_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 cron_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## crond pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_manage_pid_files',`
+ gen_require(`
+ type crond_var_run_t;
+ ')
+
+ manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute anacron in the cron
+## system domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cron_anacron_domtrans_system_job',`
+ gen_require(`
+ type system_cronjob_t, anacron_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, anacron_exec_t, system_cronjob_t)
+')
+
+########################################
+## <summary>
+## Use system cron job file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_use_system_job_fds',`
+ gen_require(`
+ type system_cronjob_t;
+ ')
+
+ allow $1 system_cronjob_t:fd use;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the system spool.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_manage_system_spool',`
+ gen_require(`
+ type system_cron_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_files_pattern($1, system_cron_spool_t, system_cron_spool_t)
+')
+
+########################################
+## <summary>
+## Read and write crond temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_rw_tmp_files',`
+ gen_require(`
+ type crond_tmp_t;
+ ')
+
+ allow $1 crond_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Read system cron job lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_read_system_job_lib_files',`
+ gen_require(`
+ type system_cronjob_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## system cron job lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_manage_system_job_lib_files',`
+ gen_require(`
+ type system_cronjob_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+')
+
+########################################
+## <summary>
+## Write system cron job unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_write_system_job_pipes',`
+ gen_require(`
+ type system_cronjob_t;
+ ')
+
+ allow $1 system_cronjob_t:file write;
+')
+
+########################################
+## <summary>
+## Read and write system cron job
+## unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_rw_system_job_pipes',`
+ gen_require(`
+ type system_cronjob_t;
+ ')
+
+ allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write inherited system cron
+## job unix domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_rw_system_job_stream_sockets',`
+ gen_require(`
+ type system_cronjob_t;
+ ')
+
+ allow $1 system_cronjob_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## Read system cron job temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_read_system_job_tmp_files',`
+ gen_require(`
+ type system_cronjob_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 system_cronjob_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to append temporary
+## system cron job files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`cron_dontaudit_append_system_job_tmp_files',`
+ gen_require(`
+ type system_cronjob_tmp_t;
+ ')
+
+ dontaudit $1 system_cronjob_tmp_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write to inherited system cron job temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_rw_inherited_system_job_tmp_files',`
+ gen_require(`
+ type system_cronjob_tmp_t;
+ ')
+
+ allow $1 system_cronjob_tmp_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write temporary
+## system cron job files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`cron_dontaudit_write_system_job_tmp_files',`
+ gen_require(`
+ type system_cronjob_tmp_t;
+ ')
+
+ dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
+')
+
+########################################
+## <summary>
+## Execute crontab in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cron_exec_crontab',`
+ gen_require(`
+ type crontab_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, crontab_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate a cron environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cron_admin',`
+ gen_require(`
+ type crond_t, cronjob_t, crond_initrc_exec_t;
+ type cron_var_lib_t, system_cronjob_var_lib_t;
+ type crond_tmp_t, admin_crontab_tmp_t;
+ type crontab_tmp_t, system_cronjob_tmp_t;
+ type cron_var_run_t, system_cronjob_var_run_t, crond_var_run_t;
+ type cron_log_t, system_cronjob_lock_t, user_cron_spool_log_t;
+ attribute cron_spool_type;
+ ')
+
+ allow $1 { crond_t cronjob_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { crond_t cronjob_t })
+
+ init_startstop_service($1, $2, crond_t, crond_initrc_exec_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, { cron_var_lib_t system_cronjob_var_lib_t })
+
+ files_search_tmp($1)
+ admin_pattern($1, { crond_tmp_t admin_crontab_tmp_t })
+ admin_pattern($1, { crontab_tmp_t system_cronjob_tmp_t })
+
+ files_search_pids($1)
+ admin_pattern($1, { cron_var_run_t crond_var_run_t system_cronjob_var_run_t })
+
+ files_search_locks($1)
+ admin_pattern($1, system_cronjob_lock_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, { cron_log_t user_cron_spool_log_t })
+
+ files_search_spool($1)
+ admin_pattern($1, cron_spool_type)
+')