]> git.ipfire.org Git - people/stevee/selinux-policy.git/blame - policy/modules/services/cron.te
projects / people / stevee / selinux-policy.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Remove module for livecd.
[people/stevee/selinux-policy.git] / policy / modules / services / cron.te
CommitLineData
fe4355ca 1policy_module(cron, 2.2.1)
23caa6d1 2
25c67461
CP		 3gen_require(`
4 class passwd rootok;
5')
6
23caa6d1
CP		 7########################################
8#
9# Declarations
10#
56e1b3d2
CP		 11
12## <desc>
68ac47d8
DG		 13## <p>
14## Allow system cron jobs to relabel filesystem
15## for restoring file contexts.
16## </p>
56e1b3d2 17## </desc>
0bfccda4 18gen_tunable(cron_can_relabel, false)
56e1b3d2
CP		 19
20## <desc>
68ac47d8
DG		 21## <p>
22## Enable extra rules in the cron domain
23## to support fcron.
24## </p>
56e1b3d2 25## </desc>
0bfccda4 26gen_tunable(fcron_crond, false)
56e1b3d2 27
df00b2e2 28attribute cron_spool_type;
23caa6d1 29
3b3bf871 30type anacron_exec_t;
d46cfe45 31application_executable_file(anacron_exec_t)
3b3bf871 32
23caa6d1 33type cron_spool_t;
0059652b 34files_spool_file(cron_spool_t)
23caa6d1 35
e2b84ef7
CP		 36# var/lib files
37type cron_var_lib_t;
38files_type(cron_var_lib_t)
39
c61b3504 40type cron_var_run_t;
45deadcb 41files_pid_file(cron_var_run_t)
c61b3504 42
e2b84ef7
CP		 43# var/log files
44type cron_log_t;
45logging_log_file(cron_log_t)
46
296273a7
CP		 47type cronjob_t;
48typealias cronjob_t alias { user_crond_t staff_crond_t sysadm_crond_t };
49typealias cronjob_t alias { auditadm_crond_t secadm_crond_t };
50domain_type(cronjob_t)
51domain_cron_exemption_target(cronjob_t)
52corecmd_shell_entry_type(cronjob_t)
53ubac_constrained(cronjob_t)
54
3774e4eb 55type crond_t;
e070dd2d 56type crond_exec_t;
0bfccda4 57init_daemon_domain(crond_t, crond_exec_t)
15722ec9 58domain_interactive_fd(crond_t)
2e863f8a 59domain_cron_exemption_source(crond_t)
23caa6d1 60
c61b3504
CP		 61type crond_initrc_exec_t;
62init_script_file(crond_initrc_exec_t)
63
13b6b29b
DW		 64type crond_unit_file_t;
65systemd_unit_file(crond_unit_file_t)
66
23caa6d1 67type crond_tmp_t;
c9428d33 68files_tmp_file(crond_tmp_t)
3eaa9939
DW		 69files_poly_parent(crond_tmp_t)
70mta_system_content(crond_tmp_t)
23caa6d1
CP		 71
72type crond_var_run_t;
c9428d33 73files_pid_file(crond_var_run_t)
3eaa9939 74mta_system_content(crond_var_run_t)
23caa6d1
CP		 75
76type crontab_exec_t;
d46cfe45 77application_executable_file(crontab_exec_t)
23caa6d1 78
296273a7
CP		 79cron_common_crontab_template(admin_crontab)
80typealias admin_crontab_t alias sysadm_crontab_t;
81typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t;
82
83cron_common_crontab_template(crontab)
84typealias crontab_t alias { user_crontab_t staff_crontab_t };
85typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
86typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
87typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
3eaa9939 88allow admin_crontab_t crond_t:process signal;
296273a7 89
aae06c13 90type system_cron_spool_t, cron_spool_type;
0059652b 91files_spool_file(system_cron_spool_t)
aae06c13 92
296273a7
CP		 93type system_cronjob_t alias system_crond_t;
94init_daemon_domain(system_cronjob_t, anacron_exec_t)
95corecmd_shell_entry_type(system_cronjob_t)
96role system_r types system_cronjob_t;
3eaa9939 97domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
23caa6d1 98
296273a7
CP		 99type system_cronjob_lock_t alias system_crond_lock_t;
100files_lock_file(system_cronjob_lock_t)
075c4fda 101
296273a7
CP		 102type system_cronjob_tmp_t alias system_crond_tmp_t;
103files_tmp_file(system_cronjob_tmp_t)
23caa6d1 104
296273a7
CP		 105type unconfined_cronjob_t;
106domain_type(unconfined_cronjob_t)
2a77737d 107domain_cron_exemption_target(unconfined_cronjob_t)
296273a7
CP		 108
109# Type of user crontabs once moved to cron spool.
110type user_cron_spool_t, cron_spool_type;
c61b3504 111typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
296273a7 112typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
0059652b 113files_spool_file(user_cron_spool_t)
296273a7 114ubac_constrained(user_cron_spool_t)
3eaa9939
DW		 115mta_system_content(user_cron_spool_t)
116
117type system_cronjob_var_lib_t;
118files_type(system_cronjob_var_lib_t)
119typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
120
121type system_cronjob_var_run_t;
122files_pid_file(system_cronjob_var_run_t)
296273a7 123
ef521e99
DG		 124ifdef(`enable_mcs',`
125 init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
126')
127
296273a7
CP		 128########################################
129#
130# Admin crontab local policy
131#
132
133# Allow our crontab domain to unlink a user cron spool file.
1dfc76f7 134allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms };
296273a7
CP		 135
136# Manipulate other users crontab.
137selinux_get_fs_mount(admin_crontab_t)
138selinux_validate_context(admin_crontab_t)
139selinux_compute_access_vector(admin_crontab_t)
140selinux_compute_create_context(admin_crontab_t)
141selinux_compute_relabel_context(admin_crontab_t)
142selinux_compute_user_contexts(admin_crontab_t)
143
68ac47d8 144tunable_policy(`fcron_crond',`
296273a7
CP		 145 # fcron wants an instant update of a crontab change for the administrator
146 # also crontab does a security check for crontab -u
147 allow admin_crontab_t self:process setfscreate;
148')
149
23caa6d1
CP		 150########################################
151#
296273a7 152# Cron daemon local policy
23caa6d1
CP		 153#
154
04384c5b 155allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search };
23caa6d1 156dontaudit crond_t self:capability { sys_resource sys_tty_config };
3eaa9939 157allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
681c9a02 158allow crond_t self:process { setexec setfscreate };
23caa6d1 159allow crond_t self:fd use;
c0868a7a 160allow crond_t self:fifo_file rw_fifo_file_perms;
0a10b1fa
CP		 161allow crond_t self:unix_dgram_socket create_socket_perms;
162allow crond_t self:unix_stream_socket create_stream_socket_perms;
23caa6d1
CP		 163allow crond_t self:unix_dgram_socket sendto;
164allow crond_t self:unix_stream_socket connectto;
0a10b1fa
CP		 165allow crond_t self:shm create_shm_perms;
166allow crond_t self:sem create_sem_perms;
167allow crond_t self:msgq create_msgq_perms;
23caa6d1 168allow crond_t self:msg { send receive };
d6d16b97 169allow crond_t self:key { search write link };
23caa6d1 170
c61b3504
CP		 171manage_files_pattern(crond_t, cron_log_t, cron_log_t)
172logging_log_filetrans(crond_t, cron_log_t, file)
173
174manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
3f67f722 175files_pid_filetrans(crond_t, crond_var_run_t, file)
23caa6d1 176
c61b3504 177manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
c0868a7a 178
0bfccda4
CP		 179manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
180manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
181files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
350b6ab7 182
c61b3504
CP		 183list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
184read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
075c4fda 185
445522dc 186kernel_read_kernel_sysctls(crond_t)
c61b3504 187kernel_read_fs_sysctls(crond_t)
d9845ae9
CP		 188kernel_search_key(crond_t)
189
8bd67899 190dev_read_sysfs(crond_t)
5e0da6a0
CP		 191selinux_get_fs_mount(crond_t)
192selinux_validate_context(crond_t)
193selinux_compute_access_vector(crond_t)
194selinux_compute_create_context(crond_t)
195selinux_compute_relabel_context(crond_t)
196selinux_compute_user_contexts(crond_t)
23caa6d1 197
f0c985ca 198dev_read_urand(crond_t)
23caa6d1 199
0fd9dc55 200fs_getattr_all_fs(crond_t)
ab940a4c 201fs_search_auto_mountpoints(crond_t)
c61b3504 202fs_list_inotifyfs(crond_t)
23caa6d1 203
efd8ede3 204# need auth_chkpwd to check for locked accounts.
c9428d33 205auth_domtrans_chk_passwd(crond_t)
fb5c4713 206auth_manage_var_auth(crond_t)
efd8ede3 207
c9428d33 208corecmd_exec_shell(crond_t)
8021cb4f 209corecmd_list_bin(crond_t)
4e889ea1 210corecmd_exec_bin(crond_t)
8021cb4f 211corecmd_read_bin_symlinks(crond_t)
23caa6d1 212
15722ec9 213domain_use_interactive_fds(crond_t)
3eaa9939
DW		 214domain_subj_id_change_exemption(crond_t)
215domain_role_change_exemption(crond_t)
23caa6d1 216
c61b3504
CP		 217files_read_usr_files(crond_t)
218files_read_etc_runtime_files(crond_t)
8fd36732 219files_read_etc_files(crond_t)
9e04f5c5 220files_read_generic_spool(crond_t)
681c9a02 221files_list_usr(crond_t)
3774e4eb
CP		 222# Read from /var/spool/cron.
223files_search_var_lib(crond_t)
224files_search_default(crond_t)
23caa6d1 225
5a11df38
MG		 226fs_manage_cgroup_dirs(crond_t)
227fs_manage_cgroup_files(crond_t)
228
558fe7df
MG		 229# needed by "crontab -e"
230mls_file_read_all_levels(crond_t)
231mls_file_write_all_levels(crond_t)
232
233# needed because of kernel check of transition
234mls_process_set_level(crond_t)
235
236# to make cronjob working
237mls_fd_share_all_levels(crond_t)
238mls_trusted_object(crond_t)
239
d87a4847 240init_read_state(crond_t)
68228b33 241init_rw_utmp(crond_t)
c61b3504 242init_spec_domtrans_script(crond_t)
075c4fda 243
5a11df38 244auth_manage_var_auth(crond_t)
c0cf6e0a
CP		 245auth_use_nsswitch(crond_t)
246
3eaa9939 247logging_send_audit_msgs(crond_t)
c9428d33 248logging_send_syslog_msg(crond_t)
3eaa9939 249logging_set_loginuid(crond_t)
23caa6d1 250
5e0da6a0
CP		 251seutil_read_config(crond_t)
252seutil_read_default_contexts(crond_t)
8fd36732 253seutil_sigchld_newrole(crond_t)
23caa6d1
CP		 254
255miscfiles_read_localization(crond_t)
256
103fe280 257userdom_use_unpriv_users_fds(crond_t)
9778406f 258# Not sure why this is needed
296273a7 259userdom_list_user_home_dirs(crond_t)
dc3ce1ec 260userdom_list_admin_dir(crond_t)
3eaa9939 261userdom_create_all_users_keys(crond_t)
23caa6d1 262
a5e2133b 263mta_send_mail(crond_t)
3eaa9939 264mta_system_content(cron_spool_t)
a5e2133b 265
73ca55d3 266ifdef(`distro_debian',`
74d920c3
CP		 267 # pam_limits is used
268 allow crond_t self:process setrlimit;
269
73ca55d3
CP		 270 optional_policy(`
271 # Debian logcheck has the home dir set to its cache
272 logwatch_search_cache_dir(crond_t)
273 ')
274')
275
68ac47d8 276ifdef(`distro_redhat',`
b24f35d8
CP		 277 # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
278 # via redirection of standard out.
bb7170f6 279 optional_policy(`
b24f35d8
CP		 280 rpm_manage_log(crond_t)
281 ')
075c4fda
CP		 282')
283
3eaa9939
DW		 284tunable_policy(`allow_polyinstantiation',`
285 files_polyinstantiate_all(crond_t)
286')
287
c61b3504 288tunable_policy(`fcron_crond', `
ef521e99
DG		 289 allow crond_t system_cron_spool_t:file manage_file_perms;
290')
291
3eaa9939
DW		 292optional_policy(`
293 apache_search_sys_content(crond_t)
294')
295
296optional_policy(`
68ac47d8
DG		 297 djbdns_search_tinydns_keys(crond_t)
298 djbdns_link_tinydns_keys(crond_t)
c61b3504
CP		 299')
300
d6d16b97
CP		 301optional_policy(`
302 locallogin_search_keys(crond_t)
303 locallogin_link_keys(crond_t)
304')
305
3eaa9939
DW		 306optional_policy(`
307 # these should probably be unconfined_crond_t
308 dbus_system_bus_client(crond_t)
309 init_dbus_send_script(crond_t)
1961c353 310 init_dbus_chat(crond_t)
3eaa9939
DW		 311')
312
c61b3504
CP		 313optional_policy(`
314 amanda_search_var_lib(crond_t)
b24f35d8
CP		 315')
316
bb7170f6 317optional_policy(`
8a0a9944
CP		 318 amavis_search_lib(crond_t)
319')
320
bb7170f6 321optional_policy(`
c61b3504 322 hal_dbus_chat(crond_t)
3eaa9939
DW		 323 hal_write_log(crond_t)
324 hal_dbus_chat(system_cronjob_t)
9b06402e
CP		 325')
326
b6d37ebb
CP		 327optional_policy(`
328 # cjp: why?
329 munin_search_lib(crond_t)
330')
331
c61b3504
CP		 332optional_policy(`
333 rpc_search_nfs_state_data(crond_t)
334')
335
bb7170f6 336optional_policy(`
ebdc3b79 337 # Commonly used from postinst scripts
1815bad1 338 rpm_read_pipes(crond_t)
ebdc3b79
CP		 339')
340
bb7170f6 341optional_policy(`
a1fcff33 342 # allow crond to find /usr/lib/postgresql/bin/do.maintenance
1815bad1 343 postgresql_search_db(crond_t)
a1fcff33
CP		 344')
345
ac679c2f
DG		 346optional_policy(`
347 systemd_use_fds_logind(crond_t)
348 systemd_write_inherited_logind_sessions_pipes(crond_t)
349')
350
bb7170f6 351optional_policy(`
c9428d33 352 udev_read_db(crond_t)
23caa6d1
CP		 353')
354
0a394bf0
DW		 355optional_policy(`
356 vnstatd_search_lib(crond_t)
357')
358
23caa6d1
CP		 359########################################
360#
361# System cron process domain
362#
9bbc757a 363
c61b3504 364allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
3eaa9939 365
c61b3504 366allow system_cronjob_t self:process { signal_perms getsched setsched };
296273a7
CP		 367allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
368allow system_cronjob_t self:passwd rootok;
350b6ab7 369
e2b84ef7
CP		 370# This is to handle creation of files in /var/log directory.
371# Used currently by rpm script log files
296273a7
CP		 372allow system_cronjob_t cron_log_t:file manage_file_perms;
373logging_log_filetrans(system_cronjob_t, cron_log_t, file)
e2b84ef7
CP		 374
375# This is to handle /var/lib/misc directory. Used currently
376# by prelink var/lib files for cron
1dfc76f7 377allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
296273a7 378files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
e2b84ef7 379
3eaa9939
DW		 380allow system_cronjob_t cron_var_run_t:file manage_file_perms;
381files_pid_filetrans(system_cronjob_t, cron_var_run_t, file)
382
296273a7 383allow system_cronjob_t system_cron_spool_t:file read_file_perms;
3eaa9939 384
8effc8a7
DW		 385mls_file_read_to_clearance(system_cronjob_t)
386
3eaa9939
DW		 387# anacron forces the following
388manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
389
350b6ab7
CP		 390# The entrypoint interface is not used as this is not
391# a regular entrypoint. Since crontab files are
392# not directly executed, crond must ensure that
393# the crontab file has a type that is appropriate
394# for the domain of the user cron job. It
395# performs an entrypoint permission check
396# for this purpose.
296273a7 397allow system_cronjob_t system_cron_spool_t:file entrypoint;
350b6ab7
CP		 398
399# Permit a transition from the crond_t domain to this domain.
400# The transition is requested explicitly by the modified crond
401# via setexeccon. There is no way to set up an automatic
402# transition, since crontabs are configuration files, not executables.
296273a7
CP		 403allow crond_t system_cronjob_t:process transition;
404dontaudit crond_t system_cronjob_t:process { noatsecure siginh rlimitinh };
405allow crond_t system_cronjob_t:fd use;
406allow system_cronjob_t crond_t:fd use;
407allow system_cronjob_t crond_t:fifo_file rw_file_perms;
408allow system_cronjob_t crond_t:process sigchld;
3eaa9939 409allow crond_t system_cronjob_t:key manage_key_perms;
350b6ab7
CP		 410
411# Write /var/lock/makewhatis.lock.
296273a7 412allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
3f67f722 413files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file)
350b6ab7
CP		 414
415# write temporary files
296273a7
CP		 416manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
417manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
418filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
419files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
9bbc757a 420
3eaa9939
DW		 421# var/lib files for system_crond
422files_search_var_lib(system_cronjob_t)
423manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
424
350b6ab7 425# Read from /var/spool/cron.
296273a7 426allow system_cronjob_t cron_spool_t:dir list_dir_perms;
3eaa9939 427allow system_cronjob_t cron_spool_t:file rw_file_perms;
350b6ab7 428
296273a7
CP		 429kernel_read_kernel_sysctls(system_cronjob_t)
430kernel_read_system_state(system_cronjob_t)
431kernel_read_software_raid_state(system_cronjob_t)
350b6ab7
CP		 432
433# ps does not need to access /boot when run from cron
296273a7 434files_dontaudit_search_boot(system_cronjob_t)
350b6ab7 435
296273a7 436corecmd_exec_all_executables(system_cronjob_t)
350b6ab7 437
296273a7
CP		 438corenet_all_recvfrom_unlabeled(system_cronjob_t)
439corenet_all_recvfrom_netlabel(system_cronjob_t)
668b3093
CP		 440corenet_tcp_sendrecv_generic_if(system_cronjob_t)
441corenet_udp_sendrecv_generic_if(system_cronjob_t)
c1262146
CP		 442corenet_tcp_sendrecv_generic_node(system_cronjob_t)
443corenet_udp_sendrecv_generic_node(system_cronjob_t)
296273a7
CP		 444corenet_tcp_sendrecv_all_ports(system_cronjob_t)
445corenet_udp_sendrecv_all_ports(system_cronjob_t)
350b6ab7 446
296273a7
CP		 447dev_getattr_all_blk_files(system_cronjob_t)
448dev_getattr_all_chr_files(system_cronjob_t)
449dev_read_urand(system_cronjob_t)
3eaa9939 450dev_read_sysfs(system_cronjob_t)
350b6ab7 451
296273a7
CP		 452fs_getattr_all_fs(system_cronjob_t)
453fs_getattr_all_files(system_cronjob_t)
454fs_getattr_all_symlinks(system_cronjob_t)
455fs_getattr_all_pipes(system_cronjob_t)
456fs_getattr_all_sockets(system_cronjob_t)
350b6ab7
CP		 457
458# quiet other ps operations
296273a7
CP		 459domain_dontaudit_read_all_domains_state(system_cronjob_t)
460
461files_exec_etc_files(system_cronjob_t)
462files_read_etc_files(system_cronjob_t)
463files_read_etc_runtime_files(system_cronjob_t)
464files_list_all(system_cronjob_t)
465files_getattr_all_dirs(system_cronjob_t)
466files_getattr_all_files(system_cronjob_t)
467files_getattr_all_symlinks(system_cronjob_t)
468files_getattr_all_pipes(system_cronjob_t)
469files_getattr_all_sockets(system_cronjob_t)
470files_read_usr_files(system_cronjob_t)
471files_read_var_files(system_cronjob_t)
350b6ab7 472# for nscd:
296273a7 473files_dontaudit_search_pids(system_cronjob_t)
350b6ab7
CP		 474# Access other spool directories like
475# /var/spool/anacron and /var/spool/slrnpull.
296273a7 476files_manage_generic_spool(system_cronjob_t)
3eaa9939 477files_create_boot_flag(system_cronjob_t)
350b6ab7 478
296273a7
CP		 479init_use_script_fds(system_cronjob_t)
480init_read_utmp(system_cronjob_t)
481init_dontaudit_rw_utmp(system_cronjob_t)
350b6ab7 482# prelink tells init to restart it self, we either need to allow or dontaudit
c61b3504
CP		 483init_telinit(system_cronjob_t)
484init_domtrans_script(system_cronjob_t)
350b6ab7 485
296273a7 486auth_use_nsswitch(system_cronjob_t)
c0cf6e0a 487
296273a7
CP		 488libs_exec_lib_files(system_cronjob_t)
489libs_exec_ld_so(system_cronjob_t)
350b6ab7 490
296273a7 491logging_read_generic_logs(system_cronjob_t)
c61b3504 492logging_send_audit_msgs(system_cronjob_t)
296273a7 493logging_send_syslog_msg(system_cronjob_t)
350b6ab7 494
296273a7
CP		 495miscfiles_read_localization(system_cronjob_t)
496miscfiles_manage_man_pages(system_cronjob_t)
350b6ab7 497
296273a7 498seutil_read_config(system_cronjob_t)
3774e4eb 499
68ac47d8 500ifdef(`distro_redhat',`
350b6ab7 501 # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
3eaa9939
DW		 502 allow crond_t system_cron_spool_t:file manage_file_perms;
503
350b6ab7 504 # via redirection of standard out.
bb7170f6 505 optional_policy(`
296273a7 506 rpm_manage_log(system_cronjob_t)
9778406f 507 ')
350b6ab7 508')
9778406f 509
350b6ab7 510tunable_policy(`cron_can_relabel',`
296273a7 511 seutil_domtrans_setfiles(system_cronjob_t)
350b6ab7 512',`
296273a7
CP		 513 selinux_get_fs_mount(system_cronjob_t)
514 selinux_validate_context(system_cronjob_t)
515 selinux_compute_access_vector(system_cronjob_t)
516 selinux_compute_create_context(system_cronjob_t)
517 selinux_compute_relabel_context(system_cronjob_t)
518 selinux_compute_user_contexts(system_cronjob_t)
519 seutil_read_file_contexts(system_cronjob_t)
350b6ab7 520')
af23450c 521
350b6ab7
CP		 522optional_policy(`
523 # Needed for certwatch
296273a7
CP		 524 apache_exec_modules(system_cronjob_t)
525 apache_read_config(system_cronjob_t)
526 apache_read_log(system_cronjob_t)
527 apache_read_sys_content(system_cronjob_t)
3eaa9939
DW		 528 apache_delete_cache_dirs(system_cronjob_t)
529 apache_delete_cache_files(system_cronjob_t)
350b6ab7 530')
b24f35d8 531
350b6ab7 532optional_policy(`
296273a7 533 cyrus_manage_data(system_cronjob_t)
350b6ab7 534')
af23450c 535
3eaa9939
DW		 536optional_policy(`
537 dbus_system_bus_client(system_cronjob_t)
538')
539
540optional_policy(`
541 exim_read_spool_files(system_cronjob_t)
542')
543
350b6ab7 544optional_policy(`
296273a7 545 ftp_read_log(system_cronjob_t)
350b6ab7 546')
67962667 547
350b6ab7 548optional_policy(`
296273a7
CP		 549 inn_manage_log(system_cronjob_t)
550 inn_manage_pid(system_cronjob_t)
551 inn_read_config(system_cronjob_t)
350b6ab7 552')
3b914745 553
c61b3504
CP		 554optional_policy(`
555 lpd_list_spool(system_cronjob_t)
556')
557
350b6ab7 558optional_policy(`
296273a7 559 mrtg_append_create_logs(system_cronjob_t)
350b6ab7 560')
23caa6d1 561
350b6ab7 562optional_policy(`
be02baeb 563 mta_read_config(system_cronjob_t)
296273a7 564 mta_send_mail(system_cronjob_t)
3eaa9939 565 mta_system_content(system_cron_spool_t)
350b6ab7 566')
246a6042 567
350b6ab7 568optional_policy(`
296273a7 569 mysql_read_config(system_cronjob_t)
350b6ab7 570')
cf6a7d89 571
b63ea22f
MG		 572optional_policy(`
573 networkmanager_dbus_chat(system_cronjob_t)
574')
575
350b6ab7 576optional_policy(`
296273a7 577 postfix_read_config(system_cronjob_t)
350b6ab7 578')
23caa6d1 579
350b6ab7 580optional_policy(`
296273a7 581 prelink_delete_cache(system_cronjob_t)
c61b3504
CP		 582 prelink_manage_lib(system_cronjob_t)
583 prelink_manage_log(system_cronjob_t)
584 prelink_read_cache(system_cronjob_t)
3eaa9939 585 prelink_relabel_lib(system_cronjob_t)
350b6ab7 586')
6a57b68d 587
350b6ab7 588optional_policy(`
296273a7
CP		 589 samba_read_config(system_cronjob_t)
590 samba_read_log(system_cronjob_t)
591 #samba_read_secrets(system_cronjob_t)
350b6ab7
CP		 592')
593
594optional_policy(`
296273a7 595 slocate_create_append_log(system_cronjob_t)
350b6ab7 596')
0f73fdea 597
350b6ab7 598optional_policy(`
c61b3504 599 spamassassin_manage_lib_files(system_cronjob_t)
3eaa9939 600 spamassassin_manage_home_client(system_cronjob_t)
350b6ab7 601')
84c92239 602
350b6ab7 603optional_policy(`
296273a7 604 sysstat_manage_log(system_cronjob_t)
350b6ab7 605')
23caa6d1 606
350b6ab7 607optional_policy(`
3eaa9939 608 unconfined_domain(crond_t)
296273a7 609 unconfined_domain(system_cronjob_t)
9461b606
DW		 610')
611
612optional_policy(`
613 unconfined_shell_domtrans(crond_t)
614 unconfined_dbus_send(crond_t)
296273a7 615 userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
350b6ab7
CP		 616')
617
296273a7
CP		 618########################################
619#
620# User cronjobs local policy
621#
622
296273a7
CP		 623allow cronjob_t self:process { signal_perms setsched };
624allow cronjob_t self:fifo_file rw_fifo_file_perms;
625allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
626allow cronjob_t self:unix_dgram_socket create_socket_perms;
627
628# The entrypoint interface is not used as this is not
629# a regular entrypoint. Since crontab files are
630# not directly executed, crond must ensure that
631# the crontab file has a type that is appropriate
632# for the domain of the user cron job. It
633# performs an entrypoint permission check
634# for this purpose.
635allow cronjob_t user_cron_spool_t:file entrypoint;
636
637# Permit a transition from the crond_t domain to this domain.
638# The transition is requested explicitly by the modified crond
639# via setexeccon. There is no way to set up an automatic
640# transition, since crontabs are configuration files, not executables.
641allow crond_t cronjob_t:process transition;
642dontaudit crond_t cronjob_t:process { noatsecure siginh rlimitinh };
643allow crond_t cronjob_t:fd use;
644allow cronjob_t crond_t:fd use;
645allow cronjob_t crond_t:fifo_file rw_file_perms;
646allow cronjob_t crond_t:process sigchld;
647
648kernel_read_system_state(cronjob_t)
649kernel_read_kernel_sysctls(cronjob_t)
650
651# ps does not need to access /boot when run from cron
652files_dontaudit_search_boot(cronjob_t)
653
654corenet_all_recvfrom_unlabeled(cronjob_t)
655corenet_all_recvfrom_netlabel(cronjob_t)
668b3093
CP		 656corenet_tcp_sendrecv_generic_if(cronjob_t)
657corenet_udp_sendrecv_generic_if(cronjob_t)
c1262146
CP		 658corenet_tcp_sendrecv_generic_node(cronjob_t)
659corenet_udp_sendrecv_generic_node(cronjob_t)
296273a7
CP		 660corenet_tcp_sendrecv_all_ports(cronjob_t)
661corenet_udp_sendrecv_all_ports(cronjob_t)
662corenet_tcp_connect_all_ports(cronjob_t)
663corenet_sendrecv_all_client_packets(cronjob_t)
664
665dev_read_urand(cronjob_t)
666
667fs_getattr_all_fs(cronjob_t)
668
669corecmd_exec_all_executables(cronjob_t)
670
671# quiet other ps operations
672domain_dontaudit_read_all_domains_state(cronjob_t)
673domain_dontaudit_getattr_all_domains(cronjob_t)
674
675files_read_usr_files(cronjob_t)
676files_exec_etc_files(cronjob_t)
677# for nscd:
678files_dontaudit_search_pids(cronjob_t)
679
680libs_exec_lib_files(cronjob_t)
681libs_exec_ld_so(cronjob_t)
682
683files_read_etc_runtime_files(cronjob_t)
684files_read_var_files(cronjob_t)
685files_search_spool(cronjob_t)
686
687logging_search_logs(cronjob_t)
688
689seutil_read_config(cronjob_t)
690
691miscfiles_read_localization(cronjob_t)
692
693userdom_manage_user_tmp_files(cronjob_t)
694userdom_manage_user_tmp_symlinks(cronjob_t)
695userdom_manage_user_tmp_pipes(cronjob_t)
696userdom_manage_user_tmp_sockets(cronjob_t)
697# Run scripts in user home directory and access shared libs.
698userdom_exec_user_home_content_files(cronjob_t)
699# Access user files and dirs.
700userdom_manage_user_home_content_files(cronjob_t)
701userdom_manage_user_home_content_symlinks(cronjob_t)
702userdom_manage_user_home_content_pipes(cronjob_t)
703userdom_manage_user_home_content_sockets(cronjob_t)
704#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
705
c61b3504 706list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
3eaa9939 707rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
c61b3504 708read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
3eaa9939 709read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
ee4b1e0a 710allow crond_t user_cron_spool_t:file manage_lnk_file_perms;
c61b3504 711
68ac47d8 712tunable_policy(`fcron_crond',`
296273a7
CP		 713 allow crond_t user_cron_spool_t:file manage_file_perms;
714')
715
716# need a per-role version of this:
717#optional_policy(`
718# mono_domtrans(cronjob_t)
719#')
720
721optional_policy(`
722 nis_use_ypbind(cronjob_t)
723')
724
725########################################
726#
727# Unconfined cronjobs local policy
728#
729
730optional_policy(`
2a77737d
CP		 731 # Permit a transition from the crond_t domain to this domain.
732 # The transition is requested explicitly by the modified crond
733 # via setexeccon. There is no way to set up an automatic
734 # transition, since crontabs are configuration files, not executables.
735 allow crond_t unconfined_cronjob_t:process transition;
736 dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
737 allow crond_t unconfined_cronjob_t:fd use;
738
296273a7
CP		 739 unconfined_domain(unconfined_cronjob_t)
740')
The IPFire selinux policy.