fe4355ca | 1 | policy_module(cron, 2.2.1) |
23caa6d1 | 2 | |
25c67461 CP |
# The passwd class and its rootok permission are referenced by a system_cronjob_t self rule further down.
3 | gen_require(` |
4 | class passwd rootok; | |
5 | ') | |
6 | ||
23caa6d1 CP |
7 | ######################################## |
8 | # | |
9 | # Declarations | |
10 | # | |
56e1b3d2 CP |
11 | |
12 | ## <desc> | |
68ac47d8 DG |
13 | ## <p> |
14 | ## Allow system cron jobs to relabel filesystem | |
15 | ## for restoring file contexts. | |
16 | ## </p> | |
56e1b3d2 | 17 | ## </desc> |
# Consumed by the cron_can_relabel tunable_policy block in the system cron section.
0bfccda4 | 18 | gen_tunable(cron_can_relabel, false) |
56e1b3d2 CP |
19 | |
20 | ## <desc> | |
68ac47d8 DG |
21 | ## <p> |
22 | ## Enable extra rules in the cron domain | |
23 | ## to support fcron. | |
24 | ## </p> | |
56e1b3d2 | 25 | ## </desc> |
# Consumed by the fcron_crond tunable_policy blocks (admin crontab, daemon and user cronjob sections).
0bfccda4 | 26 | gen_tunable(fcron_crond, false) |
56e1b3d2 | 27 | |
# Attribute shared by system_cron_spool_t and user_cron_spool_t (both declared below).
df00b2e2 | 28 | attribute cron_spool_type; |
23caa6d1 | 29 | |
3b3bf871 | 30 | type anacron_exec_t; |
d46cfe45 | 31 | application_executable_file(anacron_exec_t) |
3b3bf871 | 32 | |
23caa6d1 | 33 | type cron_spool_t; |
0059652b | 34 | files_spool_file(cron_spool_t) |
23caa6d1 | 35 | |
e2b84ef7 CP |
36 | # var/lib files |
37 | type cron_var_lib_t; | |
38 | files_type(cron_var_lib_t) | |
39 | ||
c61b3504 | 40 | type cron_var_run_t; |
45deadcb | 41 | files_pid_file(cron_var_run_t) |
c61b3504 | 42 | |
e2b84ef7 CP |
43 | # var/log files |
44 | type cron_log_t; | |
45 | logging_log_file(cron_log_t) | |
46 | ||
296273a7 CP |
# Single domain for all (confined) user cron jobs; the former per-role *_crond_t types are aliases of it.
47 | type cronjob_t; |
48 | typealias cronjob_t alias { user_crond_t staff_crond_t sysadm_crond_t }; | |
49 | typealias cronjob_t alias { auditadm_crond_t secadm_crond_t }; | |
50 | domain_type(cronjob_t) | |
51 | domain_cron_exemption_target(cronjob_t) | |
52 | corecmd_shell_entry_type(cronjob_t) | |
53 | ubac_constrained(cronjob_t) | |
54 | ||
# The cron daemon itself, started by init from crond_exec_t.
3774e4eb | 55 | type crond_t; |
e070dd2d | 56 | type crond_exec_t; |
0bfccda4 | 57 | init_daemon_domain(crond_t, crond_exec_t) |
15722ec9 | 58 | domain_interactive_fd(crond_t) |
2e863f8a | 59 | domain_cron_exemption_source(crond_t) |
23caa6d1 | 60 | |
c61b3504 CP |
61 | type crond_initrc_exec_t; |
62 | init_script_file(crond_initrc_exec_t) | |
63 | ||
13b6b29b DW |
64 | type crond_unit_file_t; |
65 | systemd_unit_file(crond_unit_file_t) | |
66 | ||
23caa6d1 | 67 | type crond_tmp_t; |
c9428d33 | 68 | files_tmp_file(crond_tmp_t) |
3eaa9939 DW |
69 | files_poly_parent(crond_tmp_t) |
70 | mta_system_content(crond_tmp_t) | |
23caa6d1 CP |
71 | |
72 | type crond_var_run_t; | |
c9428d33 | 73 | files_pid_file(crond_var_run_t) |
3eaa9939 | 74 | mta_system_content(crond_var_run_t) |
23caa6d1 CP |
75 | |
76 | type crontab_exec_t; | |
d46cfe45 | 77 | application_executable_file(crontab_exec_t) |
23caa6d1 | 78 | |
296273a7 CP |
# The admin and regular crontab client domains come from cron_common_crontab_template;
# the older per-role crontab and crontab_tmp types are kept as aliases.
79 | cron_common_crontab_template(admin_crontab) |
80 | typealias admin_crontab_t alias sysadm_crontab_t; | |
81 | typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t; | |
82 | ||
83 | cron_common_crontab_template(crontab) | |
84 | typealias crontab_t alias { user_crontab_t staff_crontab_t }; | |
85 | typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t }; | |
86 | typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t }; | |
87 | typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t }; | |
# Only the admin crontab client may signal the daemon.
3eaa9939 | 88 | allow admin_crontab_t crond_t:process signal; |
296273a7 | 89 | |
aae06c13 | 90 | type system_cron_spool_t, cron_spool_type; |
0059652b | 91 | files_spool_file(system_cron_spool_t) |
aae06c13 | 92 | |
296273a7 CP |
# Domain for system cron jobs: startable by init and entered from crond_t by executing anacron_exec_t.
93 | type system_cronjob_t alias system_crond_t; |
94 | init_daemon_domain(system_cronjob_t, anacron_exec_t) | |
95 | corecmd_shell_entry_type(system_cronjob_t) | |
96 | role system_r types system_cronjob_t; | |
3eaa9939 | 97 | domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t) |
23caa6d1 | 98 | |
296273a7 CP |
99 | type system_cronjob_lock_t alias system_crond_lock_t; |
100 | files_lock_file(system_cronjob_lock_t) | |
075c4fda | 101 | |
296273a7 CP |
102 | type system_cronjob_tmp_t alias system_crond_tmp_t; |
103 | files_tmp_file(system_cronjob_tmp_t) | |
23caa6d1 | 104 | |
296273a7 CP |
# Unconfined cron job domain; within this file it only receives rules in the optional block at the very end.
105 | type unconfined_cronjob_t; |
106 | domain_type(unconfined_cronjob_t) | |
2a77737d | 107 | domain_cron_exemption_target(unconfined_cronjob_t) |
296273a7 CP |
108 | |
109 | # Type of user crontabs once moved to cron spool. | |
110 | type user_cron_spool_t, cron_spool_type; | |
c61b3504 | 111 | typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t }; |
296273a7 | 112 | typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t }; |
0059652b | 113 | files_spool_file(user_cron_spool_t) |
296273a7 | 114 | ubac_constrained(user_cron_spool_t) |
3eaa9939 DW |
115 | mta_system_content(user_cron_spool_t) |
116 | ||
117 | type system_cronjob_var_lib_t; | |
118 | files_type(system_cronjob_var_lib_t) | |
119 | typealias system_cronjob_var_lib_t alias system_crond_var_lib_t; | |
120 | ||
# NOTE(review): system_cronjob_var_run_t is not referenced anywhere else in this .te; presumably used from the .fc/.if files — confirm.
121 | type system_cronjob_var_run_t; | |
122 | files_pid_file(system_cronjob_var_run_t) | |
296273a7 | 123 | |
ef521e99 DG |
# Under MCS the daemon is started with the range s0 - mcs_systemhigh instead of a single level.
124 | ifdef(`enable_mcs',` |
125 | init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh) | |
126 | ') | |
127 | ||
296273a7 CP |
128 | ######################################## |
129 | # | |
130 | # Admin crontab local policy | |
131 | # | |
132 | ||
133 | # Allow the admin crontab domain to read and delete (unlink) any user's cron spool file. | |
1dfc76f7 | 134 | allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms }; |
296273a7 CP |
135 | |
136 | # Manipulate other users crontab. | |
# Context computation is needed so the admin client can work out the context another
# user's crontab should carry (crontab -u); these interfaces query the kernel, they do not
# by themselves grant access to the spool files.
137 | selinux_get_fs_mount(admin_crontab_t) | |
138 | selinux_validate_context(admin_crontab_t) | |
139 | selinux_compute_access_vector(admin_crontab_t) | |
140 | selinux_compute_create_context(admin_crontab_t) | |
141 | selinux_compute_relabel_context(admin_crontab_t) | |
142 | selinux_compute_user_contexts(admin_crontab_t) | |
143 | ||
68ac47d8 | 144 | tunable_policy(`fcron_crond',` |
296273a7 CP |
145 | # fcron wants an instant update of a crontab change for the administrator |
146 | # also crontab does a security check for crontab -u | |
# setfscreate lets the client choose the context of files it creates; only granted for fcron.
147 | allow admin_crontab_t self:process setfscreate; | |
148 | ') | |
149 | ||
23caa6d1 CP |
150 | ######################################## |
151 | # | |
296273a7 | 152 | # Cron daemon local policy |
23caa6d1 CP |
153 | # |
154 | ||
# NOTE(review): dac_override/dac_read_search bypass DAC on every file and setuid/setgid allow identity
# changes; presumably needed to open each user's spool file and run jobs as their owner, but this set
# deserves to stay minimal.
04384c5b | 155 | allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search }; |
23caa6d1 | 156 | dontaudit crond_t self:capability { sys_resource sys_tty_config }; |
# Everything in the process class except the listed permissions (ptrace, the exec* memory ones and the
# context-setting ones) ...
3eaa9939 | 157 | allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; |
# ... setexec and setfscreate are then granted back explicitly, because crond sets each job's context
# itself via setexeccon (see the transition comments in the cronjob sections below).
681c9a02 | 158 | allow crond_t self:process { setexec setfscreate }; |
23caa6d1 | 159 | allow crond_t self:fd use; |
c0868a7a | 160 | allow crond_t self:fifo_file rw_fifo_file_perms; |
0a10b1fa CP |
161 | allow crond_t self:unix_dgram_socket create_socket_perms; |
162 | allow crond_t self:unix_stream_socket create_stream_socket_perms; | |
23caa6d1 CP |
163 | allow crond_t self:unix_dgram_socket sendto; |
164 | allow crond_t self:unix_stream_socket connectto; | |
0a10b1fa CP |
165 | allow crond_t self:shm create_shm_perms; |
166 | allow crond_t self:sem create_sem_perms; | |
167 | allow crond_t self:msgq create_msgq_perms; | |
23caa6d1 | 168 | allow crond_t self:msg { send receive }; |
# Kernel keyring access for the daemon; see also kernel_search_key and userdom_create_all_users_keys below.
d6d16b97 | 169 | allow crond_t self:key { search write link }; |
23caa6d1 | 170 | |
c61b3504 CP |
171 | manage_files_pattern(crond_t, cron_log_t, cron_log_t) |
172 | logging_log_filetrans(crond_t, cron_log_t, file) | |
173 | ||
174 | manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t) | |
3f67f722 | 175 | files_pid_filetrans(crond_t, crond_var_run_t, file) |
23caa6d1 | 176 | |
c61b3504 | 177 | manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) |
c0868a7a | 178 | |
0bfccda4 CP |
179 | manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t) |
180 | manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t) | |
181 | files_tmp_filetrans(crond_t, crond_tmp_t, { file dir }) | |
350b6ab7 | 182 | |
c61b3504 CP |
# The daemon only lists and reads system crontabs here; write access is granted separately under the
# fcron_crond tunable below (and unconditionally under distro_redhat in the system cron section).
183 | list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) |
184 | read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) | |
075c4fda | 185 | |
445522dc | 186 | kernel_read_kernel_sysctls(crond_t) |
c61b3504 | 187 | kernel_read_fs_sysctls(crond_t) |
d9845ae9 CP |
188 | kernel_search_key(crond_t) |
189 | ||
8bd67899 | 190 | dev_read_sysfs(crond_t) |
5e0da6a0 CP |
# Context computation: the daemon derives each job's security context itself rather than relying on
# an automatic transition (see the setexeccon comments in the cronjob sections).
191 | selinux_get_fs_mount(crond_t) |
192 | selinux_validate_context(crond_t) | |
193 | selinux_compute_access_vector(crond_t) | |
194 | selinux_compute_create_context(crond_t) | |
195 | selinux_compute_relabel_context(crond_t) | |
196 | selinux_compute_user_contexts(crond_t) | |
23caa6d1 | 197 | |
f0c985ca | 198 | dev_read_urand(crond_t) |
23caa6d1 | 199 | |
0fd9dc55 | 200 | fs_getattr_all_fs(crond_t) |
ab940a4c | 201 | fs_search_auto_mountpoints(crond_t) |
c61b3504 | 202 | fs_list_inotifyfs(crond_t) |
23caa6d1 | 203 | |
efd8ede3 | 204 | # need auth_chkpwd to check for locked accounts. |
c9428d33 | 205 | auth_domtrans_chk_passwd(crond_t) |
fb5c4713 | 206 | auth_manage_var_auth(crond_t) |
efd8ede3 | 207 | |
c9428d33 | 208 | corecmd_exec_shell(crond_t) |
8021cb4f | 209 | corecmd_list_bin(crond_t) |
4e889ea1 | 210 | corecmd_exec_bin(crond_t) |
8021cb4f | 211 | corecmd_read_bin_symlinks(crond_t) |
23caa6d1 | 212 | |
15722ec9 | 213 | domain_use_interactive_fds(crond_t) |
3eaa9939 DW |
# Exemptions from the subject-id and role change constraints, presumably because jobs are launched
# under the crontab owner's SELinux user and role rather than the daemon's.
214 | domain_subj_id_change_exemption(crond_t) |
215 | domain_role_change_exemption(crond_t) | |
23caa6d1 | 216 | |
c61b3504 CP |
217 | files_read_usr_files(crond_t) |
218 | files_read_etc_runtime_files(crond_t) | |
8fd36732 | 219 | files_read_etc_files(crond_t) |
9e04f5c5 | 220 | files_read_generic_spool(crond_t) |
681c9a02 | 221 | files_list_usr(crond_t) |
3774e4eb CP |
222 | # Read from /var/spool/cron. |
223 | files_search_var_lib(crond_t) | |
224 | files_search_default(crond_t) | |
23caa6d1 | 225 | |
5a11df38 MG |
226 | fs_manage_cgroup_dirs(crond_t) |
227 | fs_manage_cgroup_files(crond_t) | |
228 | ||
558fe7df MG |
229 | # needed by "crontab -e" |
230 | mls_file_read_all_levels(crond_t) | |
231 | mls_file_write_all_levels(crond_t) | |
232 | ||
233 | # needed because of kernel check of transition | |
234 | mls_process_set_level(crond_t) | |
235 | ||
236 | # to make cronjob working | |
237 | mls_fd_share_all_levels(crond_t) | |
238 | mls_trusted_object(crond_t) | |
239 | ||
d87a4847 | 240 | init_read_state(crond_t) |
68228b33 | 241 | init_rw_utmp(crond_t) |
c61b3504 | 242 | init_spec_domtrans_script(crond_t) |
075c4fda | 243 | |
# Duplicate of the auth_manage_var_auth(crond_t) call at line 206 above; redundant but harmless.
5a11df38 | 244 | auth_manage_var_auth(crond_t) |
c0cf6e0a CP |
245 | auth_use_nsswitch(crond_t) |
246 | ||
3eaa9939 | 247 | logging_send_audit_msgs(crond_t) |
c9428d33 | 248 | logging_send_syslog_msg(crond_t) |
# NOTE(review): lets the daemon change the audit loginuid, presumably to tag each job with its owner — confirm.
3eaa9939 | 249 | logging_set_loginuid(crond_t) |
23caa6d1 | 250 | |
5e0da6a0 CP |
251 | seutil_read_config(crond_t) |
252 | seutil_read_default_contexts(crond_t) | |
8fd36732 | 253 | seutil_sigchld_newrole(crond_t) |
23caa6d1 CP |
254 | |
255 | miscfiles_read_localization(crond_t) | |
256 | ||
103fe280 | 257 | userdom_use_unpriv_users_fds(crond_t) |
9778406f | 258 | # Not sure why this is needed |
296273a7 | 259 | userdom_list_user_home_dirs(crond_t) |
dc3ce1ec | 260 | userdom_list_admin_dir(crond_t) |
3eaa9939 | 261 | userdom_create_all_users_keys(crond_t) |
23caa6d1 | 262 | |
a5e2133b | 263 | mta_send_mail(crond_t) |
3eaa9939 | 264 | mta_system_content(cron_spool_t) |
a5e2133b | 265 | |
73ca55d3 | 266 | ifdef(`distro_debian',` |
74d920c3 CP |
267 | # pam_limits is used |
268 | allow crond_t self:process setrlimit; | |
269 | ||
73ca55d3 CP |
270 | optional_policy(` |
271 | # Debian logcheck has the home dir set to its cache | |
272 | logwatch_search_cache_dir(crond_t) | |
273 | ') | |
274 | ') | |
275 | ||
68ac47d8 | 276 | ifdef(`distro_redhat',` |
b24f35d8 CP |
277 | # Run the rpm program in the rpm_t domain. Allow creation of RPM log files |
278 | # via redirection of standard out. | |
bb7170f6 | 279 | optional_policy(` |
b24f35d8 CP |
280 | rpm_manage_log(crond_t) |
281 | ') | |
075c4fda CP |
282 | ') |
283 | ||
3eaa9939 DW |
284 | tunable_policy(`allow_polyinstantiation',` |
285 | files_polyinstantiate_all(crond_t) | |
286 | ') | |
287 | ||
c61b3504 | 288 | tunable_policy(`fcron_crond', ` |
ef521e99 DG |
# Only fcron needs the daemon itself to modify the system crontabs; otherwise they stay read-only to crond_t.
289 | allow crond_t system_cron_spool_t:file manage_file_perms; |
290 | ') | |
291 | ||
3eaa9939 DW |
292 | optional_policy(` |
293 | apache_search_sys_content(crond_t) | |
294 | ') | |
295 | ||
296 | optional_policy(` | |
68ac47d8 DG |
297 | djbdns_search_tinydns_keys(crond_t) |
298 | djbdns_link_tinydns_keys(crond_t) | |
c61b3504 CP |
299 | ') |
300 | ||
d6d16b97 CP |
301 | optional_policy(` |
302 | locallogin_search_keys(crond_t) | |
303 | locallogin_link_keys(crond_t) | |
304 | ') | |
305 | ||
3eaa9939 DW |
306 | optional_policy(` |
307 | # these should probably be unconfined_crond_t | |
308 | dbus_system_bus_client(crond_t) | |
309 | init_dbus_send_script(crond_t) | |
1961c353 | 310 | init_dbus_chat(crond_t) |
3eaa9939 DW |
311 | ') |
312 | ||
c61b3504 CP |
313 | optional_policy(` |
314 | amanda_search_var_lib(crond_t) | |
b24f35d8 CP |
315 | ') |
316 | ||
bb7170f6 | 317 | optional_policy(` |
8a0a9944 CP |
318 | amavis_search_lib(crond_t) |
319 | ') | |
320 | ||
bb7170f6 | 321 | optional_policy(` |
c61b3504 | 322 | hal_dbus_chat(crond_t) |
3eaa9939 DW |
323 | hal_write_log(crond_t) |
324 | hal_dbus_chat(system_cronjob_t) | |
9b06402e CP |
325 | ') |
326 | ||
b6d37ebb CP |
327 | optional_policy(` |
328 | # cjp: why? | |
329 | munin_search_lib(crond_t) | |
330 | ') | |
331 | ||
c61b3504 CP |
332 | optional_policy(` |
333 | rpc_search_nfs_state_data(crond_t) | |
334 | ') | |
335 | ||
bb7170f6 | 336 | optional_policy(` |
ebdc3b79 | 337 | # Commonly used from postinst scripts |
1815bad1 | 338 | rpm_read_pipes(crond_t) |
ebdc3b79 CP |
339 | ') |
340 | ||
bb7170f6 | 341 | optional_policy(` |
a1fcff33 | 342 | # allow crond to find /usr/lib/postgresql/bin/do.maintenance |
1815bad1 | 343 | postgresql_search_db(crond_t) |
a1fcff33 CP |
344 | ') |
345 | ||
ac679c2f DG |
346 | optional_policy(` |
347 | systemd_use_fds_logind(crond_t) | |
348 | systemd_write_inherited_logind_sessions_pipes(crond_t) | |
349 | ') | |
350 | ||
bb7170f6 | 351 | optional_policy(` |
c9428d33 | 352 | udev_read_db(crond_t) |
23caa6d1 CP |
353 | ') |
354 | ||
0a394bf0 DW |
355 | optional_policy(` |
356 | vnstatd_search_lib(crond_t) | |
357 | ') | |
358 | ||
23caa6d1 CP |
359 | ######################################## |
360 | # | |
361 | # System cron process domain | |
362 | # | |
9bbc757a | 363 | |
# NOTE(review): dac_override/dac_read_search, setuid/setgid and net_bind_service are granted to every
# system cron job; together with corecmd_exec_all_executables below this is a powerful domain.
c61b3504 | 364 | allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice }; |
3eaa9939 | 365 | |
c61b3504 | 366 | allow system_cronjob_t self:process { signal_perms getsched setsched }; |
296273a7 CP |
367 | allow system_cronjob_t self:fifo_file rw_fifo_file_perms; |
# passwd:rootok is the class/permission pulled in by gen_require at the top of the file;
# presumably for pam_rootok checks by jobs running as root — confirm.
368 | allow system_cronjob_t self:passwd rootok; | |
350b6ab7 | 369 | |
e2b84ef7 CP |
370 | # This is to handle creation of files in /var/log directory. |
371 | # Used currently by rpm script log files | |
296273a7 CP |
372 | allow system_cronjob_t cron_log_t:file manage_file_perms; |
373 | logging_log_filetrans(system_cronjob_t, cron_log_t, file) | |
e2b84ef7 CP |
374 | |
375 | # This is to handle /var/lib/misc directory. Used currently | |
376 | # by prelink var/lib files for cron | |
1dfc76f7 | 377 | allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms }; |
296273a7 | 378 | files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file) |
e2b84ef7 | 379 | |
3eaa9939 DW |
380 | allow system_cronjob_t cron_var_run_t:file manage_file_perms; |
381 | files_pid_filetrans(system_cronjob_t, cron_var_run_t, file) | |
382 | ||
# Read-only access to the system crontabs is the baseline; the manage rule a few lines down exists only for anacron.
296273a7 | 383 | allow system_cronjob_t system_cron_spool_t:file read_file_perms; |
3eaa9939 | 384 | |
8effc8a7 DW |
385 | mls_file_read_to_clearance(system_cronjob_t) |
386 | ||
3eaa9939 DW |
387 | # anacron forces the following (full management of system spool files, not just reads) |
388 | manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t) | |
389 | ||
350b6ab7 CP |
390 | # The entrypoint interface is not used as this is not |
391 | # a regular entrypoint. Since crontab files are | |
392 | # not directly executed, crond must ensure that | |
393 | # the crontab file has a type that is appropriate | |
394 | # for the domain of the user cron job. It | |
395 | # performs an entrypoint permission check | |
396 | # for this purpose. | |
296273a7 | 397 | allow system_cronjob_t system_cron_spool_t:file entrypoint; |
350b6ab7 CP |
398 | |
399 | # Permit a transition from the crond_t domain to this domain. | |
400 | # The transition is requested explicitly by the modified crond | |
401 | # via setexeccon. There is no way to set up an automatic | |
402 | # transition, since crontabs are configuration files, not executables. | |
296273a7 CP |
403 | allow crond_t system_cronjob_t:process transition; |
# noatsecure/siginh/rlimitinh denials on the transition are only silenced, not allowed.
404 | dontaudit crond_t system_cronjob_t:process { noatsecure siginh rlimitinh }; | |
405 | allow crond_t system_cronjob_t:fd use; | |
406 | allow system_cronjob_t crond_t:fd use; | |
407 | allow system_cronjob_t crond_t:fifo_file rw_file_perms; | |
408 | allow system_cronjob_t crond_t:process sigchld; | |
# The daemon manages the job's keyring (see the self:key and userdom_create_all_users_keys rules in the daemon section).
3eaa9939 | 409 | allow crond_t system_cronjob_t:key manage_key_perms; |
350b6ab7 CP |
410 | |
411 | # Write /var/lock/makewhatis.lock. | |
296273a7 | 412 | allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; |
3f67f722 | 413 | files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file) |
350b6ab7 CP |
414 | |
415 | # write temporary files | |
296273a7 CP |
416 | manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) |
417 | manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) | |
418 | filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) | |
419 | files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) | |
9bbc757a | 420 | |
3eaa9939 DW |
421 | # var/lib files for system_crond |
422 | files_search_var_lib(system_cronjob_t) | |
423 | manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t) | |
424 | ||
350b6ab7 | 425 | # Read from /var/spool/cron (note the file rule below actually grants rw_file_perms, i.e. write as well). |
296273a7 | 426 | allow system_cronjob_t cron_spool_t:dir list_dir_perms; |
3eaa9939 | 427 | allow system_cronjob_t cron_spool_t:file rw_file_perms; |
350b6ab7 | 428 | |
296273a7 CP |
429 | kernel_read_kernel_sysctls(system_cronjob_t) |
430 | kernel_read_system_state(system_cronjob_t) | |
431 | kernel_read_software_raid_state(system_cronjob_t) | |
350b6ab7 CP |
432 | |
433 | # ps does not need to access /boot when run from cron | |
296273a7 | 434 | files_dontaudit_search_boot(system_cronjob_t) |
350b6ab7 | 435 | |
296273a7 | 436 | corecmd_exec_all_executables(system_cronjob_t) |
350b6ab7 | 437 | |
296273a7 CP |
438 | corenet_all_recvfrom_unlabeled(system_cronjob_t) |
439 | corenet_all_recvfrom_netlabel(system_cronjob_t) | |
668b3093 CP |
440 | corenet_tcp_sendrecv_generic_if(system_cronjob_t) |
441 | corenet_udp_sendrecv_generic_if(system_cronjob_t) | |
c1262146 CP |
442 | corenet_tcp_sendrecv_generic_node(system_cronjob_t) |
443 | corenet_udp_sendrecv_generic_node(system_cronjob_t) | |
296273a7 CP |
444 | corenet_tcp_sendrecv_all_ports(system_cronjob_t) |
445 | corenet_udp_sendrecv_all_ports(system_cronjob_t) | |
350b6ab7 | 446 | |
296273a7 CP |
447 | dev_getattr_all_blk_files(system_cronjob_t) |
448 | dev_getattr_all_chr_files(system_cronjob_t) | |
449 | dev_read_urand(system_cronjob_t) | |
3eaa9939 | 450 | dev_read_sysfs(system_cronjob_t) |
350b6ab7 | 451 | |
296273a7 CP |
452 | fs_getattr_all_fs(system_cronjob_t) |
453 | fs_getattr_all_files(system_cronjob_t) | |
454 | fs_getattr_all_symlinks(system_cronjob_t) | |
455 | fs_getattr_all_pipes(system_cronjob_t) | |
456 | fs_getattr_all_sockets(system_cronjob_t) | |
350b6ab7 CP |
457 | |
458 | # quiet other ps operations | |
296273a7 CP |
459 | domain_dontaudit_read_all_domains_state(system_cronjob_t) |
460 | ||
461 | files_exec_etc_files(system_cronjob_t) | |
462 | files_read_etc_files(system_cronjob_t) | |
463 | files_read_etc_runtime_files(system_cronjob_t) | |
464 | files_list_all(system_cronjob_t) | |
465 | files_getattr_all_dirs(system_cronjob_t) | |
466 | files_getattr_all_files(system_cronjob_t) | |
467 | files_getattr_all_symlinks(system_cronjob_t) | |
468 | files_getattr_all_pipes(system_cronjob_t) | |
469 | files_getattr_all_sockets(system_cronjob_t) | |
470 | files_read_usr_files(system_cronjob_t) | |
471 | files_read_var_files(system_cronjob_t) | |
350b6ab7 | 472 | # for nscd: |
296273a7 | 473 | files_dontaudit_search_pids(system_cronjob_t) |
350b6ab7 CP |
474 | # Access other spool directories like |
475 | # /var/spool/anacron and /var/spool/slrnpull. | |
296273a7 | 476 | files_manage_generic_spool(system_cronjob_t) |
3eaa9939 | 477 | files_create_boot_flag(system_cronjob_t) |
350b6ab7 | 478 | |
296273a7 CP |
479 | init_use_script_fds(system_cronjob_t) |
480 | init_read_utmp(system_cronjob_t) | |
481 | init_dontaudit_rw_utmp(system_cronjob_t) | |
350b6ab7 | 482 | # prelink tells init to restart it self, we either need to allow or dontaudit |
c61b3504 CP |
483 | init_telinit(system_cronjob_t) |
484 | init_domtrans_script(system_cronjob_t) | |
350b6ab7 | 485 | |
296273a7 | 486 | auth_use_nsswitch(system_cronjob_t) |
c0cf6e0a | 487 | |
296273a7 CP |
488 | libs_exec_lib_files(system_cronjob_t) |
489 | libs_exec_ld_so(system_cronjob_t) | |
350b6ab7 | 490 | |
296273a7 | 491 | logging_read_generic_logs(system_cronjob_t) |
c61b3504 | 492 | logging_send_audit_msgs(system_cronjob_t) |
296273a7 | 493 | logging_send_syslog_msg(system_cronjob_t) |
350b6ab7 | 494 | |
296273a7 CP |
495 | miscfiles_read_localization(system_cronjob_t) |
496 | miscfiles_manage_man_pages(system_cronjob_t) | |
350b6ab7 | 497 | |
296273a7 | 498 | seutil_read_config(system_cronjob_t) |
3774e4eb | 499 | |
68ac47d8 | 500 | ifdef(`distro_redhat',` |
350b6ab7 | 501 | # On Red Hat builds the daemon may also manage the system crontab files unconditionally; elsewhere this is only granted under the fcron_crond tunable (see the daemon section). |
3eaa9939 DW |
502 | allow crond_t system_cron_spool_t:file manage_file_perms; |
503 | ||
350b6ab7 | 504 | # Run the rpm program in the rpm_t domain. Allow creation of RPM log files via redirection of standard out. |
bb7170f6 | 505 | optional_policy(` |
296273a7 | 506 | rpm_manage_log(system_cronjob_t) |
9778406f | 507 | ') |
350b6ab7 | 508 | ') |
9778406f | 509 | |
# With cron_can_relabel the job transitions into the setfiles domain to restore contexts; otherwise it
# only gets the context-computation interfaces plus read access to the file_contexts configuration.
350b6ab7 | 510 | tunable_policy(`cron_can_relabel',` |
296273a7 | 511 | seutil_domtrans_setfiles(system_cronjob_t) |
350b6ab7 | 512 | ',` |
296273a7 CP |
513 | selinux_get_fs_mount(system_cronjob_t) |
514 | selinux_validate_context(system_cronjob_t) | |
515 | selinux_compute_access_vector(system_cronjob_t) | |
516 | selinux_compute_create_context(system_cronjob_t) | |
517 | selinux_compute_relabel_context(system_cronjob_t) | |
518 | selinux_compute_user_contexts(system_cronjob_t) | |
519 | seutil_read_file_contexts(system_cronjob_t) | |
350b6ab7 | 520 | ') |
af23450c | 521 | |
350b6ab7 CP |
522 | optional_policy(` |
523 | # Needed for certwatch | |
296273a7 CP |
524 | apache_exec_modules(system_cronjob_t) |
525 | apache_read_config(system_cronjob_t) | |
526 | apache_read_log(system_cronjob_t) | |
527 | apache_read_sys_content(system_cronjob_t) | |
3eaa9939 DW |
528 | apache_delete_cache_dirs(system_cronjob_t) |
529 | apache_delete_cache_files(system_cronjob_t) | |
350b6ab7 | 530 | ') |
b24f35d8 | 531 | |
350b6ab7 | 532 | optional_policy(` |
296273a7 | 533 | cyrus_manage_data(system_cronjob_t) |
350b6ab7 | 534 | ') |
af23450c | 535 | |
3eaa9939 DW |
536 | optional_policy(` |
537 | dbus_system_bus_client(system_cronjob_t) | |
538 | ') | |
539 | ||
540 | optional_policy(` | |
541 | exim_read_spool_files(system_cronjob_t) | |
542 | ') | |
543 | ||
350b6ab7 | 544 | optional_policy(` |
296273a7 | 545 | ftp_read_log(system_cronjob_t) |
350b6ab7 | 546 | ') |
67962667 | 547 | |
350b6ab7 | 548 | optional_policy(` |
296273a7 CP |
549 | inn_manage_log(system_cronjob_t) |
550 | inn_manage_pid(system_cronjob_t) | |
551 | inn_read_config(system_cronjob_t) | |
350b6ab7 | 552 | ') |
3b914745 | 553 | |
c61b3504 CP |
554 | optional_policy(` |
555 | lpd_list_spool(system_cronjob_t) | |
556 | ') | |
557 | ||
350b6ab7 | 558 | optional_policy(` |
296273a7 | 559 | mrtg_append_create_logs(system_cronjob_t) |
350b6ab7 | 560 | ') |
23caa6d1 | 561 | |
350b6ab7 | 562 | optional_policy(` |
be02baeb | 563 | mta_read_config(system_cronjob_t) |
296273a7 | 564 | mta_send_mail(system_cronjob_t) |
3eaa9939 | 565 | mta_system_content(system_cron_spool_t) |
350b6ab7 | 566 | ') |
246a6042 | 567 | |
350b6ab7 | 568 | optional_policy(` |
296273a7 | 569 | mysql_read_config(system_cronjob_t) |
350b6ab7 | 570 | ') |
cf6a7d89 | 571 | |
b63ea22f MG |
572 | optional_policy(` |
573 | networkmanager_dbus_chat(system_cronjob_t) | |
574 | ') | |
575 | ||
350b6ab7 | 576 | optional_policy(` |
296273a7 | 577 | postfix_read_config(system_cronjob_t) |
350b6ab7 | 578 | ') |
23caa6d1 | 579 | |
350b6ab7 | 580 | optional_policy(` |
296273a7 | 581 | prelink_delete_cache(system_cronjob_t) |
c61b3504 CP |
582 | prelink_manage_lib(system_cronjob_t) |
583 | prelink_manage_log(system_cronjob_t) | |
584 | prelink_read_cache(system_cronjob_t) | |
3eaa9939 | 585 | prelink_relabel_lib(system_cronjob_t) |
350b6ab7 | 586 | ') |
6a57b68d | 587 | |
350b6ab7 | 588 | optional_policy(` |
296273a7 CP |
589 | samba_read_config(system_cronjob_t) |
590 | samba_read_log(system_cronjob_t) | |
591 | #samba_read_secrets(system_cronjob_t) | |
350b6ab7 CP |
592 | ') |
593 | ||
594 | optional_policy(` | |
296273a7 | 595 | slocate_create_append_log(system_cronjob_t) |
350b6ab7 | 596 | ') |
0f73fdea | 597 | |
350b6ab7 | 598 | optional_policy(` |
c61b3504 | 599 | spamassassin_manage_lib_files(system_cronjob_t) |
3eaa9939 | 600 | spamassassin_manage_home_client(system_cronjob_t) |
350b6ab7 | 601 | ') |
84c92239 | 602 | |
350b6ab7 | 603 | optional_policy(` |
296273a7 | 604 | sysstat_manage_log(system_cronjob_t) |
350b6ab7 | 605 | ') |
23caa6d1 | 606 | |
# NOTE(review): when this optional block is active both the daemon and the system cron jobs become
# unconfined domains, which supersedes the finer-grained rules above for those two domains.
350b6ab7 | 607 | optional_policy(` |
3eaa9939 | 608 | unconfined_domain(crond_t) |
296273a7 | 609 | unconfined_domain(system_cronjob_t) |
9461b606 DW |
610 | ') |
611 | ||
# NOTE(review): this block mixes crond_t and system_cronjob_t rules, and the userdom filetrans call is
# not an unconfined-module interface; confirm which module this optional_policy is meant to depend on.
612 | optional_policy(` | |
613 | unconfined_shell_domtrans(crond_t) | |
614 | unconfined_dbus_send(crond_t) | |
296273a7 | 615 | userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) |
350b6ab7 CP |
616 | ') |
617 | ||
296273a7 CP |
618 | ######################################## |
619 | # | |
620 | # User cronjobs local policy | |
621 | # | |
622 | ||
296273a7 CP |
# cronjob_t is the single domain for all confined user cron jobs (the per-role *_crond_t names are aliases, see Declarations).
623 | allow cronjob_t self:process { signal_perms setsched }; |
624 | allow cronjob_t self:fifo_file rw_fifo_file_perms; | |
625 | allow cronjob_t self:unix_stream_socket create_stream_socket_perms; | |
626 | allow cronjob_t self:unix_dgram_socket create_socket_perms; | |
627 | ||
628 | # The entrypoint interface is not used as this is not | |
629 | # a regular entrypoint. Since crontab files are | |
630 | # not directly executed, crond must ensure that | |
631 | # the crontab file has a type that is appropriate | |
632 | # for the domain of the user cron job. It | |
633 | # performs an entrypoint permission check | |
634 | # for this purpose. | |
635 | allow cronjob_t user_cron_spool_t:file entrypoint; | |
636 | ||
637 | # Permit a transition from the crond_t domain to this domain. | |
638 | # The transition is requested explicitly by the modified crond | |
639 | # via setexeccon. There is no way to set up an automatic | |
640 | # transition, since crontabs are configuration files, not executables. | |
641 | allow crond_t cronjob_t:process transition; | |
# noatsecure/siginh/rlimitinh denials on the transition are only silenced, not allowed.
642 | dontaudit crond_t cronjob_t:process { noatsecure siginh rlimitinh }; | |
643 | allow crond_t cronjob_t:fd use; | |
644 | allow cronjob_t crond_t:fd use; | |
645 | allow cronjob_t crond_t:fifo_file rw_file_perms; | |
646 | allow cronjob_t crond_t:process sigchld; | |
647 | ||
648 | kernel_read_system_state(cronjob_t) | |
649 | kernel_read_kernel_sysctls(cronjob_t) | |
650 | ||
651 | # ps does not need to access /boot when run from cron | |
652 | files_dontaudit_search_boot(cronjob_t) | |
653 | ||
# Unrestricted client-side network access for user jobs (all ports, all interfaces and nodes).
654 | corenet_all_recvfrom_unlabeled(cronjob_t) | |
655 | corenet_all_recvfrom_netlabel(cronjob_t) | |
668b3093 CP |
656 | corenet_tcp_sendrecv_generic_if(cronjob_t) |
657 | corenet_udp_sendrecv_generic_if(cronjob_t) | |
c1262146 CP |
658 | corenet_tcp_sendrecv_generic_node(cronjob_t) |
659 | corenet_udp_sendrecv_generic_node(cronjob_t) | |
296273a7 CP |
660 | corenet_tcp_sendrecv_all_ports(cronjob_t) |
661 | corenet_udp_sendrecv_all_ports(cronjob_t) | |
662 | corenet_tcp_connect_all_ports(cronjob_t) | |
663 | corenet_sendrecv_all_client_packets(cronjob_t) | |
664 | ||
665 | dev_read_urand(cronjob_t) | |
666 | ||
667 | fs_getattr_all_fs(cronjob_t) | |
668 | ||
# NOTE(review): with every executable runnable and the network rules above, a user cron job is bounded
# mainly by the user-content rules that follow, not by the executable set.
669 | corecmd_exec_all_executables(cronjob_t) | |
670 | ||
671 | # quiet other ps operations | |
672 | domain_dontaudit_read_all_domains_state(cronjob_t) | |
673 | domain_dontaudit_getattr_all_domains(cronjob_t) | |
674 | ||
675 | files_read_usr_files(cronjob_t) | |
676 | files_exec_etc_files(cronjob_t) | |
677 | # for nscd: | |
678 | files_dontaudit_search_pids(cronjob_t) | |
679 | ||
680 | libs_exec_lib_files(cronjob_t) | |
681 | libs_exec_ld_so(cronjob_t) | |
682 | ||
683 | files_read_etc_runtime_files(cronjob_t) | |
684 | files_read_var_files(cronjob_t) | |
685 | files_search_spool(cronjob_t) | |
686 | ||
687 | logging_search_logs(cronjob_t) | |
688 | ||
689 | seutil_read_config(cronjob_t) | |
690 | ||
691 | miscfiles_read_localization(cronjob_t) | |
692 | ||
693 | userdom_manage_user_tmp_files(cronjob_t) | |
694 | userdom_manage_user_tmp_symlinks(cronjob_t) | |
695 | userdom_manage_user_tmp_pipes(cronjob_t) | |
696 | userdom_manage_user_tmp_sockets(cronjob_t) | |
697 | # Run scripts in user home directory and access shared libs. | |
698 | userdom_exec_user_home_content_files(cronjob_t) | |
699 | # Access user files and dirs. | |
700 | userdom_manage_user_home_content_files(cronjob_t) | |
701 | userdom_manage_user_home_content_symlinks(cronjob_t) | |
702 | userdom_manage_user_home_content_pipes(cronjob_t) | |
703 | userdom_manage_user_home_content_sockets(cronjob_t) | |
704 | #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) | |
705 | ||
# Daemon-side access to the user spool: list and modify the directory, read files and symlinks.
c61b3504 | 706 | list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) |
3eaa9939 | 707 | rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) |
c61b3504 | 708 | read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) |
3eaa9939 | 709 | read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) |
# NOTE(review): this applies the lnk_file permission set to the file class; check obj_perm_sets to confirm
# that is the intended set, since it sits next to a read-only read_files_pattern for the same type.
ee4b1e0a | 710 | allow crond_t user_cron_spool_t:file manage_lnk_file_perms; |
c61b3504 | 711 | |
68ac47d8 | 712 | tunable_policy(`fcron_crond',` |
296273a7 CP |
# Only fcron needs the daemon itself to modify user crontabs.
713 | allow crond_t user_cron_spool_t:file manage_file_perms; |
714 | ') | |
715 | ||
716 | # need a per-role version of this: | |
717 | #optional_policy(` | |
718 | # mono_domtrans(cronjob_t) | |
719 | #') | |
720 | ||
721 | optional_policy(` | |
722 | nis_use_ypbind(cronjob_t) | |
723 | ') | |
724 | ||
725 | ######################################## | |
726 | # | |
727 | # Unconfined cronjobs local policy | |
728 | # | |
729 | ||
# Everything for unconfined_cronjob_t lives in this optional block, so the domain is only reachable when the
# module providing unconfined_domain is present. Unlike the confined job domains, no entrypoint rule on a
# spool type is given for it in this file.
730 | optional_policy(` | |
2a77737d CP |
731 | # Permit a transition from the crond_t domain to this domain. |
732 | # The transition is requested explicitly by the modified crond | |
733 | # via setexeccon. There is no way to set up an automatic | |
734 | # transition, since crontabs are configuration files, not executables. | |
735 | allow crond_t unconfined_cronjob_t:process transition; | |
# noatsecure/siginh/rlimitinh denials on the transition are only silenced, not allowed.
736 | dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh }; | |
737 | allow crond_t unconfined_cronjob_t:fd use; | |
738 | ||
296273a7 CP |
739 | unconfined_domain(unconfined_cronjob_t) |
740 | ') |