Index: refpolicy-2.20180701/policy/modules/services/cron.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/cron.if
+++ refpolicy-2.20180701/policy/modules/services/cron.if
@@ -21,23 +21,33 @@ template(`cron_common_crontab_template',
# Declarations
#
- type $1_t, crontab_domain;
- userdom_user_application_domain($1_t, crontab_exec_t)
+ type $1_crontab_t, crontab_domain;
+ userdom_user_application_domain($1_crontab_t, crontab_exec_t)
- type $1_tmp_t;
- userdom_user_tmp_file($1_tmp_t)
+ type $1_crontab_tmp_t;
+ userdom_user_tmp_file($1_crontab_tmp_t)
+
+ type $1_cron_spool_t, cron_spool_type;
##############################
#
# Local policy
#
- manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
- manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
- files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
+ manage_dirs_pattern($1_crontab_t, $1_crontab_tmp_t, $1_crontab_tmp_t)
+ manage_files_pattern($1_crontab_t, $1_crontab_tmp_t, $1_crontab_tmp_t)
+ files_tmp_filetrans($1_crontab_t, $1_crontab_tmp_t, { dir file })
+
+ auth_domtrans_chk_passwd($1_crontab_t)
+ auth_use_nsswitch($1_crontab_t)
+ allow $1_crontab_t self:capability fsetid;
+
+ files_type($1_cron_spool_t)
+ ubac_constrained($1_cron_spool_t)
+ mta_system_content($1_cron_spool_t)
- auth_domtrans_chk_passwd($1_t)
- auth_use_nsswitch($1_t)
+ manage_files_pattern($1_crontab_t, { cron_spool_t user_cron_spool_t }, $1_cron_spool_t)
+ filetrans_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t, file)
')
########################################
@@ -58,9 +68,11 @@ template(`cron_common_crontab_template',
#
interface(`cron_role',`
gen_require(`
+ifdef(`cronjob_domain', `
type cronjob_t;
+')
type crontab_exec_t, crond_t;
- type crontab_t, user_cron_spool_t;
+ type $2_crontab_t, $2_cron_spool_t;
bool cron_userdomain_transition;
')
@@ -69,60 +81,51 @@ interface(`cron_role',`
# Declarations
#
+ifdef(`cronjob_domain', `
role $1 types { cronjob_t };
- role $1 types { crontab_t };
+')
+ role $1 types { $2_crontab_t };
##############################
#
# Local policy
#
- domtrans_pattern($2_t, crontab_exec_t, crontab_t)
+ domtrans_pattern($2_t, crontab_exec_t, $2_crontab_t)
dontaudit crond_t $2_t:process { noatsecure siginh rlimitinh };
allow $2_t crond_t:process sigchld;
- allow $2_t user_cron_spool_t:file { getattr read write ioctl };
+ allow $2_t $2_cron_spool_t:file { getattr read write ioctl };
- allow $2_t crontab_t:process { ptrace signal_perms };
- ps_process_pattern($2_t, crontab_t)
+ allow $2_t $2_crontab_t:process { ptrace signal_perms };
+ ps_process_pattern($2_t, $2_crontab_t)
- corecmd_exec_bin(crontab_t)
- corecmd_exec_shell(crontab_t)
+ corecmd_exec_bin($2_crontab_t)
+ corecmd_exec_shell($2_crontab_t)
+ifndef(`cronjob_domain', `
tunable_policy(`cron_userdomain_transition',`
+')
allow crond_t $2_t:process transition;
allow crond_t $2_t:fd use;
allow crond_t $2_t:key manage_key_perms;
- allow $2_t user_cron_spool_t:file entrypoint;
+ allow $2_t $2_cron_spool_t:file entrypoint;
allow $2_t crond_t:fifo_file rw_fifo_file_perms;
-
- allow $2_t cronjob_t:process { ptrace signal_perms };
- ps_process_pattern($2_t, cronjob_t)
+ifndef(`cronjob_domain', `
',`
dontaudit crond_t $2_t:process transition;
dontaudit crond_t $2_t:fd use;
dontaudit crond_t $2_t:key manage_key_perms;
- dontaudit $2_t user_cron_spool_t:file entrypoint;
+ dontaudit $2_t $2_cron_spool_t:file entrypoint;
dontaudit $2_t crond_t:fifo_file rw_fifo_file_perms;
-
- dontaudit $2_t cronjob_t:process { ptrace signal_perms };
- ')
-
- optional_policy(`
- gen_require(`
- class dbus send_msg;
- ')
-
- dbus_stub(cronjob_t)
-
- allow cronjob_t $2_t:dbus send_msg;
')
')
+')
########################################
## <summary>
@@ -139,6 +142,7 @@ interface(`cron_role',`
## </summary>
## </param>
#
+ifdef(`cronjob_domain', `
interface(`cron_unconfined_role',`
gen_require(`
type unconfined_cronjob_t, crontab_t, crontab_exec_t;
@@ -204,6 +208,7 @@ interface(`cron_unconfined_role',`
allow unconfined_cronjob_t $2:dbus send_msg;
')
')
+')
########################################
## <summary>
Index: refpolicy-2.20180701/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/cron.te
+++ refpolicy-2.20180701/policy/modules/services/cron.te
@@ -25,7 +25,9 @@ gen_tunable(cron_can_relabel, false)
## the generic cronjob domain.
## </p>
## </desc>
-gen_tunable(cron_userdomain_transition, false)
+ifndef(`cronjob_domain', `
+gen_tunable(cron_userdomain_transition, true)
+')
## <desc>
## <p>
@@ -83,15 +85,16 @@ files_pid_file(crond_var_run_t)
type crontab_exec_t;
application_executable_file(crontab_exec_t)
-cron_common_crontab_template(admin_crontab)
-typealias admin_crontab_t alias sysadm_crontab_t;
-typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t;
-
-cron_common_crontab_template(crontab)
-typealias crontab_t alias { user_crontab_t staff_crontab_t };
-typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
-typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
-typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
+cron_common_crontab_template(sysadm)
+typealias sysadm_crontab_t alias admin_crontab_t;
+typealias sysadm_crontab_tmp_t alias admin_crontab_tmp_t;
+
+cron_common_crontab_template(user)
+cron_common_crontab_template(staff)
+cron_common_crontab_template(unconfined)
+typealias user_crontab_t alias { crontab_t };
+typealias sysadm_crontab_t alias { auditadm_crontab_t secadm_crontab_t };
+typealias sysadm_crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
type system_cron_spool_t, cron_spool_type;
files_type(system_cron_spool_t)
@@ -113,11 +116,7 @@ files_type(system_cronjob_var_lib_t)
type system_cronjob_var_run_t;
files_pid_file(system_cronjob_var_run_t)
-type user_cron_spool_t, cron_spool_type;
-typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
-typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
-files_type(user_cron_spool_t)
-ubac_constrained(user_cron_spool_t)
+typealias sysadm_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
type user_cron_spool_log_t;
logging_log_file(user_cron_spool_log_t)
@@ -145,9 +144,6 @@ allow crontab_domain self:capability { c
allow crontab_domain self:process { getcap setsched signal_perms };
allow crontab_domain self:fifo_file rw_fifo_file_perms;
-manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
-filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
-
allow crontab_domain cron_spool_t:dir setattr_dir_perms;
allow crontab_domain crond_t:process signal;
@@ -216,8 +212,8 @@ tunable_policy(`fcron_crond',`
# Daemon local policy
#
-allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice };
-dontaudit crond_t self:capability { sys_resource sys_tty_config };
+allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice sys_resource };
+dontaudit crond_t self:capability { sys_tty_config };
allow crond_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow crond_t self:fd use;
@@ -231,6 +227,7 @@ allow crond_t self:msg { send receive };
allow crond_t self:key { search write link };
dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
+allow crond_t cron_spool_type:file read_file_perms;
allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
logging_log_filetrans(crond_t, cron_log_t, file)