1
#DESC Crond - Crond daemon
3
# Domains for the top-level crond daemon process and
4
# for system cron jobs. The domains for user cron jobs
5
# are in macros/program/crond_macros.te.
7
# X-Debian-Packages: cron
8
# Authors: Jonathan Crowley (MITRE) <jonathan@mitre.org>,
9
# Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
12
# NB The constraints file has some entries for crond_t, this makes it
13
# different from all other domains...
15
# Domain for crond. It needs auth_chkpwd to check for locked accounts.
16
daemon_domain(crond, `, privmail, auth_chkpwd, privfd')
18
# This domain is granted permissions common to most domains (including can_net)
19
general_domain_access(crond_t)
21
# Type for the anacron executable.
22
type anacron_exec_t, file_type, sysadmfile, exec_type;
24
# Type for temporary files.
30
allow system_crond_t proc_t:lnk_file read;
31
allow system_crond_t proc_t:filesystem getattr;
32
allow system_crond_t usbdevfs_t:filesystem getattr;
35
allow mta_user_agent system_crond_t:fd use;
39
allow system_crond_t etc_t:file r_file_perms;
40
allow system_crond_t etc_runtime_t:file read;
47
allow crond_t self:capability { dac_override setgid setuid net_bind_service };
49
# Get security policy decisions.
50
can_getsecurity(crond_t)
52
# for finding binaries and /bin/sh
53
allow crond_t { bin_t sbin_t }:dir search;
54
allow crond_t { bin_t sbin_t }:lnk_file read;
56
# Read from /var/spool/cron.
57
allow crond_t var_lib_t:dir search;
58
allow crond_t var_spool_t:dir r_dir_perms;
59
allow crond_t cron_spool_t:dir r_dir_perms;
60
allow crond_t cron_spool_t:file r_file_perms;
62
# Read /etc/security/default_contexts.
63
allow crond_t default_context_t:file r_file_perms;
65
allow crond_t etc_t:file { getattr read };
66
allow crond_t etc_t:lnk_file read;
68
allow crond_t default_t:dir { search };
70
# crond tries to search /root. Not sure why.
71
allow crond_t sysadm_home_dir_t:dir r_dir_perms;
74
allow crond_t home_root_t:dir { getattr search };
75
allow crond_t user_home_dir_type:dir r_dir_perms;
78
can_exec(crond_t, shell_exec_t)
81
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
82
# via redirection of standard out.
83
allow crond_t rpm_log_t: file create_file_perms;
85
system_crond_entry(rpm_exec_t, rpm_t)
86
allow system_crond_t rpm_log_t:file create_file_perms;
89
allow system_crond_t var_log_t:file r_file_perms;
95
# Transition to this domain for anacron as well.
96
# Still need to study anacron.
97
domain_auto_trans(initrc_t, anacron_exec_t, system_crond_t)
100
file_type_auto_trans(system_crond_t, var_log_t, crond_log_t, file)
102
# Inherit and use descriptors from init for anacron.
103
allow system_crond_t init_t:fd use;
105
# Inherit and use descriptors from initrc for anacron.
106
allow system_crond_t initrc_t:fd use;
107
allow system_crond_t initrc_devpts_t:chr_file { read write };
109
# Write to a socket from initrc - why? wrong I think
110
#allow system_crond_t initrc_t:udp_socket rw_socket_perms;
113
allow system_crond_t self:capability { chown setgid setuid fowner net_bind_service fsetid };
115
# Read the system crontabs.
116
allow system_crond_t system_cron_spool_t:file r_file_perms;
118
allow crond_t system_cron_spool_t:dir r_dir_perms;
119
allow crond_t system_cron_spool_t:file r_file_perms;
121
# Read from /var/spool/cron.
122
allow system_crond_t cron_spool_t:dir r_dir_perms;
123
allow system_crond_t cron_spool_t:file r_file_perms;
125
# Write to /var/lib/slocate.db.
126
allow system_crond_t var_lib_t:dir rw_dir_perms;
127
allow system_crond_t var_lib_t:file create_file_perms;
129
# Update whatis files.
130
allow system_crond_t catman_t:dir create_dir_perms;
131
allow system_crond_t catman_t:file create_file_perms;
132
allow system_crond_t man_t:file r_file_perms;
133
allow system_crond_t man_t:lnk_file read;
135
# Write /var/lock/makewhatis.lock.
136
lock_domain(system_crond)
138
# for if /var/mail is a symlink
139
allow crond_t mail_spool_t:lnk_file read;
140
allow crond_t mail_spool_t:dir search;
142
# Run logrotate in the logrotate_t domain.
143
ifdef(`logrotate.te', `
144
system_crond_entry(logrotate_exec_t, logrotate_t)
148
r_dir_file(system_mail_t, crond_tmp_t)
151
# Stat any file and search any directory for find.
152
allow system_crond_t file_type:file_class_set getattr;
153
allow system_crond_t file_type:dir { read search getattr };
155
# Create temporary files.
156
type system_crond_tmp_t, file_type, sysadmfile, tmpfile;
157
file_type_auto_trans(system_crond_t, { tmp_t crond_tmp_t }, system_crond_tmp_t)
159
# /sbin/runlevel ask for w access to utmp, but will operate
160
# correctly without it. Do not audit write denials to utmp.
161
# /sbin/runlevel needs lock access however
162
dontaudit system_crond_t initrc_var_run_t:file write;
163
allow system_crond_t initrc_var_run_t:file { getattr read lock };
165
# Access other spool directories like
166
# /var/spool/anacron and /var/spool/slrnpull.
167
allow system_crond_t var_spool_t:file create_file_perms;
168
allow system_crond_t var_spool_t:dir rw_dir_perms;
170
# Do not audit attempts to search unlabeled directories (e.g. slocate).
171
dontaudit system_crond_t unlabeled_t:dir r_dir_perms;
172
dontaudit system_crond_t unlabeled_t:file r_file_perms;
175
# reading /var/spool/cron/mailman
177
allow crond_t var_spool_t:file { getattr read };
178
allow system_crond_t devpts_t:filesystem getattr;
179
allow system_crond_t sysfs_t:filesystem getattr;
180
allow system_crond_t tmpfs_t:filesystem getattr;
181
allow system_crond_t rpc_pipefs_t:filesystem getattr;
184
# These rules are here to allow system cron jobs to su
186
su_restricted_domain(system_crond,system)
187
role system_r types system_crond_su_t;
188
allow system_crond_t self:passwd rootok;
189
allow system_crond_su_t crond_t:fifo_file { ioctl };
191
# prelink tells init to restart it self, we either need to allow or dontaudit
193
allow system_crond_t initctl_t:fifo_file { write };
194
dontaudit userdomain system_crond_t:fd { use };