2
policy_module(cron, 2.2.0)
8
########################################
15
## Allow system cron jobs to relabel filesystem
16
## for restoring file contexts.
19
gen_tunable(cron_can_relabel, false)
23
## Enable extra rules in the cron domain
27
gen_tunable(fcron_crond, false)
29
attribute cron_spool_type;
32
application_executable_file(anacron_exec_t)
35
files_type(cron_spool_t)
39
files_type(cron_var_lib_t)
42
files_type(cron_var_run_t)
46
logging_log_file(cron_log_t)
49
typealias cronjob_t alias { user_crond_t staff_crond_t sysadm_crond_t };
50
typealias cronjob_t alias { auditadm_crond_t secadm_crond_t };
51
domain_type(cronjob_t)
52
domain_cron_exemption_target(cronjob_t)
53
corecmd_shell_entry_type(cronjob_t)
54
ubac_constrained(cronjob_t)
58
init_daemon_domain(crond_t, crond_exec_t)
59
domain_interactive_fd(crond_t)
60
domain_cron_exemption_source(crond_t)
62
type crond_initrc_exec_t;
63
init_script_file(crond_initrc_exec_t)
66
files_tmp_file(crond_tmp_t)
69
files_pid_file(crond_var_run_t)
72
application_executable_file(crontab_exec_t)
74
cron_common_crontab_template(admin_crontab)
75
typealias admin_crontab_t alias sysadm_crontab_t;
76
typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t;
78
cron_common_crontab_template(crontab)
79
typealias crontab_t alias { user_crontab_t staff_crontab_t };
80
typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
81
typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
82
typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
84
type system_cron_spool_t, cron_spool_type;
85
files_type(system_cron_spool_t)
87
type system_cronjob_t alias system_crond_t;
88
init_daemon_domain(system_cronjob_t, anacron_exec_t)
89
corecmd_shell_entry_type(system_cronjob_t)
90
role system_r types system_cronjob_t;
92
type system_cronjob_lock_t alias system_crond_lock_t;
93
files_lock_file(system_cronjob_lock_t)
95
type system_cronjob_tmp_t alias system_crond_tmp_t;
96
files_tmp_file(system_cronjob_tmp_t)
99
init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
102
type unconfined_cronjob_t;
103
domain_type(unconfined_cronjob_t)
104
domain_cron_exemption_target(unconfined_cronjob_t)
106
# Type of user crontabs once moved to cron spool.
107
type user_cron_spool_t, cron_spool_type;
108
typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
109
typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
110
files_type(user_cron_spool_t)
111
ubac_constrained(user_cron_spool_t)
113
########################################
115
# Admin crontab local policy
118
# Allow our crontab domain to unlink a user cron spool file.
119
allow admin_crontab_t user_cron_spool_t:file { getattr read unlink };
121
# Manipulate other users crontab.
122
selinux_get_fs_mount(admin_crontab_t)
123
selinux_validate_context(admin_crontab_t)
124
selinux_compute_access_vector(admin_crontab_t)
125
selinux_compute_create_context(admin_crontab_t)
126
selinux_compute_relabel_context(admin_crontab_t)
127
selinux_compute_user_contexts(admin_crontab_t)
129
tunable_policy(`fcron_crond', `
130
# fcron wants an instant update of a crontab change for the administrator
131
# also crontab does a security check for crontab -u
132
allow admin_crontab_t self:process setfscreate;
135
########################################
137
# Cron daemon local policy
140
allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
141
dontaudit crond_t self:capability { sys_resource sys_tty_config };
142
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
143
allow crond_t self:process { setexec setfscreate };
144
allow crond_t self:fd use;
145
allow crond_t self:fifo_file rw_fifo_file_perms;
146
allow crond_t self:unix_dgram_socket create_socket_perms;
147
allow crond_t self:unix_stream_socket create_stream_socket_perms;
148
allow crond_t self:unix_dgram_socket sendto;
149
allow crond_t self:unix_stream_socket connectto;
150
allow crond_t self:shm create_shm_perms;
151
allow crond_t self:sem create_sem_perms;
152
allow crond_t self:msgq create_msgq_perms;
153
allow crond_t self:msg { send receive };
154
allow crond_t self:key { search write link };
156
manage_files_pattern(crond_t, cron_log_t, cron_log_t)
157
logging_log_filetrans(crond_t, cron_log_t, file)
159
manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
160
files_pid_filetrans(crond_t, crond_var_run_t, file)
162
manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
164
manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
165
manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
166
files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
168
list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
169
read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
171
kernel_read_kernel_sysctls(crond_t)
172
kernel_read_fs_sysctls(crond_t)
173
kernel_search_key(crond_t)
175
dev_read_sysfs(crond_t)
176
selinux_get_fs_mount(crond_t)
177
selinux_validate_context(crond_t)
178
selinux_compute_access_vector(crond_t)
179
selinux_compute_create_context(crond_t)
180
selinux_compute_relabel_context(crond_t)
181
selinux_compute_user_contexts(crond_t)
183
dev_read_urand(crond_t)
185
fs_getattr_all_fs(crond_t)
186
fs_search_auto_mountpoints(crond_t)
187
fs_list_inotifyfs(crond_t)
189
# need auth_chkpwd to check for locked accounts.
190
auth_domtrans_chk_passwd(crond_t)
192
corecmd_exec_shell(crond_t)
193
corecmd_list_bin(crond_t)
194
corecmd_read_bin_symlinks(crond_t)
196
domain_use_interactive_fds(crond_t)
198
files_read_usr_files(crond_t)
199
files_read_etc_runtime_files(crond_t)
200
files_read_etc_files(crond_t)
201
files_read_generic_spool(crond_t)
202
files_list_usr(crond_t)
203
# Read from /var/spool/cron.
204
files_search_var_lib(crond_t)
205
files_search_default(crond_t)
207
init_rw_utmp(crond_t)
208
init_spec_domtrans_script(crond_t)
210
auth_use_nsswitch(crond_t)
212
logging_send_syslog_msg(crond_t)
214
seutil_read_config(crond_t)
215
seutil_read_default_contexts(crond_t)
216
seutil_sigchld_newrole(crond_t)
218
miscfiles_read_localization(crond_t)
220
userdom_use_unpriv_users_fds(crond_t)
221
# Not sure why this is needed
222
userdom_list_user_home_dirs(crond_t)
224
mta_send_mail(crond_t)
226
ifdef(`distro_debian',`
228
allow crond_t self:process setrlimit;
231
# Debian logcheck has the home dir set to its cache
232
logwatch_search_cache_dir(crond_t)
236
ifdef(`distro_redhat', `
237
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
238
# via redirection of standard out.
240
rpm_manage_log(crond_t)
244
tunable_policy(`fcron_crond', `
245
allow crond_t system_cron_spool_t:file manage_file_perms;
249
locallogin_search_keys(crond_t)
250
locallogin_link_keys(crond_t)
254
amanda_search_var_lib(crond_t)
258
amavis_search_lib(crond_t)
262
hal_dbus_chat(crond_t)
267
munin_search_lib(crond_t)
271
rpc_search_nfs_state_data(crond_t)
275
# Commonly used from postinst scripts
276
rpm_read_pipes(crond_t)
280
# allow crond to find /usr/lib/postgresql/bin/do.maintenance
281
postgresql_search_db(crond_t)
285
udev_read_db(crond_t)
288
########################################
290
# System cron process domain
293
allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
294
allow system_cronjob_t self:process { signal_perms getsched setsched };
295
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
296
allow system_cronjob_t self:passwd rootok;
298
# This is to handle creation of files in /var/log directory.
299
# Used currently by rpm script log files
300
allow system_cronjob_t cron_log_t:file manage_file_perms;
301
logging_log_filetrans(system_cronjob_t, cron_log_t, file)
303
# This is to handle /var/lib/misc directory. Used currently
304
# by prelink var/lib files for cron
305
allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
306
files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
308
allow system_cronjob_t system_cron_spool_t:file read_file_perms;
309
# The entrypoint interface is not used as this is not
310
# a regular entrypoint. Since crontab files are
311
# not directly executed, crond must ensure that
312
# the crontab file has a type that is appropriate
313
# for the domain of the user cron job. It
314
# performs an entrypoint permission check
316
allow system_cronjob_t system_cron_spool_t:file entrypoint;
318
# Permit a transition from the crond_t domain to this domain.
319
# The transition is requested explicitly by the modified crond
320
# via setexeccon. There is no way to set up an automatic
321
# transition, since crontabs are configuration files, not executables.
322
allow crond_t system_cronjob_t:process transition;
323
dontaudit crond_t system_cronjob_t:process { noatsecure siginh rlimitinh };
324
allow crond_t system_cronjob_t:fd use;
325
allow system_cronjob_t crond_t:fd use;
326
allow system_cronjob_t crond_t:fifo_file rw_file_perms;
327
allow system_cronjob_t crond_t:process sigchld;
329
# Write /var/lock/makewhatis.lock.
330
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
331
files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file)
333
# write temporary files
334
manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
335
manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
336
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
337
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
339
# Read from /var/spool/cron.
340
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
341
allow system_cronjob_t cron_spool_t:file read_file_perms;
343
kernel_read_kernel_sysctls(system_cronjob_t)
344
kernel_read_system_state(system_cronjob_t)
345
kernel_read_software_raid_state(system_cronjob_t)
347
# ps does not need to access /boot when run from cron
348
files_dontaudit_search_boot(system_cronjob_t)
350
corecmd_exec_all_executables(system_cronjob_t)
352
corenet_all_recvfrom_unlabeled(system_cronjob_t)
353
corenet_all_recvfrom_netlabel(system_cronjob_t)
354
corenet_tcp_sendrecv_generic_if(system_cronjob_t)
355
corenet_udp_sendrecv_generic_if(system_cronjob_t)
356
corenet_tcp_sendrecv_generic_node(system_cronjob_t)
357
corenet_udp_sendrecv_generic_node(system_cronjob_t)
358
corenet_tcp_sendrecv_all_ports(system_cronjob_t)
359
corenet_udp_sendrecv_all_ports(system_cronjob_t)
361
dev_getattr_all_blk_files(system_cronjob_t)
362
dev_getattr_all_chr_files(system_cronjob_t)
363
dev_read_urand(system_cronjob_t)
365
fs_getattr_all_fs(system_cronjob_t)
366
fs_getattr_all_files(system_cronjob_t)
367
fs_getattr_all_symlinks(system_cronjob_t)
368
fs_getattr_all_pipes(system_cronjob_t)
369
fs_getattr_all_sockets(system_cronjob_t)
371
# quiet other ps operations
372
domain_dontaudit_read_all_domains_state(system_cronjob_t)
374
files_exec_etc_files(system_cronjob_t)
375
files_read_etc_files(system_cronjob_t)
376
files_read_etc_runtime_files(system_cronjob_t)
377
files_list_all(system_cronjob_t)
378
files_getattr_all_dirs(system_cronjob_t)
379
files_getattr_all_files(system_cronjob_t)
380
files_getattr_all_symlinks(system_cronjob_t)
381
files_getattr_all_pipes(system_cronjob_t)
382
files_getattr_all_sockets(system_cronjob_t)
383
files_read_usr_files(system_cronjob_t)
384
files_read_var_files(system_cronjob_t)
386
files_dontaudit_search_pids(system_cronjob_t)
387
# Access other spool directories like
388
# /var/spool/anacron and /var/spool/slrnpull.
389
files_manage_generic_spool(system_cronjob_t)
391
init_use_script_fds(system_cronjob_t)
392
init_read_utmp(system_cronjob_t)
393
init_dontaudit_rw_utmp(system_cronjob_t)
394
# prelink tells init to restart it self, we either need to allow or dontaudit
395
init_telinit(system_cronjob_t)
396
init_domtrans_script(system_cronjob_t)
398
auth_use_nsswitch(system_cronjob_t)
400
libs_exec_lib_files(system_cronjob_t)
401
libs_exec_ld_so(system_cronjob_t)
403
logging_read_generic_logs(system_cronjob_t)
404
logging_send_audit_msgs(system_cronjob_t)
405
logging_send_syslog_msg(system_cronjob_t)
407
miscfiles_read_localization(system_cronjob_t)
408
miscfiles_manage_man_pages(system_cronjob_t)
410
seutil_read_config(system_cronjob_t)
412
ifdef(`distro_redhat', `
413
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
414
# via redirection of standard out.
416
rpm_manage_log(system_cronjob_t)
420
tunable_policy(`cron_can_relabel',`
421
seutil_domtrans_setfiles(system_cronjob_t)
423
selinux_get_fs_mount(system_cronjob_t)
424
selinux_validate_context(system_cronjob_t)
425
selinux_compute_access_vector(system_cronjob_t)
426
selinux_compute_create_context(system_cronjob_t)
427
selinux_compute_relabel_context(system_cronjob_t)
428
selinux_compute_user_contexts(system_cronjob_t)
429
seutil_read_file_contexts(system_cronjob_t)
433
# Needed for certwatch
434
apache_exec_modules(system_cronjob_t)
435
apache_read_config(system_cronjob_t)
436
apache_read_log(system_cronjob_t)
437
apache_read_sys_content(system_cronjob_t)
441
cyrus_manage_data(system_cronjob_t)
445
ftp_read_log(system_cronjob_t)
449
inn_manage_log(system_cronjob_t)
450
inn_manage_pid(system_cronjob_t)
451
inn_read_config(system_cronjob_t)
455
lpd_list_spool(system_cronjob_t)
459
mrtg_append_create_logs(system_cronjob_t)
463
mta_send_mail(system_cronjob_t)
467
mysql_read_config(system_cronjob_t)
471
postfix_read_config(system_cronjob_t)
475
prelink_delete_cache(system_cronjob_t)
476
prelink_manage_lib(system_cronjob_t)
477
prelink_manage_log(system_cronjob_t)
478
prelink_read_cache(system_cronjob_t)
479
prelink_relabelfrom_lib(system_cronjob_t)
483
samba_read_config(system_cronjob_t)
484
samba_read_log(system_cronjob_t)
485
#samba_read_secrets(system_cronjob_t)
489
slocate_create_append_log(system_cronjob_t)
493
spamassassin_manage_lib_files(system_cronjob_t)
497
sysstat_manage_log(system_cronjob_t)
501
unconfined_domain(system_cronjob_t)
502
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
505
########################################
507
# User cronjobs local policy
510
allow cronjob_t self:process { signal_perms setsched };
511
allow cronjob_t self:fifo_file rw_fifo_file_perms;
512
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
513
allow cronjob_t self:unix_dgram_socket create_socket_perms;
515
# The entrypoint interface is not used as this is not
516
# a regular entrypoint. Since crontab files are
517
# not directly executed, crond must ensure that
518
# the crontab file has a type that is appropriate
519
# for the domain of the user cron job. It
520
# performs an entrypoint permission check
522
allow cronjob_t user_cron_spool_t:file entrypoint;
524
# Permit a transition from the crond_t domain to this domain.
525
# The transition is requested explicitly by the modified crond
526
# via setexeccon. There is no way to set up an automatic
527
# transition, since crontabs are configuration files, not executables.
528
allow crond_t cronjob_t:process transition;
529
dontaudit crond_t cronjob_t:process { noatsecure siginh rlimitinh };
530
allow crond_t cronjob_t:fd use;
531
allow cronjob_t crond_t:fd use;
532
allow cronjob_t crond_t:fifo_file rw_file_perms;
533
allow cronjob_t crond_t:process sigchld;
535
kernel_read_system_state(cronjob_t)
536
kernel_read_kernel_sysctls(cronjob_t)
538
# ps does not need to access /boot when run from cron
539
files_dontaudit_search_boot(cronjob_t)
541
corenet_all_recvfrom_unlabeled(cronjob_t)
542
corenet_all_recvfrom_netlabel(cronjob_t)
543
corenet_tcp_sendrecv_generic_if(cronjob_t)
544
corenet_udp_sendrecv_generic_if(cronjob_t)
545
corenet_tcp_sendrecv_generic_node(cronjob_t)
546
corenet_udp_sendrecv_generic_node(cronjob_t)
547
corenet_tcp_sendrecv_all_ports(cronjob_t)
548
corenet_udp_sendrecv_all_ports(cronjob_t)
549
corenet_tcp_connect_all_ports(cronjob_t)
550
corenet_sendrecv_all_client_packets(cronjob_t)
552
dev_read_urand(cronjob_t)
554
fs_getattr_all_fs(cronjob_t)
556
corecmd_exec_all_executables(cronjob_t)
558
# quiet other ps operations
559
domain_dontaudit_read_all_domains_state(cronjob_t)
560
domain_dontaudit_getattr_all_domains(cronjob_t)
562
files_read_usr_files(cronjob_t)
563
files_exec_etc_files(cronjob_t)
565
files_dontaudit_search_pids(cronjob_t)
567
libs_exec_lib_files(cronjob_t)
568
libs_exec_ld_so(cronjob_t)
570
files_read_etc_runtime_files(cronjob_t)
571
files_read_var_files(cronjob_t)
572
files_search_spool(cronjob_t)
574
logging_search_logs(cronjob_t)
576
seutil_read_config(cronjob_t)
578
miscfiles_read_localization(cronjob_t)
580
userdom_manage_user_tmp_files(cronjob_t)
581
userdom_manage_user_tmp_symlinks(cronjob_t)
582
userdom_manage_user_tmp_pipes(cronjob_t)
583
userdom_manage_user_tmp_sockets(cronjob_t)
584
# Run scripts in user home directory and access shared libs.
585
userdom_exec_user_home_content_files(cronjob_t)
586
# Access user files and dirs.
587
userdom_manage_user_home_content_files(cronjob_t)
588
userdom_manage_user_home_content_symlinks(cronjob_t)
589
userdom_manage_user_home_content_pipes(cronjob_t)
590
userdom_manage_user_home_content_sockets(cronjob_t)
591
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
593
list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
594
read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
596
tunable_policy(`fcron_crond', `
597
allow crond_t user_cron_spool_t:file manage_file_perms;
600
# need a per-role version of this:
602
# mono_domtrans(cronjob_t)
606
nis_use_ypbind(cronjob_t)
609
########################################
611
# Unconfined cronjobs local policy
615
# Permit a transition from the crond_t domain to this domain.
616
# The transition is requested explicitly by the modified crond
617
# via setexeccon. There is no way to set up an automatic
618
# transition, since crontabs are configuration files, not executables.
619
allow crond_t unconfined_cronjob_t:process transition;
620
dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
621
allow crond_t unconfined_cronjob_t:fd use;
623
unconfined_domain(unconfined_cronjob_t)