commit: 90affee2271dfbaad7e02781e1c583e886229754
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Thu Sep 28 13:46:14 2023 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct 6 15:30:52 2023 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=90affee2
misc small patches for cron policy (#701)
* Some misc small patches for cron policy
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
* added systemd_dontaudit_connect_machined interface
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
* Remove the line about connecting to tor
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
* remove the dontaudit for connecting to machined
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
* changed to distro_debian
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
* mta: Whitespace changes.
Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
* cron: Move lines.
Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
---------
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Co-authored-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/services/cron.if | 36 ++++++++++++++++++++++++++++++++++++
policy/modules/services/cron.te | 11 +++++++++++
policy/modules/services/mta.te | 7 ++++++-
policy/modules/services/postfix.te | 1 +
policy/modules/system/init.if | 18 ++++++++++++++++++
policy/modules/system/systemd.if | 18 ++++++++++++++++++
6 files changed, 90 insertions(+), 1 deletion(-)
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index 87306cfdb..049b01494 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -755,6 +755,24 @@ interface(`cron_rw_tmp_files',`
allow $1 crond_tmp_t:file rw_file_perms;
')
+########################################
+## <summary>
+## Read and write inherited crond temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_rw_inherited_tmp_files',`
+ gen_require(`
+ type crond_tmp_t;
+ ')
+
+ allow $1 crond_tmp_t:file rw_inherited_file_perms;
+')
+
########################################
## <summary>
## Read system cron job lib files.
@@ -888,6 +906,24 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
dontaudit $1 system_cronjob_tmp_t:file append_file_perms;
')
+########################################
+## <summary>
+## allow appending temporary system cron job files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow.
+## </summary>
+## </param>
+#
+interface(`cron_append_system_job_tmp_files',`
+ gen_require(`
+ type system_cronjob_tmp_t;
+ ')
+
+ allow $1 system_cronjob_tmp_t:file append_file_perms;
+')
+
########################################
## <summary>
## Read and write to inherited system cron job temporary files.
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index b2de6de31..9df1e3060 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -436,6 +436,8 @@ optional_policy(`
systemd_dbus_chat_logind(system_cronjob_t)
systemd_read_journal_files(system_cronjob_t)
systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
+ # for runuser
+ init_search_keys(system_cronjob_t)
# so cron jobs can restart daemons
init_stream_connect(system_cronjob_t)
init_manage_script_service(system_cronjob_t)
@@ -491,6 +493,7 @@ kernel_getattr_message_if(system_cronjob_t)
kernel_read_irq_sysctls(system_cronjob_t)
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_network_state(system_cronjob_t)
+kernel_read_rpc_sysctls(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
kernel_read_software_raid_state(system_cronjob_t)
@@ -535,6 +538,7 @@ files_read_usr_files(system_cronjob_t)
files_read_var_files(system_cronjob_t)
files_dontaudit_search_runtime(system_cronjob_t)
files_manage_generic_spool(system_cronjob_t)
+files_manage_var_lib_dirs(system_cronjob_t)
files_create_boot_flag(system_cronjob_t)
files_read_var_lib_symlinks(system_cronjob_t)
@@ -554,6 +558,7 @@ logging_manage_generic_logs(system_cronjob_t)
logging_send_audit_msgs(system_cronjob_t)
logging_send_syslog_msg(system_cronjob_t)
+miscfiles_read_generic_certs(system_cronjob_t)
miscfiles_read_localization(system_cronjob_t)
seutil_read_config(system_cronjob_t)
@@ -654,6 +659,10 @@ optional_policy(`
mysql_read_config(system_cronjob_t)
')
+optional_policy(`
+ ntp_read_config(system_cronjob_t)
+')
+
optional_policy(`
postfix_read_config(system_cronjob_t)
')
@@ -678,6 +687,8 @@ optional_policy(`
# for gpg-connect-agent to access /run/user/0
userdom_manage_user_runtime_dirs(system_cronjob_t)
+ # for /run/user/0/gnupg
+ userdom_manage_user_tmp_dirs(system_cronjob_t)
')
########################################
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index 8ed3c8480..63c8562ae 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -285,7 +285,12 @@ optional_policy(`
userdom_dontaudit_use_user_ptys(system_mail_t)
optional_policy(`
- cron_dontaudit_append_system_job_tmp_files(system_mail_t)
+ ifdef(`distro_debian',`
+ # anacron on Debian gives empty email if this is not
permitted
+ cron_append_system_job_tmp_files(system_mail_t)
+ ', `
+
cron_dontaudit_append_system_job_tmp_files(system_mail_t)
+ ')
')
')
diff --git a/policy/modules/services/postfix.te
b/policy/modules/services/postfix.te
index 7b158e705..528a84de9 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -652,6 +652,7 @@ optional_policy(`
optional_policy(`
cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
+ cron_use_system_job_fds(postfix_postdrop_t)
')
optional_policy(`
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index daab804c6..d91eadfb5 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -3858,3 +3858,21 @@ interface(`init_getrlimit',`
allow $1 init_t:process getrlimit;
')
+
+########################################
+## <summary>
+## Allow searching init_t keys
+## </summary>
+## <param name="domain">
+## <summary>
+## Source domain
+## </summary>
+## </param>
+#
+interface(`init_search_keys',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:key search;
+')
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 64455eed5..19b2dbd85 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -1517,6 +1517,24 @@ interface(`systemd_connect_machined',`
allow $1 systemd_machined_t:unix_stream_socket connectto;
')
+########################################
+## <summary>
+## dontaudit connecting to /run/systemd/userdb/io.systemd.Machine socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain that can access the socket
+## </summary>
+## </param>
+#
+interface(`systemd_dontaudit_connect_machined',`
+ gen_require(`
+ type systemd_machined_t;
+ ')
+
+ dontaudit $1 systemd_machined_t:unix_stream_socket connectto;
+')
+
########################################
## <summary>
## Send and receive messages from
