commit: 90affee2271dfbaad7e02781e1c583e886229754 Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au> AuthorDate: Thu Sep 28 13:46:14 2023 +0000 Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org> CommitDate: Fri Oct 6 15:30:52 2023 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=90affee2
misc small patches for cron policy (#701)
* Some misc small patches for cron policy
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
* added systemd_dontaudit_connect_machined interface
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
* Remove the line about connecting to tor
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
* remove the dontaudit for connecting to machined
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
* changed to distro_debian
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
* mta: Whitespace changes.
Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
* cron: Move lines.
Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
---------
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Co-authored-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/services/cron.if | 36 ++++++++++++++++++++++++++++++++++++
policy/modules/services/cron.te | 11 +++++++++++
policy/modules/services/mta.te | 7 ++++++-
policy/modules/services/postfix.te | 1 +
policy/modules/system/init.if | 18 ++++++++++++++++++
policy/modules/system/systemd.if | 18 ++++++++++++++++++
6 files changed, 90 insertions(+), 1 deletion(-)
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index 87306cfdb..049b01494 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -755,6 +755,24 @@ interface(`cron_rw_tmp_files',`
 allow $1 crond_tmp_t:file rw_file_perms;
 ')
 
+########################################
+## <summary>
+## Read and write inherited crond temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_rw_inherited_tmp_files',`
+ gen_require(`
+ type crond_tmp_t;
+ ')
+
+ allow $1 crond_tmp_t:file rw_inherited_file_perms;
+')
+
 ########################################
 ## <summary>
 ## Read system cron job lib files.
@@ -888,6 +906,24 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
 dontaudit $1 system_cronjob_tmp_t:file append_file_perms;
 ')
 
+########################################
+## <summary>
+## allow appending temporary system cron job files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow.
+## </summary>
+## </param>
+#
+interface(`cron_append_system_job_tmp_files',`
+ gen_require(`
+ type system_cronjob_tmp_t;
+ ')
+
+ allow $1 system_cronjob_tmp_t:file append_file_perms;
+')
+
 ########################################
 ## <summary>
 ## Read and write to inherited system cron job temporary files.
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index b2de6de31..9df1e3060 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -436,6 +436,8 @@ optional_policy(`
 systemd_dbus_chat_logind(system_cronjob_t)
 systemd_read_journal_files(system_cronjob_t)
 systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
+ # for runuser
+ init_search_keys(system_cronjob_t)
 # so cron jobs can restart daemons
 init_stream_connect(system_cronjob_t)
 init_manage_script_service(system_cronjob_t)
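Review bot: `cron_rw_inherited_tmp_files` is declared in this hunk but nothing else in the commit calls it, so it lands as an unused interface; the same appears to hold for `systemd_dontaudit_connect_machined` in systemd.if, whose only use the commit message says was taken out again ("remove the dontaudit for connecting to machined"). If no caller is intended, dropping both keeps the interface surface honest; if a later commit is meant to use them, say so in the description. The rule itself is appropriately narrow — as I read refpolicy's permission sets, `rw_inherited_file_perms` carries no `open`, so a caller can only use descriptors it was handed — and the summary could make that explicit: `## Read and write crond temporary files received as inherited file descriptors (no open).`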
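Review bot: The `<summary>` of `cron_append_system_job_tmp_files` reads `allow appending temporary system cron job files.`, lowercase and phrased as a rule rather than an action, unlike the sibling interfaces in this file (`Read and write inherited crond temporary files.`); `## Append system cron job temporary files.` matches them. Likewise the parameter text `Domain to allow.` differs from `Domain allowed access.` used by the other interface added to this file in the same commit; using the same wording keeps the generated interface docs uniform.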
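Review bot: The `# for runuser` comment above `init_search_keys(system_cronjob_t)` names the program that produced the denial but not what it does with init's keyring, which is what a later reviewer needs in order to judge whether `search` on `init_t:key` is still required. A fuller line such as `# runuser searches the keyring inherited from init (search only, no read)` would do; the page only shows that runuser triggered it, so confirm the mechanism before settling the wording. The permission granted is the narrow one (search, not read or view), which looks like the right scope.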
@@ -491,6 +493,7 @@ kernel_getattr_message_if(system_cronjob_t)
 kernel_read_irq_sysctls(system_cronjob_t)
 kernel_read_kernel_sysctls(system_cronjob_t)
 kernel_read_network_state(system_cronjob_t)
+kernel_read_rpc_sysctls(system_cronjob_t)
 kernel_read_system_state(system_cronjob_t)
 kernel_read_software_raid_state(system_cronjob_t)
 
@@ -535,6 +538,7 @@ files_read_usr_files(system_cronjob_t)
 files_read_var_files(system_cronjob_t)
 files_dontaudit_search_runtime(system_cronjob_t)
 files_manage_generic_spool(system_cronjob_t)
+files_manage_var_lib_dirs(system_cronjob_t)
 files_create_boot_flag(system_cronjob_t)
 files_read_var_lib_symlinks(system_cronjob_t)
 
@@ -554,6 +558,7 @@ logging_manage_generic_logs(system_cronjob_t)
 logging_send_audit_msgs(system_cronjob_t)
 logging_send_syslog_msg(system_cronjob_t)
 
+miscfiles_read_generic_certs(system_cronjob_t)
 miscfiles_read_localization(system_cronjob_t)
 
 seutil_read_config(system_cronjob_t)
@@ -654,6 +659,10 @@ optional_policy(`
 mysql_read_config(system_cronjob_t)
 ')
 
+optional_policy(`
+ ntp_read_config(system_cronjob_t)
+')
+
 optional_policy(`
 postfix_read_config(system_cronjob_t)
 ')
@@ -678,6 +687,8 @@ optional_policy(`
 
 # for gpg-connect-agent to access /run/user/0
 userdom_manage_user_runtime_dirs(system_cronjob_t)
+ # for /run/user/0/gnupg
+ userdom_manage_user_tmp_dirs(system_cronjob_t)
 ')
 
 ########################################
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index 8ed3c8480..63c8562ae 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -285,7 +285,12 @@ optional_policy(`
 userdom_dontaudit_use_user_ptys(system_mail_t)
 
 optional_policy(`
- cron_dontaudit_append_system_job_tmp_files(system_mail_t)
+ ifdef(`distro_debian',`
+ # anacron on Debian gives empty email if this is not permitted
+ cron_append_system_job_tmp_files(system_mail_t)
+ ', `
+ cron_dontaudit_append_system_job_tmp_files(system_mail_t)
+ ')
 ')
 ')
 
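Review bot: `kernel_read_rpc_sysctls(system_cronjob_t)` is added without a comment saying which cron job needs it, and the same holds for `miscfiles_read_generic_certs` and the new `ntp_read_config` block in the later hunks of this file, whereas the `init_search_keys` and `userdom_manage_user_tmp_dirs` additions in the same commit do carry a `# for …` line. `system_cronjob_t` is a broad and highly privileged domain, so each widening should name its trigger so the rule can be reviewed for removal later, e.g. `# for <job name>: reads sunrpc sysctls` above the rpc line, with the placeholder filled in from the denial that prompted it.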
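Review bot: `files_manage_var_lib_dirs(system_cronjob_t)` grants create, delete and rename on every directory labelled `var_lib_t`, i.e. the generic top of /var/lib and anything beneath it without a more specific type; that is a considerably wider grant than the other additions in this commit and it carries no comment saying which job needs it. If one job creates a directory under /var/lib, the usual refpolicy pattern is a dedicated type for that directory plus a `files_var_lib_filetrans` rule for the job's domain, rather than manage rights on the generic type. At minimum add `# for <job>: creates <dir> under /var/lib` (placeholders to be filled in) so the grant can be revisited.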
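Review bot: The Debian branch grants `cron_append_system_job_tmp_files(system_mail_t)`, whose `append_file_perms` set includes `open` as far as I know refpolicy's permission sets, so `system_mail_t` may open any `system_cronjob_tmp_t` file for append rather than only write to the output file anacron hands it; the comment describes the inherited-descriptor case (empty mail otherwise), which needs `append` but not `open`. An inherited-only interface would match the stated need — the page shows `cron_rw_inherited_system_job_tmp_files` already exists in cron.if, but that adds read and write, so an append-only inherited variant would be the tight fit; confirm from the denial whether `open` is actually requested before choosing. Style nit: the else separator is written with a space (`', ` before the opening backquote) where refpolicy convention has none.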
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 7b158e705..528a84de9 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -652,6 +652,7 @@ optional_policy(`
 
 optional_policy(`
 cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
+ cron_use_system_job_fds(postfix_postdrop_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index daab804c6..d91eadfb5 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -3858,3 +3858,21 @@ interface(`init_getrlimit',`
 
 allow $1 init_t:process getrlimit;
 ')
+
+########################################
+## <summary>
+## Allow searching init_t keys
+## </summary>
+## <param name="domain">
+## <summary>
+## Source domain
+## </summary>
+## </param>
+#
+interface(`init_search_keys',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:key search;
+')
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 64455eed5..19b2dbd85 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -1517,6 +1517,24 @@ interface(`systemd_connect_machined',`
 allow $1 systemd_machined_t:unix_stream_socket connectto;
 ')
 
+########################################
+## <summary>
+## dontaudit connecting to /run/systemd/userdb/io.systemd.Machine socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain that can access the socket
+## </summary>
+## </param>
+#
+interface(`systemd_dontaudit_connect_machined',`
+ gen_require(`
+ type systemd_machined_t;
+ ')
+
+ dontaudit $1 systemd_machined_t:unix_stream_socket connectto;
+')
+
 ########################################
 ## <summary>
 ## Send and receive messages from
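Review bot: `cron_use_system_job_fds(postfix_postdrop_t)` is added with no comment; `cron_system_entry` on the line above already makes postdrop a domain that system cron jobs transition into, so this presumably covers descriptors postdrop inherits from the job (stdout/stderr or the message pipe) — confirm from the denial and record it, e.g. `# postdrop inherits stdout/stderr fds from the cron job`. The commit description also does not mention the postfix change at all; a one-line bullet would help anyone bisecting later.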
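Review bot: The doc strings of `init_search_keys` (`Allow searching init_t keys`, `Source domain`) expose the type name and differ from the wording used by the other interfaces added in this commit (`Domain allowed access.`); `## Search the init keyring.` and `## Domain allowed access.` would match. The rule is the narrow one — `search` only on `init_t:key`, no `read` or `view` — which is the right scope for letting a caller locate keys without reading them, and that is worth one line in the summary so nobody later "completes" it to full key access.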