* [PATCH] cron trivial
@ 2019-01-06 2:43 Russell Coker
From: Russell Coker @ 2019-01-06 2:43 UTC (permalink / raw)
To: selinux-refpolicy
Here are the most trivial cron patches I have; I would like to get these in
before discussing the more significant cron patches.
Index: refpolicy-2.20180701/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/cron.te
+++ refpolicy-2.20180701/policy/modules/services/cron.te
@@ -339,6 +339,7 @@ ifdef(`distro_debian',`
allow crond_t self:process setrlimit;
optional_policy(`
+ apt_domtrans(system_cronjob_t)
apt_manage_cache(system_cronjob_t)
apt_read_db(system_cronjob_t)
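Review bot: `apt_domtrans(system_cronjob_t)` is the one new grant in this patch with no comment saying which job needs it, while the later popcon and checkarray additions do carry one; it lets any system cron job run apt in apt_t, which is broader than the cache and db access already beside it. Presumably the Debian daily apt cron job is the caller, so a line such as `# the daily apt cron job runs apt` above it would save the next reader from guessing. Since this sits inside the distro_debian block (per the hunk header), the grant only applies to Debian builds, which looks like the right scope.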
@@ -437,6 +438,7 @@ optional_policy(`
')
optional_policy(`
+ init_dbus_chat(crond_t)
systemd_dbus_chat_logind(system_cronjob_t)
systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
# so cron jobs can restart daemons
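Review bot: `init_dbus_chat(crond_t)` grants bidirectional D-Bus messaging between the cron daemon and init, inside an optional_policy block whose other rules are about system_cronjob_t talking to logind, and nothing says what crond_t itself needs to exchange with PID 1. If this is for pam_systemd session setup, the logind interface on the next line is the usual one, so please record the actual denial being fixed in a comment such as `# crond exchanges dbus messages with systemd for <reason>`. Without that, a reader cannot tell whether the daemon really needs this or whether a cron job's access has drifted into the daemon's domain.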
@@ -459,7 +461,7 @@ allow system_cronjob_t self:fd use;
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;
-allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+allow system_cronjob_t cron_log_t:file manage_file_perms;
logging_log_filetrans(system_cronjob_t, cron_log_t, file)
allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
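Review bot: Replacing `{ append_file_perms create_file_perms setattr_file_perms }` with `manage_file_perms` on cron_log_t drops the append-only property of cron's logs: system_cronjob_t can now read, truncate, unlink and rename /var/log/cron.* and every other cron_log_t file rather than only append to them. If the motivation is the popularity-contest log that the cron.fc hunk labels cron_log_t (popcon appears to rewrite its log instead of appending), consider keeping the old rule for cron_log_t and giving popcon's log its own type, or at least state why the widening is acceptable in a comment such as `# popcon rewrites its log in place, so full management of cron_log_t is required`. system_cronjob_t is already a highly privileged domain, so the practical exposure is limited, but log integrity against a misbehaving cron job is the one property the old rule provided.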
@@ -491,6 +493,11 @@ allow system_cronjob_t cron_spool_t:file
allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms;
+# popcon wants to stat /proc/kmsg and /proc/kcore
+kernel_getattr_core_if(system_cronjob_t)
+kernel_getattr_message_if(system_cronjob_t)
+
+kernel_read_crypto_sysctls(system_cronjob_t)
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_network_state(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
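Review bot: `kernel_read_crypto_sysctls(system_cronjob_t)` is added without the per-job comment the two popcon lines above it carry, so it is not clear which cron job reads /proc/sys/crypto; a one-line comment naming it, e.g. `# <job> reads /proc/sys/crypto` with the job filled in, would keep this hunk self-explaining. The popcon additions themselves are appropriately narrow, granting only getattr on kmsg and kcore rather than read.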
@@ -513,6 +520,8 @@ dev_getattr_all_blk_files(system_cronjob
dev_getattr_all_chr_files(system_cronjob_t)
dev_read_urand(system_cronjob_t)
dev_read_sysfs(system_cronjob_t)
+# for checkarray to write to sync_action
+dev_rw_sysfs(system_cronjob_t)
fs_getattr_all_fs(system_cronjob_t)
fs_getattr_all_files(system_cronjob_t)
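Review bot: `dev_rw_sysfs(system_cronjob_t)` grants write access to all of sysfs for the sake of one attribute, /sys/block/md*/md/sync_action, so every system cron job can now write any sysfs file (device power states, module parameters and the like) rather than just trigger a RAID check. If checkarray writes sync_action itself rather than through mdadm, there may be no narrower sysfs interface available, but the comment should say so explicitly, e.g. `# checkarray writes /sys/block/*/md/sync_action; no narrower sysfs write interface exists, so this grants rw on all of sysfs`. With the rw interface in place, the `dev_read_sysfs(system_cronjob_t)` line just above is presumably subsumed and could be dropped to avoid a duplicate grant.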
@@ -535,6 +544,7 @@ files_read_var_files(system_cronjob_t)
files_dontaudit_search_pids(system_cronjob_t)
files_manage_generic_spool(system_cronjob_t)
files_create_boot_flag(system_cronjob_t)
+files_read_var_lib_symlinks(system_cronjob_t)
mls_file_read_to_clearance(system_cronjob_t)
Index: refpolicy-2.20180701/policy/modules/services/cron.fc
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/cron.fc
+++ refpolicy-2.20180701/policy/modules/services/cron.fc
@@ -26,6 +26,7 @@
/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0)
+/var/log/popularity-contest.* gen_context(system_u:object_r:cron_log_t,s0)
/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
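Review bot: The new `/var/log/popularity-contest.*` entry has no file-type qualifier, while the adjacent rpmpkgs entry uses `--` to restrict itself to regular files; unless popcon creates directories or other object types under that name, `/var/log/popularity-contest.* -- gen_context(system_u:object_r:cron_log_t,s0)` is the tighter spec. Labeling the popcon log as cron_log_t also couples it to whatever cron.te allows on cron_log_t, so the two should be reviewed together.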