From: Russell Coker <russell@coker.com.au>
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH cron 1/2] stem
Date: Mon, 7 Jan 2019 14:04:02 +1100 [thread overview]
Message-ID: <20190107030402.GA29392@xev> (raw)
This patch makes the parameter the stem of the user role (EG "user") instead
of the user domain (EG "user_t") the parameter. Separate from the next patch
to make things easier to understand.
Index: refpolicy-2.20180701/policy/modules/services/cron.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/cron.if
+++ refpolicy-2.20180701/policy/modules/services/cron.if
@@ -51,15 +51,16 @@ template(`cron_common_crontab_template',
## </param>
## <param name="domain">
## <summary>
-## User domain for the role.
+## stem of domain for the role.
## </summary>
## </param>
## <rolecap/>
#
interface(`cron_role',`
gen_require(`
- type cronjob_t, crontab_t, crontab_exec_t;
- type user_cron_spool_t, crond_t;
+ type cronjob_t;
+ type crontab_exec_t, crond_t;
+ type crontab_t, user_cron_spool_t;
bool cron_userdomain_transition;
')
@@ -68,47 +69,48 @@ interface(`cron_role',`
# Declarations
#
- role $1 types { cronjob_t crontab_t };
+ role $1 types { cronjob_t };
+ role $1 types { crontab_t };
##############################
#
# Local policy
#
- domtrans_pattern($2, crontab_exec_t, crontab_t)
+ domtrans_pattern($2_t, crontab_exec_t, crontab_t)
- dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
- allow $2 crond_t:process sigchld;
+ dontaudit crond_t $2_t:process { noatsecure siginh rlimitinh };
+ allow $2_t crond_t:process sigchld;
- allow $2 user_cron_spool_t:file { getattr read write ioctl };
+ allow $2_t user_cron_spool_t:file { getattr read write ioctl };
- allow $2 crontab_t:process { ptrace signal_perms };
- ps_process_pattern($2, crontab_t)
+ allow $2_t crontab_t:process { ptrace signal_perms };
+ ps_process_pattern($2_t, crontab_t)
corecmd_exec_bin(crontab_t)
corecmd_exec_shell(crontab_t)
tunable_policy(`cron_userdomain_transition',`
- allow crond_t $2:process transition;
- allow crond_t $2:fd use;
- allow crond_t $2:key manage_key_perms;
+ allow crond_t $2_t:process transition;
+ allow crond_t $2_t:fd use;
+ allow crond_t $2_t:key manage_key_perms;
- allow $2 user_cron_spool_t:file entrypoint;
+ allow $2_t user_cron_spool_t:file entrypoint;
- allow $2 crond_t:fifo_file rw_fifo_file_perms;
+ allow $2_t crond_t:fifo_file rw_fifo_file_perms;
- allow $2 cronjob_t:process { ptrace signal_perms };
- ps_process_pattern($2, cronjob_t)
+ allow $2_t cronjob_t:process { ptrace signal_perms };
+ ps_process_pattern($2_t, cronjob_t)
',`
- dontaudit crond_t $2:process transition;
- dontaudit crond_t $2:fd use;
- dontaudit crond_t $2:key manage_key_perms;
+ dontaudit crond_t $2_t:process transition;
+ dontaudit crond_t $2_t:fd use;
+ dontaudit crond_t $2_t:key manage_key_perms;
- dontaudit $2 user_cron_spool_t:file entrypoint;
+ dontaudit $2_t user_cron_spool_t:file entrypoint;
- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+ dontaudit $2_t crond_t:fifo_file rw_fifo_file_perms;
- dontaudit $2 cronjob_t:process { ptrace signal_perms };
+ dontaudit $2_t cronjob_t:process { ptrace signal_perms };
')
optional_policy(`
@@ -118,7 +120,7 @@ interface(`cron_role',`
dbus_stub(cronjob_t)
- allow cronjob_t $2:dbus send_msg;
+ allow cronjob_t $2_t:dbus send_msg;
')
')
Index: refpolicy-2.20180701/policy/modules/roles/staff.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/roles/staff.te
+++ refpolicy-2.20180701/policy/modules/roles/staff.te
@@ -82,7 +82,7 @@ ifndef(`distro_redhat',`
')
optional_policy(`
- cron_role(staff_r, staff_t)
+ cron_role(staff_r, staff)
')
optional_policy(`
Index: refpolicy-2.20180701/policy/modules/roles/unprivuser.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/roles/unprivuser.te
+++ refpolicy-2.20180701/policy/modules/roles/unprivuser.te
@@ -50,7 +50,7 @@ ifndef(`distro_redhat',`
')
optional_policy(`
- cron_role(user_r, user_t)
+ cron_role(user_r, user)
')
optional_policy(`
Index: refpolicy-2.20180701/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/unconfined.te
+++ refpolicy-2.20180701/policy/modules/system/unconfined.te
@@ -82,7 +82,7 @@ optional_policy(`
')
optional_policy(`
- cron_unconfined_role(unconfined_r, unconfined_t)
+ cron_role(unconfined_r, unconfined)
')
optional_policy(`
reply other threads:[~2019-01-07 3:04 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190107030402.GA29392@xev \
--to=russell@coker.com.au \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.