* [PATCH] cron trivial
@ 2019-01-06  2:43 Russell Coker
From: Russell Coker @ 2019-01-06  2:43 UTC (permalink / raw)
  To: selinux-refpolicy

Here are the most trivial cron patches I have; I would like to get these in
before discussing the more significant cron patches.


Index: refpolicy-2.20180701/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/cron.te
+++ refpolicy-2.20180701/policy/modules/services/cron.te
@@ -339,6 +339,7 @@ ifdef(`distro_debian',`
 	allow crond_t self:process setrlimit;
 
 	optional_policy(`
+		apt_domtrans(system_cronjob_t)
 		apt_manage_cache(system_cronjob_t)
 		apt_read_db(system_cronjob_t)
 
@@ -437,6 +438,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	init_dbus_chat(crond_t)
 	systemd_dbus_chat_logind(system_cronjob_t)
 	systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
 	# so cron jobs can restart daemons
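Review bot: `init_dbus_chat(crond_t)` is the only rule for crond_t in this optional_policy block; every other line in it concerns system_cronjob_t, and the comment `# so cron jobs can restart daemons` that follows describes those, not the daemon itself. Placing it here also appears to make the crond_t grant depend on whichever module the block is optional on (presumably systemd, given the neighbouring calls), which may or may not be intended. A one-line comment stating why the cron daemon itself needs to exchange D-Bus messages with init would help, e.g. `# crond_t talks to init over dbus for <reason-placeholder>`. The block's closing `')` is outside the hunk.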
@@ -459,7 +461,7 @@ allow system_cronjob_t self:fd use;
 allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
 allow system_cronjob_t self:passwd rootok;
 
-allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+allow system_cronjob_t cron_log_t:file manage_file_perms;
 logging_log_filetrans(system_cronjob_t, cron_log_t, file)
 
 allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
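Review bot: The replacement rule `allow system_cronjob_t cron_log_t:file manage_file_perms;` widens log-file access from append/create/setattr to the full manage set, which also includes write, rename and unlink, so a misbehaving or compromised system cron job can now truncate or delete the cron logs that the previous append-oriented grant protected. The commit message does not say which job needs this; if it is only for the popularity-contest log labelled cron_log_t in the cron.fc hunk, a comment saying so would help, e.g. `# popularity-contest rewrites its log in place rather than appending` (confirm against the job's actual behaviour). Consider whether granting only the extra operation actually needed, rather than the whole manage set, would suffice.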
@@ -491,6 +493,11 @@ allow system_cronjob_t cron_spool_t:file
 
 allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms;
 
+# popcon wants to stat /proc/kmsg and /proc/kcore
+kernel_getattr_core_if(system_cronjob_t)
+kernel_getattr_message_if(system_cronjob_t)
+
+kernel_read_crypto_sysctls(system_cronjob_t)
 kernel_read_kernel_sysctls(system_cronjob_t)
 kernel_read_network_state(system_cronjob_t)
 kernel_read_system_state(system_cronjob_t)
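Review bot: `kernel_read_crypto_sysctls(system_cronjob_t)` is added without the justifying comment that the two getattr lines above it carry, so a later reader cannot tell which job reads the crypto sysctls or whether the grant can be dropped. A comment in the same form as the popcon one, naming the consumer, would make the intent auditable, e.g. `# <job-name placeholder> reads the crypto sysctls under /proc/sys/crypto`.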
@@ -513,6 +520,8 @@ dev_getattr_all_blk_files(system_cronjob
 dev_getattr_all_chr_files(system_cronjob_t)
 dev_read_urand(system_cronjob_t)
 dev_read_sysfs(system_cronjob_t)
+# for checkarray to write to sync_action
+dev_rw_sysfs(system_cronjob_t)
 
 fs_getattr_all_fs(system_cronjob_t)
 fs_getattr_all_files(system_cronjob_t)
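Review bot: `dev_rw_sysfs(system_cronjob_t)` grants read/write to every sysfs_t file, far more than the md `sync_action` node named in the comment; sysfs writes can change kernel and device parameters, so a system cron job with this access can affect much more than RAID checking. The comment should state that scope explicitly, e.g. `# for checkarray to write to sync_action; note this grants write to all of sysfs, not just the md entries`. If no narrower type exists for the md sysfs entries, wrapping the rule in a tunable_policy block would let systems that do not run checkarray leave it off.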
@@ -535,6 +544,7 @@ files_read_var_files(system_cronjob_t)
 files_dontaudit_search_pids(system_cronjob_t)
 files_manage_generic_spool(system_cronjob_t)
 files_create_boot_flag(system_cronjob_t)
+files_read_var_lib_symlinks(system_cronjob_t)
 
 mls_file_read_to_clearance(system_cronjob_t)
 
Index: refpolicy-2.20180701/policy/modules/services/cron.fc
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/cron.fc
+++ refpolicy-2.20180701/policy/modules/services/cron.fc
@@ -26,6 +26,7 @@
 /var/lib/glpi/files(/.*)?	gen_context(system_u:object_r:cron_var_lib_t,s0)
 
 /var/log/cron.*	gen_context(system_u:object_r:cron_log_t,s0)
+/var/log/popularity-contest.*	gen_context(system_u:object_r:cron_log_t,s0)
 /var/log/rpmpkgs.*	--	gen_context(system_u:object_r:cron_log_t,s0)
 
 /run/anacron\.pid	--	gen_context(system_u:object_r:crond_var_run_t,s0)
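Review bot: The new `/var/log/popularity-contest.*` entry has no file-type qualifier, while the neighbouring `/var/log/rpmpkgs.*` line uses `--` to restrict the label to regular files; if popularity-contest writes only plain files, `/var/log/popularity-contest.*	--	gen_context(system_u:object_r:cron_log_t,s0)` keeps a directory or symlink of that name from receiving the log label. Note that this label, together with the cron.te hunk that extends cron_log_t file access to manage_file_perms, gives system cron jobs write and unlink access to this log.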
