From: Jason Zaman
To: selinux-refpolicy@vger.kernel.org
Cc: Jason Zaman
Subject: [PATCH 04/10] cron: watch cron spool
Date: Sun, 16 Feb 2020 16:54:16 +0800
Message-Id: <20200216085422.36530-4-jason@perfinion.com>
In-Reply-To: <20200216085422.36530-1-jason@perfinion.com>
References: <20200216085422.36530-1-jason@perfinion.com>
From: Jason Zaman avc: denied { watch } for pid=7402 comm="crond" path="/var/spool/cron/crontabs" dev="zfs" ino=7627 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_spool_t:s0 tclass=dir permissive=0 avc: denied { watch } for pid=7402 comm="crond" path="/etc/cron.d" dev="zfs" ino=60131 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=dir permissive=0 avc: denied { watch } for pid=7402 comm="crond" path="/etc/crontab" dev="zfs" ino=1749860 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file permissive=0 --- policy/modules/services/cron.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te index 46b64016..dbbd9dbf 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -228,6 +228,7 @@ manage_files_pattern(crond_t, crond_runtime_t, crond_runtime_t) files_pid_filetrans(crond_t, crond_runtime_t, file) manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) +allow crond_t cron_spool_t:dir watch; manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t) manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t) @@ -235,10 +236,13 @@ files_tmp_filetrans(crond_t, crond_tmp_t, { dir file }) list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) +allow crond_t system_cron_spool_t:dir watch; +allow crond_t system_cron_spool_t:file watch; rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) +allow crond_t user_cron_spool_t:dir watch; manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t) -- 2.24.1
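Review bot: In the first hunk (@@ -228), `allow crond_t cron_spool_t:dir watch;` matches the logged denial on /var/spool/cron/crontabs (tclass=dir, tcontext=cron_spool_t), but the commit message consists only of raw AVC lines; one sentence saying what in crond triggers the watch (which cron implementation now monitors its spool for changes) and that the `watch` permission only delivers change notifications and does not open a new write path to the spool would let a reviewer judge the rule without re-deriving it from the denials. Note also that only a dir watch is granted for cron_spool_t while the second hunk grants both dir and file watch for system_cron_spool_t; if the file-level denial was simply not observed for cron_spool_t, say so in the message so the asymmetry is clearly intentional.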
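Review bot: In the second hunk (@@ -235), `allow crond_t user_cron_spool_t:dir watch;` has no corresponding denial in the commit message: the three AVC lines cover cron_spool_t (dir), system_cron_spool_t (dir) and system_cron_spool_t (file) only. Either add the observed user_cron_spool_t denial to the message or state that the rule is added pre-emptively, so a later reader can tell a deliberate extra permission from a copy-paste. The two system_cron_spool_t lines are backed by the /etc/cron.d (dir) and /etc/crontab (file) denials, and placing the explicit `allow` rules after the pattern macros follows the surrounding refpolicy style, so no change is needed there.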