[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

Fri, 31 Jul 2015 07:16:40 -0700 

commit:     668db9970fcfe4c20ba9619272799c3dd258fce0
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Jul 16 13:09:44 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jul 30 16:41:33 2015 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=668db997

Introduce cron_admin interface

 policy/modules/contrib/cron.if | 53 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)

diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if
index 868d89f..3925811 100644
--- a/policy/modules/contrib/cron.if
+++ b/policy/modules/contrib/cron.if
@@ -835,3 +835,56 @@ interface(`cron_dontaudit_write_system_job_tmp_files',`
 
        dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
 ')
+
+########################################
+## <summary>
+##     All of the rules required to
+##     administrate a cron environment.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     Role allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cron_admin',`
+       gen_require(`
+               type crond_t, cronjob_t, crond_initrc_exec_t;
+               type cron_var_lib_t, system_cronjob_var_lib_t;
+               type crond_tmp_t, admin_crontab_tmp_t;
+               type crontab_tmp_t, system_cronjob_tmp_t;
+               type cron_var_run_t, system_cronjob_var_run_t, crond_var_run_t;
+               type cron_log_t, system_cronjob_lock_t, user_cron_spool_log_t;
+               attribute cron_spool_type;
+       ')
+
+       allow $1 { crond_t cronjob_t }:process { ptrace signal_perms };
+       ps_process_pattern($1, { crond_t cronjob_t })
+
+       init_startstop_service($1, $2, crond_t, crond_initrc_exec_t)
+
+       files_search_var_lib($1)
+       admin_pattern($1, { cron_var_lib_t system_cronjob_var_lib_t })
+
+       files_search_tmp($1)
+       admin_pattern($1, { crond_tmp_t admin_crontab_tmp_t })
+       admin_pattern($1, { crontab_tmp_t system_cronjob_tmp_t })
+
+       files_search_pids($1)
+       admin_pattern($1, { cron_var_run_t crond_var_run_t 
system_cronjob_var_run_t })
+
+       files_search_locks($1)
+       admin_pattern($1, system_cronjob_lock_t)
+
+       logging_search_logs($1)
+       admin_pattern($1, { cron_log_t user_cron_spool_log_t })
+
+       files_search_spool($1)
+       admin_pattern($1, cron_spool_type)
+')

Reply via email to