[refpolicy] [PATCH 1/1] Cronjobs might create temporary directories

[refpolicy] [PATCH 1/1] Cronjobs might create temporary directories

[Sven Vermeulen]

Cronjobs, like makewhatis, want to create temporary directories
(and not only just temporary files).

We allow a filetrans in tmp_t for directories as well, and allow
system_cronjob_t to manage files and directories of
system_cronjob_tmp_t.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 cron.te |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/cron.te b/cron.te
index f22d27c..07e2697 100644
--- a/cron.te
+++ b/cron.te
@@ -334,11 +334,13 @@ allow system_cronjob_t crond_t:process sigchld;
 allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
 files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file)
 
-# write temporary files
+# write temporary files/directories
 manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+manage_files_pattern(system_cronjob_t, system_cronjob_tmp_t, system_cronjob_tmp_t)
+manage_dirs_pattern(system_cronjob_t, system_cronjob_tmp_t, system_cronjob_tmp_t)
 manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
 filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
-files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
+files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir })
 
 # Read from /var/spool/cron.
 allow system_cronjob_t cron_spool_t:dir list_dir_perms;
-- 
1.7.3.4

[refpolicy] [PATCH 1/1] Cronjobs might create temporary directories

[Dominick Grift]

On Wed, 2011-09-21 at 21:23 +0200, Sven Vermeulen wrote:
> Cronjobs, like makewhatis, want to create temporary directories
> (and not only just temporary files).

system_cronjob_t is a unconfined_domain(), did you disable or de-install
the unconfined module?

Although allowing this for system_cronjob_t makes sense to me, it does
make me wonder whether its better to just make the makewhatis and other
known scripts cron_system_entry() instead.

Some of these scripts need a lot of specific access (for example
prelink), extending the system-cronjob domain to just allow all that
makes it a very permissive domain. Oh wait, it is a unconfined domain
already ;)

But in any case allowing generic system jobs to manage temporary system
job content makes sense to me.

> We allow a filetrans in tmp_t for directories as well, and allow
> system_cronjob_t to manage files and directories of
> system_cronjob_tmp_t.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  cron.te |    6 ++++--
>  1 files changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/cron.te b/cron.te
> index f22d27c..07e2697 100644
> --- a/cron.te
> +++ b/cron.te
> @@ -334,11 +334,13 @@ allow system_cronjob_t crond_t:process sigchld;
>  allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
>  files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file)
>  
> -# write temporary files
> +# write temporary files/directories
>  manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
> +manage_files_pattern(system_cronjob_t, system_cronjob_tmp_t, system_cronjob_tmp_t)
> +manage_dirs_pattern(system_cronjob_t, system_cronjob_tmp_t, system_cronjob_tmp_t)
>  manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
>  filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
> -files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
> +files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir })
>  
>  # Read from /var/spool/cron.
>  allow system_cronjob_t cron_spool_t:dir list_dir_perms;

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110921/544de97f/attachment.bin 

[refpolicy] [PATCH 1/1] Cronjobs might create temporary directories

[Sven Vermeulen]

On Wed, Sep 21, 2011 at 10:25:11PM +0200, Dominick Grift wrote:
> On Wed, 2011-09-21 at 21:23 +0200, Sven Vermeulen wrote:
> > Cronjobs, like makewhatis, want to create temporary directories
> > (and not only just temporary files).
> 
> system_cronjob_t is a unconfined_domain(), did you disable or de-install
> the unconfined module?

Yup, in Gentoo we support "strict" (i.e. without the unconfined domain) for
servers and hope that this moves to workstations as well.

> Although allowing this for system_cronjob_t makes sense to me, it does
> make me wonder whether its better to just make the makewhatis and other
> known scripts cron_system_entry() instead.

In that case, makewhatis would require its own domain, and perhaps all other
scripts that want to create a temporary directory. I think that might give
too much overhead, although I do feel this is necessary in case of your next
paragraph:

> Some of these scripts need a lot of specific access (for example
> prelink), extending the system-cronjob domain to just allow all that
> makes it a very permissive domain. Oh wait, it is a unconfined domain
> already ;)

Indeed. It's about finding a good balance between manageability and security
I guess.

Wkr,
	Sven Vermeulen

[refpolicy] [PATCH 1/1] Cronjobs might create temporary directories

[Dominick Grift]

On Thu, 2011-09-22 at 08:04 +0200, Sven Vermeulen wrote:
> On Wed, Sep 21, 2011 at 10:25:11PM +0200, Dominick Grift wrote:
> > On Wed, 2011-09-21 at 21:23 +0200, Sven Vermeulen wrote:
> > > Cronjobs, like makewhatis, want to create temporary directories
> > > (and not only just temporary files).
> > 
> > system_cronjob_t is a unconfined_domain(), did you disable or de-install
> > the unconfined module?
> 
> Yup, in Gentoo we support "strict" (i.e. without the unconfined domain) for
> servers and hope that this moves to workstations as well.
> 
> > Although allowing this for system_cronjob_t makes sense to me, it does
> > make me wonder whether its better to just make the makewhatis and other
> > known scripts cron_system_entry() instead.
> 
> In that case, makewhatis would require its own domain, and perhaps all other
> scripts that want to create a temporary directory. I think that might give
> too much overhead, although I do feel this is necessary in case of your next
> paragraph:
> 
> > Some of these scripts need a lot of specific access (for example
> > prelink), extending the system-cronjob domain to just allow all that
> > makes it a very permissive domain. Oh wait, it is a unconfined domain
> > already ;)
> 
> Indeed. It's about finding a good balance between manageability and security
> I guess.

I kind of compare the system_gronjob_t to httpd_sys_script_t in a few
ways. A thing to consider with regard to these generic domains is the
fact that various processes may run in it, thus share resources (types).
So in theory things can escalate inside these generic domains.

In the case of httpd, we use the apache_content_template where that
makes sense. My opinion is that we should do the same for
system_cronjob_t versus cron_system_entry.

Although that is just my view, and looking at the current cron policy i
can see that this concept is currently not applied there.

In Fedora for example, we have prelink running  in a prelink cron script
domain using the cron_system_entry but in refpolicy that same prelink
cron script runs in the system_cronjob_t domain (i can see that from the
various calls in cron.te)

In my view system_cronjob_t should be just a fall back, just like the
httpd_sys_script_t domain in my view is kind of a faill back for httpd
cgi scripts.

> Wkr,
> 	Sven Vermeulen
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110922/a643d0e2/attachment.bin 

[refpolicy] [PATCH 1/1] Cronjobs might create temporary directories

[Sven Vermeulen]

On Thu, Sep 22, 2011 at 09:54:25AM +0200, Dominick Grift wrote:
> I kind of compare the system_gronjob_t to httpd_sys_script_t in a few
> ways. A thing to consider with regard to these generic domains is the
> fact that various processes may run in it, thus share resources (types).
> So in theory things can escalate inside these generic domains.
> 
> In the case of httpd, we use the apache_content_template where that
> makes sense. My opinion is that we should do the same for
> system_cronjob_t versus cron_system_entry.

Looking at the privileges that I would need to grant that are specific to
cron, I do not find many to put in such template mechanism for now (unlike
for apache, where the definition is used to differentiate between
readable/read-writeable files, scriptable types (for things like PHP), and
access to common HTTPd types...

If the system_cronjob_t domain is seen more like a "jump board" towards the
application specific domains, I don't mind creating a makewhatis policy
module and work from there onwards.

> Although that is just my view, and looking at the current cron policy i
> can see that this concept is currently not applied there.
> 
> In Fedora for example, we have prelink running  in a prelink cron script
> domain using the cron_system_entry but in refpolicy that same prelink
> cron script runs in the system_cronjob_t domain (i can see that from the
> various calls in cron.te

It looks like fedora supports both, as I find cron_system_entry() usage for
both prelink_t and prelink_cron_system_t.

Wkr,
	Sven Vermeulen

[refpolicy] [PATCH 1/1] Cronjobs might create temporary directories

[Sven Vermeulen]

On Thu, Sep 22, 2011 at 08:42:51PM +0200, Sven Vermeulen wrote:
> If the system_cronjob_t domain is seen more like a "jump board" towards the
> application specific domains, I don't mind creating a makewhatis policy
> module and work from there onwards.

Giving the fact that the policy will probably read and write man_t together
with the usual suspects (_exec, _domtrans), is it okay to suggest a patch for
the miscfiles module? Or would you rather see an independent module?

I don't think I need to offer a _run or _role interface, since transitioning
from sysadm_t wouldn't be necessary. Or is it better to do that anyway?

Wkr,	
	Sven Vermeulen

[refpolicy] [PATCH 1/1] Cronjobs might create temporary directories

[Dominick Grift]

On Fri, 2011-09-23 at 21:11 +0200, Sven Vermeulen wrote:
> On Thu, Sep 22, 2011 at 08:42:51PM +0200, Sven Vermeulen wrote:
> > If the system_cronjob_t domain is seen more like a "jump board" towards the
> > application specific domains, I don't mind creating a makewhatis policy
> > module and work from there onwards.
> 
> Giving the fact that the policy will probably read and write man_t together
> with the usual suspects (_exec, _domtrans), is it okay to suggest a patch for
> the miscfiles module? Or would you rather see an independent module?
> 
> I don't think I need to offer a _run or _role interface, since transitioning
> from sysadm_t wouldn't be necessary. Or is it better to do that anyway?

I wonder what PeBenito thinks about this.

I wouldnt mind adding this to miscfiles, but i wouldnt add any unused
interfaces. If it turns out they are needed they can always be added
later.

> Wkr,	
> 	Sven Vermeulen
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110923/46106723/attachment.bin 

[refpolicy] [PATCH 1/1] Cronjobs might create temporary directories

[Christopher J. PeBenito]

On 09/23/11 16:26, Dominick Grift wrote:
> On Fri, 2011-09-23 at 21:11 +0200, Sven Vermeulen wrote:
>> On Thu, Sep 22, 2011 at 08:42:51PM +0200, Sven Vermeulen wrote:
>>> If the system_cronjob_t domain is seen more like a "jump board" towards the
>>> application specific domains, I don't mind creating a makewhatis policy
>>> module and work from there onwards.
>>
>> Giving the fact that the policy will probably read and write man_t together
>> with the usual suspects (_exec, _domtrans), is it okay to suggest a patch for
>> the miscfiles module? Or would you rather see an independent module?
>>
>> I don't think I need to offer a _run or _role interface, since transitioning
>> from sysadm_t wouldn't be necessary. Or is it better to do that anyway?
> 
> I wonder what PeBenito thinks about this.
> 
> I wouldnt mind adding this to miscfiles, but i wouldnt add any unused
> interfaces. If it turns out they are needed they can always be added
> later.

I would tend to agree that we want to get privileges out of system_cronjob_t by transitioning to other domains.  But the domain already has sufficient perms to run makewhatis (save for this new tmp patch).  All that we could likely gain by making a new makewhatis domain would be to drop the man page access from system_cronjob_t.  If is demonstrated that we could have real gains from having a makewhatis domain, I'd have to see what the policy looks like to determine if it would be ok in miscfiles.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com