From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 2/2] fcron socket support
Date: Thu, 24 Apr 2014 12:58:43 -0400 [thread overview]
Message-ID: <535942C3.2050501@tresys.com> (raw)
In-Reply-To: <1398092903-6994-3-git-send-email-sven.vermeulen@siphos.be>
On 04/21/2014 11:08 AM, Sven Vermeulen wrote:
> The fcron daemon creates a socket file in /var/run (called fcron.fifo)
> which is used by the fcrondyn application to interact with the fcron
> daemon. This application allows admins to list the defined jobs, run
> jobs immediately, remove jobs, etc.
>
> Without this, fcrondyn cannot connect to the cron daemon; fcron also
> logs this at start-up:
>
> fcron[23724]: Cannot bind socket to '/var/run/fcron.fifo': Permission
> denied
>
> Through this patch, we allow the crond daemon to create this socket and
> update the admin role to allow the admin domain to stream_connect
> through this socket to the crond_t domain.
>
> Changes since v1:
> - Moved named file transition outside tunable_policy
> - Use user domain instead of role in cron_admin's stream_connect_pattern
Merged. I moved the file transition back into the tunable, but dropped the name. I don't think the name is necessary in this case. I also added a missing type require for the interface change.
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
> cron.if | 5 +++++
> cron.te | 2 ++
> 2 files changed, 7 insertions(+)
>
> diff --git a/cron.if b/cron.if
> index 1303b30..7496a64 100644
> --- a/cron.if
> +++ b/cron.if
> @@ -277,6 +277,11 @@ interface(`cron_admin_role',`
> dontaudit $2 cronjob_t:process { ptrace signal_perms };
> ')
>
> + tunable_policy(`crond_fcron',`
> + # Support for fcrondyn
> + stream_connect_pattern($2, crond_var_run_t, crond_var_run_t, crond_t)
> + ')
> +
> optional_policy(`
> gen_require(`
> class dbus send_msg;
> diff --git a/cron.te b/cron.te
> index bd8a5cc..89a6620 100644
> --- a/cron.te
> +++ b/cron.te
> @@ -232,6 +232,7 @@ logging_log_filetrans(crond_t, cron_log_t, file)
>
> manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
> files_pid_filetrans(crond_t, crond_var_run_t, file)
> +files_pid_filetrans(crond_t, crond_var_run_t, sock_file, "fcron.fifo")
>
> manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
>
> @@ -347,6 +348,7 @@ tunable_policy(`allow_polyinstantiation',`
>
> tunable_policy(`fcron_crond',`
> allow crond_t { system_cron_spool_t user_cron_spool_t }:file manage_file_perms;
> + allow crond_t crond_var_run_t:sock_file manage_sock_file_perms;
> ')
>
> optional_policy(`
>
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
next prev parent reply other threads:[~2014-04-24 16:58 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-21 15:08 [refpolicy] [PATCH v2 0/2] Minor updates on fcron and snort Sven Vermeulen
2014-04-21 15:08 ` [refpolicy] [PATCH 1/2] Snort policy updates Sven Vermeulen
2014-04-24 16:57 ` Christopher J. PeBenito
2014-04-21 15:08 ` [refpolicy] [PATCH 2/2] fcron socket support Sven Vermeulen
2014-04-24 16:58 ` Christopher J. PeBenito [this message]
-- strict thread matches above, loose matches on Subject: below --
2014-04-20 8:55 [refpolicy] [PATCH 0/2] Minor updates on fcron and snort Sven Vermeulen
2014-04-20 8:55 ` [refpolicy] [PATCH 2/2] fcron socket support Sven Vermeulen
2014-04-21 13:00 ` Christopher J. PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=535942C3.2050501@tresys.com \
--to=cpebenito@tresys.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.