* [refpolicy] [PATCH 2/2] fcron socket support
  2014-04-20  8:55 [refpolicy] [PATCH 0/2] Minor updates on fcron and snort Sven Vermeulen
@ 2014-04-20  8:55 ` Sven Vermeulen
  2014-04-21 13:00   ` Christopher J. PeBenito
  0 siblings, 1 reply; 7+ messages in thread
From: Sven Vermeulen @ 2014-04-20  8:55 UTC (permalink / raw)
  To: refpolicy

The fcron daemon creates a socket file in /var/run (called fcron.fifo)
which is used by the fcrondyn application to interact with the fcron
daemon. This application allows admins to list the defined jobs, run
jobs immediately, remove jobs, etc.

Without this, fcrondyn cannot connect to the cron daemon; fcron also
logs this at start-up:

fcron[23724]: Cannot bind socket to '/var/run/fcron.fifo': Permission
denied

Through this patch, we allow the crond daemon to create this socket and
update the admin role to allow the admin domain to stream_connect
through this socket to the crond_t domain.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 cron.if | 5 +++++
 cron.te | 2 ++
 2 files changed, 7 insertions(+)

diff --git a/cron.if b/cron.if
index 1303b30..4ee25fd 100644
--- a/cron.if
+++ b/cron.if
@@ -277,6 +277,11 @@ interface(`cron_admin_role',`
 		dontaudit $2 cronjob_t:process { ptrace signal_perms };
 	')
 
+	tunable_policy(`crond_fcron',`
+		# Support for fcrondyn
+		stream_connect_pattern($1, crond_var_run_t, crond_var_run_t, crond_t)
+	')
+
 	optional_policy(`
 		gen_require(`
 			class dbus send_msg;
diff --git a/cron.te b/cron.te
index bd8a5cc..a2cc311 100644
--- a/cron.te
+++ b/cron.te
@@ -347,6 +347,8 @@ tunable_policy(`allow_polyinstantiation',`
 
 tunable_policy(`fcron_crond',`
 	allow crond_t { system_cron_spool_t user_cron_spool_t }:file manage_file_perms;
+	allow crond_t crond_var_run_t:sock_file manage_sock_file_perms;
+	files_pid_filetrans(crond_t, crond_var_run_t, sock_file, "fcron.fifo")
 ')
 
 optional_policy(`
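
Review bot: the named file transition files_pid_filetrans(crond_t, crond_var_run_t, sock_file, "fcron.fifo") is placed inside the fcron_crond tunable_policy block, and name-based type transitions are not accepted inside a conditional, so this hunk does not build (the review reply in this thread confirms it). Dropping the name and keeping the rule in the tunable, files_pid_filetrans(crond_t, crond_var_run_t, sock_file), is sufficient, because the transition only needs to distinguish the object class here, not the file name. As a style point, manage_sock_files_pattern(crond_t, crond_var_run_t, crond_var_run_t) would match the pattern-macro style used for the rest of crond_t's rules in cron.te rather than a raw allow on sock_file.
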
-- 
1.8.3.2


* [refpolicy] [PATCH 2/2] fcron socket support
  2014-04-20  8:55 ` [refpolicy] [PATCH 2/2] fcron socket support Sven Vermeulen
@ 2014-04-21 13:00   ` Christopher J. PeBenito
  0 siblings, 0 replies; 7+ messages in thread
From: Christopher J. PeBenito @ 2014-04-21 13:00 UTC (permalink / raw)
  To: refpolicy

On 04/20/2014 04:55 AM, Sven Vermeulen wrote:
> diff --git a/cron.te b/cron.te
> index bd8a5cc..a2cc311 100644
> --- a/cron.te
> +++ b/cron.te
> @@ -347,6 +347,8 @@ tunable_policy(`allow_polyinstantiation',`
>  
>  tunable_policy(`fcron_crond',`
>  	allow crond_t { system_cron_spool_t user_cron_spool_t }:file manage_file_perms;
> +	allow crond_t crond_var_run_t:sock_file manage_sock_file_perms;
> +	files_pid_filetrans(crond_t, crond_var_run_t, sock_file, "fcron.fifo")
>  ')

This has at least two problems.  Named filetrans in a conditional aren't allowed, and also I got an error with a role in an allow rule:

policy/modules/roles/sysadm.te":424:ERROR 'unknown type sysadm_r' at token ';' on line 2363883:
#line 424
	allow sysadm_r crond_var_run_t:dir { getattr search open };
checkpolicy:  error(s) encountered while parsing configuration



-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH v2 0/2] Minor updates on fcron and snort
@ 2014-04-21 15:08 Sven Vermeulen
  2014-04-21 15:08 ` [refpolicy] [PATCH 1/2] Snort policy updates Sven Vermeulen
  2014-04-21 15:08 ` [refpolicy] [PATCH 2/2] fcron socket support Sven Vermeulen
  0 siblings, 2 replies; 7+ messages in thread
From: Sven Vermeulen @ 2014-04-21 15:08 UTC (permalink / raw)
  To: refpolicy

Small set of changes to fcron and snort

Changes since v1:
- Update fcron to fix build failures

Sven Vermeulen (2):
  Snort policy updates
  fcron socket support

 cron.if  | 5 +++++
 cron.te  | 2 ++
 snort.fc | 1 +
 snort.te | 3 ++-
 4 files changed, 10 insertions(+), 1 deletion(-)

-- 
1.8.3.2


* [refpolicy] [PATCH 1/2] Snort policy updates
  2014-04-21 15:08 [refpolicy] [PATCH v2 0/2] Minor updates on fcron and snort Sven Vermeulen
@ 2014-04-21 15:08 ` Sven Vermeulen
  2014-04-24 16:57   ` Christopher J. PeBenito
  2014-04-21 15:08 ` [refpolicy] [PATCH 2/2] fcron socket support Sven Vermeulen
  1 sibling, 1 reply; 7+ messages in thread
From: Sven Vermeulen @ 2014-04-21 15:08 UTC (permalink / raw)
  To: refpolicy

When snort starts up, its init script creates the /var/run/snort directory.
However, the policy did not have a file transition for this, which results
in the /var/run/snort directory being initrc_var_run_t.

By supporting a file transition to snort_var_run_t the PID file can be
hosted inside its own directory as intended.

Error logs from Snort:
Apr  9 14:42:45 server snort[1916]: WARNING: /var/run/snort is invalid,
trying /var/run...
Apr  9 14:42:45 server snort[1916]: Previous Error, errno=13,
(Permission denied)
Apr  9 14:42:45 server snort[1916]: PID path stat checked out ok, PID
path set to /var/run/

Second, snort is not able to write to its own log file. It needs the
write privilege for this (append no longer cuts it) as found through the
AVC denial.

Error logs from Snort:
Apr  9 14:42:45 server snort[1916]: FATAL ERROR: spo_unified2.c(320)
Could not open /var/log/snort//merged.log: Permission denied

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 snort.fc | 1 +
 snort.te | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/snort.fc b/snort.fc
index 591b9a1..2b1ea6b 100644
--- a/snort.fc
+++ b/snort.fc
@@ -10,3 +10,4 @@
 /var/log/snort(/.*)?	gen_context(system_u:object_r:snort_log_t,s0)
 
 /var/run/snort.*	--	gen_context(system_u:object_r:snort_var_run_t,s0)
+/var/run/snort(/.*)?	gen_context(system_u:object_r:snort_var_run_t,s0)
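
Review bot: the two /var/run entries are not redundant and both should stay, which is worth a one-line comment in snort.fc so a later cleanup does not fold them. The existing "/var/run/snort.*	--" line is restricted to regular files and is what labels a PID file named like /var/run/snort.pid, whereas the new "/var/run/snort(/.*)?" line matches the /var/run/snort directory itself and its contents but not /var/run/snort.pid, since the optional group requires a slash after "snort". Both resolve to snort_var_run_t, so the overlap on files under /var/run/snort produces no conflicting label.
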
diff --git a/snort.te b/snort.te
index 1af72df..2d78724 100644
--- a/snort.te
+++ b/snort.te
@@ -23,6 +23,7 @@ files_tmp_file(snort_tmp_t)
 
 type snort_var_run_t;
 files_pid_file(snort_var_run_t)
+init_daemon_run_dir(snort_var_run_t, "snort")
 
 ########################################
 #
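
Review bot: init_daemon_run_dir(snort_var_run_t, "snort") only covers the init-script side, that is, initrc_t creating /var/run/snort with the right type. The commit message says snort then falls back to /var/run when it finds the directory "invalid", so please confirm that snort_t itself has search and write access on snort_var_run_t directories and a transition for the PID file it creates inside that directory; otherwise the directory will be labeled correctly yet the daemon will keep logging the fallback. A short comment above the call noting that the init script creates the directory would help the next reader.
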
@@ -43,9 +44,9 @@ allow snort_t snort_etc_t:file read_file_perms;
 allow snort_t snort_etc_t:lnk_file read_lnk_file_perms;
 
 manage_dirs_pattern(snort_t, snort_log_t, snort_log_t)
-append_files_pattern(snort_t, snort_log_t, snort_log_t)
 create_files_pattern(snort_t, snort_log_t, snort_log_t)
 setattr_files_pattern(snort_t, snort_log_t, snort_log_t)
+write_files_pattern(snort_t, snort_log_t, snort_log_t)
 logging_log_filetrans(snort_t, snort_log_t, { file dir })
 
 manage_dirs_pattern(snort_t, snort_tmp_t, snort_tmp_t)
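
Review bot: swapping append_files_pattern for write_files_pattern on snort_log_t changes the log type's integrity properties: snort_t can now overwrite or truncate existing log content rather than only add to it, and that deserves a comment next to the rule in snort.te, since the justification in the commit message (the unified2 plugin opening /var/log/snort//merged.log for writing) is not visible to someone reading the policy. Because the append rule is removed rather than supplemented, also confirm that write_file_perms in this refpolicy tree still carries append, so the other output plugins that only append do not regress.
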
-- 
1.8.3.2


* [refpolicy] [PATCH 2/2] fcron socket support
  2014-04-21 15:08 [refpolicy] [PATCH v2 0/2] Minor updates on fcron and snort Sven Vermeulen
  2014-04-21 15:08 ` [refpolicy] [PATCH 1/2] Snort policy updates Sven Vermeulen
@ 2014-04-21 15:08 ` Sven Vermeulen
  2014-04-24 16:58   ` Christopher J. PeBenito
  1 sibling, 1 reply; 7+ messages in thread
From: Sven Vermeulen @ 2014-04-21 15:08 UTC (permalink / raw)
  To: refpolicy

The fcron daemon creates a socket file in /var/run (called fcron.fifo)
which is used by the fcrondyn application to interact with the fcron
daemon. This application allows admins to list the defined jobs, run
jobs immediately, remove jobs, etc.

Without this, fcrondyn cannot connect to the cron daemon; fcron also
logs this at start-up:

fcron[23724]: Cannot bind socket to '/var/run/fcron.fifo': Permission
denied

Through this patch, we allow the crond daemon to create this socket and
update the admin role to allow the admin domain to stream_connect
through this socket to the crond_t domain.

Changes since v1:
- Moved named file transition outside tunable_policy
- Use user domain instead of role in cron_admin's stream_connect_pattern

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 cron.if | 5 +++++
 cron.te | 2 ++
 2 files changed, 7 insertions(+)

diff --git a/cron.if b/cron.if
index 1303b30..7496a64 100644
--- a/cron.if
+++ b/cron.if
@@ -277,6 +277,11 @@ interface(`cron_admin_role',`
 		dontaudit $2 cronjob_t:process { ptrace signal_perms };
 	')
 
+	tunable_policy(`crond_fcron',`
+		# Support for fcrondyn
+		stream_connect_pattern($2, crond_var_run_t, crond_var_run_t, crond_t)
+	')
+
 	optional_policy(`
 		gen_require(`
 			class dbus send_msg;
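
Review bot: crond_var_run_t is referenced in the interface body but does not appear in the gen_require block that the context shows, and an interface must require every type it names because it is expanded inside other modules; the maintainer's merge note confirms a type require had to be added. The tunable is also still spelled crond_fcron here while the cron.te hunk in this same patch uses fcron_crond, so the fcrondyn connect rule would not be enabled by the boolean that enables the rest of the fcron support; use one name in both files.
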
diff --git a/cron.te b/cron.te
index bd8a5cc..89a6620 100644
--- a/cron.te
+++ b/cron.te
@@ -232,6 +232,7 @@ logging_log_filetrans(crond_t, cron_log_t, file)
 
 manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
 files_pid_filetrans(crond_t, crond_var_run_t, file)
+files_pid_filetrans(crond_t, crond_var_run_t, sock_file, "fcron.fifo")
 
 manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
 
@@ -347,6 +348,7 @@ tunable_policy(`allow_polyinstantiation',`
 
 tunable_policy(`fcron_crond',`
 	allow crond_t { system_cron_spool_t user_cron_spool_t }:file manage_file_perms;
+	allow crond_t crond_var_run_t:sock_file manage_sock_file_perms;
 ')
 
 optional_policy(`
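
Review bot: style point on the added allow rule: this file expresses crond_t's access through the pattern macros (manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t) appears in the previous hunk), so manage_sock_files_pattern(crond_t, crond_var_run_t, crond_var_run_t) would be the consistent form instead of a bare allow on sock_file.
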
-- 
1.8.3.2


* [refpolicy] [PATCH 1/2] Snort policy updates
  2014-04-21 15:08 ` [refpolicy] [PATCH 1/2] Snort policy updates Sven Vermeulen
@ 2014-04-24 16:57   ` Christopher J. PeBenito
  0 siblings, 0 replies; 7+ messages in thread
From: Christopher J. PeBenito @ 2014-04-24 16:57 UTC (permalink / raw)
  To: refpolicy

On 04/21/2014 11:08 AM, Sven Vermeulen wrote:
> When snort starts up, its init script creates the /var/run/snort directory.
> However, the policy did not have a file transition for this, which results
> in the /var/run/snort directory being initrc_var_run_t.
> 
> By supporting a file transition to snort_var_run_t the PID file can be
> hosted inside its own directory as intended.

Merged.


> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  snort.fc | 1 +
>  snort.te | 3 ++-
>  2 files changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/snort.fc b/snort.fc
> index 591b9a1..2b1ea6b 100644
> --- a/snort.fc
> +++ b/snort.fc
> @@ -10,3 +10,4 @@
>  /var/log/snort(/.*)?	gen_context(system_u:object_r:snort_log_t,s0)
>  
>  /var/run/snort.*	--	gen_context(system_u:object_r:snort_var_run_t,s0)
> +/var/run/snort(/.*)?	gen_context(system_u:object_r:snort_var_run_t,s0)
> diff --git a/snort.te b/snort.te
> index 1af72df..2d78724 100644
> --- a/snort.te
> +++ b/snort.te
> @@ -23,6 +23,7 @@ files_tmp_file(snort_tmp_t)
>  
>  type snort_var_run_t;
>  files_pid_file(snort_var_run_t)
> +init_daemon_run_dir(snort_var_run_t, "snort")
>  
>  ########################################
>  #
> @@ -43,9 +44,9 @@ allow snort_t snort_etc_t:file read_file_perms;
>  allow snort_t snort_etc_t:lnk_file read_lnk_file_perms;
>  
>  manage_dirs_pattern(snort_t, snort_log_t, snort_log_t)
> -append_files_pattern(snort_t, snort_log_t, snort_log_t)
>  create_files_pattern(snort_t, snort_log_t, snort_log_t)
>  setattr_files_pattern(snort_t, snort_log_t, snort_log_t)
> +write_files_pattern(snort_t, snort_log_t, snort_log_t)
>  logging_log_filetrans(snort_t, snort_log_t, { file dir })
>  
>  manage_dirs_pattern(snort_t, snort_tmp_t, snort_tmp_t)
 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 2/2] fcron socket support
  2014-04-21 15:08 ` [refpolicy] [PATCH 2/2] fcron socket support Sven Vermeulen
@ 2014-04-24 16:58   ` Christopher J. PeBenito
  0 siblings, 0 replies; 7+ messages in thread
From: Christopher J. PeBenito @ 2014-04-24 16:58 UTC (permalink / raw)
  To: refpolicy

On 04/21/2014 11:08 AM, Sven Vermeulen wrote:
> The fcron daemon creates a socket file in /var/run (called fcron.fifo)
> which is used by the fcrondyn application to interact with the fcron
> daemon. This application allows admins to list the defined jobs, run
> jobs immediately, remove jobs, etc.
> 
> Without this, fcrondyn cannot connect to the cron daemon; fcron also
> logs this at start-up:
> 
> fcron[23724]: Cannot bind socket to '/var/run/fcron.fifo': Permission
> denied
> 
> Through this patch, we allow the crond daemon to create this socket and
> update the admin role to allow the admin domain to stream_connect
> through this socket to the crond_t domain.
> 
> Changes since v1:
> - Moved named file transition outside tunable_policy
> - Use user domain instead of role in cron_admin's stream_connect_pattern

Merged.  I moved the file transition back into the tunable, but dropped the name.  I don't think the name is necessary in this case.  I also added a missing type require for the interface change.

 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  cron.if | 5 +++++
>  cron.te | 2 ++
>  2 files changed, 7 insertions(+)
> 
> diff --git a/cron.if b/cron.if
> index 1303b30..7496a64 100644
> --- a/cron.if
> +++ b/cron.if
> @@ -277,6 +277,11 @@ interface(`cron_admin_role',`
>  		dontaudit $2 cronjob_t:process { ptrace signal_perms };
>  	')
>  
> +	tunable_policy(`crond_fcron',`
> +		# Support for fcrondyn
> +		stream_connect_pattern($2, crond_var_run_t, crond_var_run_t, crond_t)
> +	')
> +
>  	optional_policy(`
>  		gen_require(`
>  			class dbus send_msg;
> diff --git a/cron.te b/cron.te
> index bd8a5cc..89a6620 100644
> --- a/cron.te
> +++ b/cron.te
> @@ -232,6 +232,7 @@ logging_log_filetrans(crond_t, cron_log_t, file)
>  
>  manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
>  files_pid_filetrans(crond_t, crond_var_run_t, file)
> +files_pid_filetrans(crond_t, crond_var_run_t, sock_file, "fcron.fifo")
>  
>  manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
>  
> @@ -347,6 +348,7 @@ tunable_policy(`allow_polyinstantiation',`
>  
>  tunable_policy(`fcron_crond',`
>  	allow crond_t { system_cron_spool_t user_cron_spool_t }:file manage_file_perms;
> +	allow crond_t crond_var_run_t:sock_file manage_sock_file_perms;
>  ')
>  
>  optional_policy(`
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

