From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH v2] Introduce cron_admin interface
Date: Fri, 17 Jul 2015 09:30:41 -0400 [thread overview]
Message-ID: <55A90381.9030803@tresys.com> (raw)
In-Reply-To: <1437052184-29159-1-git-send-email-jason@perfinion.com>
On 7/16/2015 9:09 AM, Jason Zaman wrote:
> ---
> Changes from v1:
> allow admin of cronjob_t domain.
> user cronjob domains are unchanged and not allowed
> cron.if | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 53 insertions(+)
Merged.
> diff --git a/cron.if b/cron.if
> index cc225d1..a76e902 100644
> --- a/cron.if
> +++ b/cron.if
> @@ -838,3 +838,56 @@ interface(`cron_dontaudit_write_system_job_tmp_files',`
>
> dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
> ')
> +
> +########################################
> +## <summary>
> +## All of the rules required to
> +## administrate a cron environment.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`cron_admin',`
> + gen_require(`
> + type crond_t, cronjob_t, crond_initrc_exec_t;
> + type cron_var_lib_t, system_cronjob_var_lib_t;
> + type crond_tmp_t, admin_crontab_tmp_t;
> + type crontab_tmp_t, system_cronjob_tmp_t;
> + type cron_var_run_t, system_cronjob_var_run_t, crond_var_run_t;
> + type cron_log_t, system_cronjob_lock_t, user_cron_spool_log_t;
> + attribute cron_spool_type;
> + ')
> +
> + allow $1 { crond_t cronjob_t }:process { ptrace signal_perms };
> + ps_process_pattern($1, { crond_t cronjob_t })
> +
> + init_startstop_service($1, $2, crond_t, crond_initrc_exec_t)
> +
> + files_search_var_lib($1)
> + admin_pattern($1, { cron_var_lib_t system_cronjob_var_lib_t })
> +
> + files_search_tmp($1)
> + admin_pattern($1, { crond_tmp_t admin_crontab_tmp_t })
> + admin_pattern($1, { crontab_tmp_t system_cronjob_tmp_t })
> +
> + files_search_pids($1)
> + admin_pattern($1, { cron_var_run_t crond_var_run_t system_cronjob_var_run_t })
> +
> + files_search_locks($1)
> + admin_pattern($1, system_cronjob_lock_t)
> +
> + logging_search_logs($1)
> + admin_pattern($1, { cron_log_t user_cron_spool_log_t })
> +
> + files_search_spool($1)
> + admin_pattern($1, cron_spool_type)
> +')
>
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
prev parent reply other threads:[~2015-07-17 13:30 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-16 13:09 [refpolicy] [PATCH v2] Introduce cron_admin interface Jason Zaman
2015-07-17 13:30 ` Christopher J. PeBenito [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=55A90381.9030803@tresys.com \
--to=cpebenito@tresys.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.