Description: cron patches
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2017-02-21

Index: refpolicy-2.20210115/policy/modules/services/cron.if
===================================================================
--- refpolicy-2.20210115.orig/policy/modules/services/cron.if
+++ refpolicy-2.20210115/policy/modules/services/cron.if
@@ -21,23 +21,33 @@ template(`cron_common_crontab_template',
 	# Declarations
 	#
 
-	type $1_t, crontab_domain;
-	userdom_user_application_domain($1_t, crontab_exec_t)
+	type $1_crontab_t, crontab_domain;
+	userdom_user_application_domain($1_crontab_t, crontab_exec_t)
 
-	type $1_tmp_t;
-	userdom_user_tmp_file($1_tmp_t)
+	type $1_crontab_tmp_t;
+	userdom_user_tmp_file($1_crontab_tmp_t)
+
+	type $1_cron_spool_t, cron_spool_type;
 
 	##############################
 	#
 	# Local policy
 	#
 
-	manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
-	manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
-	files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
+	manage_dirs_pattern($1_crontab_t, $1_crontab_tmp_t, $1_crontab_tmp_t)
+	manage_files_pattern($1_crontab_t, $1_crontab_tmp_t, $1_crontab_tmp_t)
+	files_tmp_filetrans($1_crontab_t, $1_crontab_tmp_t, { dir file })
+
+	auth_domtrans_chk_passwd($1_crontab_t)
+	auth_use_nsswitch($1_crontab_t)
+	allow $1_crontab_t self:capability fsetid;
+
+	files_type($1_cron_spool_t)
+	ubac_constrained($1_cron_spool_t)
+	mta_system_content($1_cron_spool_t)
 
-	auth_domtrans_chk_passwd($1_t)
-	auth_use_nsswitch($1_t)
+	manage_files_pattern($1_crontab_t, { cron_spool_t $1_cron_spool_t }, $1_cron_spool_t)
+	filetrans_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t, file)
 ')
 
 ########################################
@@ -58,9 +68,11 @@ template(`cron_common_crontab_template',
 #
 interface(`cron_role',`
 	gen_require(`
+ifdef(`cronjob_domain', `
 		type cronjob_t;
+')
 		type crontab_exec_t, crond_t;
-		type crontab_t, user_cron_spool_t, crond_tmp_t;
+		type $2_crontab_t, $2_cron_spool_t, crond_tmp_t;
 		bool cron_userdomain_transition;
 	')
 
@@ -69,64 +81,60 @@ interface(`cron_role',`
 	# Declarations
 	#
 
-	role $1 types { cronjob_t crontab_t };
+ifdef(`cronjob_domain', `
+	role $1 types { cronjob_t };
+')
+	role $1 types { $2_crontab_t };
 
 	##############################
 	#
 	# Local policy
 	#
 
-	domtrans_pattern($2_t, crontab_exec_t, crontab_t)
+	domtrans_pattern($2_t, crontab_exec_t, $2_crontab_t)
 
 	dontaudit crond_t $2_t:process { noatsecure rlimitinh siginh };
 	allow $2_t crond_t:process sigchld;
 
-	allow $2_t user_cron_spool_t:file rw_inherited_file_perms;
+	allow $2_t $2_cron_spool_t:file rw_inherited_file_perms;
 
-	allow $2_t crontab_t:process { ptrace signal_perms };
-	ps_process_pattern($2_t, crontab_t)
+	allow $2_t $2_crontab_t:process { ptrace signal_perms };
+	ps_process_pattern($2_t, $2_crontab_t)
 
-	corecmd_exec_bin(crontab_t)
-	corecmd_exec_shell(crontab_t)
+	corecmd_exec_bin($2_crontab_t)
+	corecmd_exec_shell($2_crontab_t)
 
-	tunable_policy(`cron_userdomain_transition',`
+	ifndef(`cronjob_domain', `
 		allow crond_t $2_t:process transition;
 		allow crond_t $2_t:fd use;
 		allow crond_t $2_t:key manage_key_perms;
 
-		allow $2_t user_cron_spool_t:file entrypoint;
+		allow $2_t $2_cron_spool_t:file entrypoint;
 		allow $2_t crond_tmp_t:file rw_inherited_file_perms;
 
 		allow $2_t crond_t:fifo_file rw_fifo_file_perms;
+	')
 
-		allow $2_t cronjob_t:process { ptrace signal_perms };
-		ps_process_pattern($2_t, cronjob_t)
+	tunable_policy(`cron_userdomain_transition',`
+		allow crond_t $2_t:process transition;
+		allow crond_t $2_t:fd use;
+		allow crond_t $2_t:key manage_key_perms;
+		allow $2_t $2_cron_spool_t:file entrypoint;
 	',`
 		dontaudit crond_t $2_t:process transition;
 		dontaudit crond_t $2_t:fd use;
 		dontaudit crond_t $2_t:key manage_key_perms;
 
-		dontaudit $2_t user_cron_spool_t:file entrypoint;
+		dontaudit $2_t $2_cron_spool_t:file entrypoint;
 
 		dontaudit $2_t crond_t:fifo_file rw_fifo_file_perms;
-
-		dontaudit $2_t cronjob_t:process { ptrace signal_perms };
-	')
-
-	optional_policy(`
-		gen_require(`
-			class dbus send_msg;
-		')
-
-		dbus_stub(cronjob_t)
-
-		allow cronjob_t $2_t:dbus send_msg;
 	')
 ')
 
 ########################################
 ## <summary>
 ##	Role access for unconfined cron.
+##	Only used if cronjob_domain is set
 ## </summary>
 ## <param name="role">
 ##	<summary>
@@ -192,7 +200,7 @@ interface(`cron_unconfined_role',`
 		dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
 
 		dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms };
-')
+	')
 
 	optional_policy(`
 		gen_require(`
@@ -314,11 +322,8 @@ interface(`cron_admin_role',`
 interface(`cron_system_entry',`
 	gen_require(`
 		type crond_t, system_cronjob_t;
-		type user_cron_spool_log_t;
 	')
 
-	rw_files_pattern($1, user_cron_spool_log_t, user_cron_spool_log_t)
-
 	domtrans_pattern(system_cronjob_t, $2, $1)
 	domtrans_pattern(crond_t, $2, $1)
 
@@ -992,7 +997,7 @@ interface(`cron_admin',`
 		type crond_tmp_t, admin_crontab_tmp_t;
 		type crontab_tmp_t, system_cronjob_tmp_t;
 		type cron_runtime_t, system_cronjob_runtime_t, crond_runtime_t;
-		type cron_log_t, system_cronjob_lock_t, user_cron_spool_log_t;
+		type cron_log_t, system_cronjob_lock_t;
 		attribute cron_spool_type;
 	')
 
@@ -1015,7 +1020,7 @@ interface(`cron_admin',`
 	admin_pattern($1, system_cronjob_lock_t)
 
 	logging_search_logs($1)
-	admin_pattern($1, { cron_log_t user_cron_spool_log_t })
+	admin_pattern($1, { cron_log_t })
 
 	files_search_spool($1)
 	admin_pattern($1, cron_spool_type)
Index: refpolicy-2.20210115/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20210115.orig/policy/modules/services/cron.te
+++ refpolicy-2.20210115/policy/modules/services/cron.te
@@ -25,7 +25,9 @@ gen_tunable(cron_can_relabel, false)
 ##	the generic cronjob domain.
 ##	</p>
 ## </desc>
-gen_tunable(cron_userdomain_transition, false)
+ifndef(`cronjob_domain', `
+gen_tunable(cron_userdomain_transition, true)
+')
 
 ## <desc>
 ##	<p>
@@ -81,9 +83,11 @@ init_unit_file(crond_unit_t)
 type crontab_exec_t;
 application_executable_file(crontab_exec_t)
 
-cron_common_crontab_template(admin_crontab)
-
-cron_common_crontab_template(crontab)
+cron_common_crontab_template(user)
+cron_common_crontab_template(staff)
+cron_common_crontab_template(unconfined)
+cron_common_crontab_template(sysadm)
+typealias user_crontab_t alias { crontab_t };
 
 type system_cron_spool_t, cron_spool_type;
 files_type(system_cron_spool_t)
@@ -105,25 +109,13 @@ files_tmp_file(system_cronjob_tmp_t)
 type system_cronjob_var_lib_t;
 files_type(system_cronjob_var_lib_t)
 
-type user_cron_spool_t, cron_spool_type;
-files_type(user_cron_spool_t)
-ubac_constrained(user_cron_spool_t)
-
-type user_cron_spool_log_t;
-logging_log_file(user_cron_spool_log_t)
-ubac_constrained(user_cron_spool_log_t)
-
 ifdef(`enable_mcs',`
 	init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
 ')
 
 optional_policy(`
-	mta_system_content(cron_spool_t)
 	mta_system_content(crond_tmp_t)
 	mta_system_content(crond_runtime_t)
-	mta_system_content(system_cron_spool_t)
-	mta_system_content(user_cron_spool_t)
-	mta_system_content(user_cron_spool_log_t)
 ')
 
 ##############################
@@ -135,9 +127,6 @@ allow crontab_domain self:capability { c
 allow crontab_domain self:process { getcap setsched signal_perms };
 allow crontab_domain self:fifo_file rw_fifo_file_perms;
 
-manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
-filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
-
 allow crontab_domain cron_spool_t:dir setattr_dir_perms;
 
 allow crontab_domain crond_t:process signal;
@@ -184,30 +173,11 @@ tunable_policy(`fcron_crond',`
 
 ########################################
 #
-# Admin local policy
-#
-
-allow admin_crontab_t self:capability fsetid;
-allow admin_crontab_t crond_t:process signal;
-
-selinux_get_fs_mount(admin_crontab_t)
-selinux_validate_context(admin_crontab_t)
-selinux_compute_access_vector(admin_crontab_t)
-selinux_compute_create_context(admin_crontab_t)
-selinux_compute_relabel_context(admin_crontab_t)
-selinux_compute_user_contexts(admin_crontab_t)
-
-tunable_policy(`fcron_crond',`
-	allow admin_crontab_t self:process setfscreate;
-')
-
-########################################
-#
 # Daemon local policy
 #
 
-allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice };
-dontaudit crond_t self:capability { sys_resource sys_tty_config };
+allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice sys_resource };
+dontaudit crond_t self:capability { sys_tty_config };
 
 allow crond_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow crond_t self:fd use;
@@ -221,6 +191,7 @@ allow crond_t self:msg { send receive };
 allow crond_t self:key { search write link };
 dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
 
+allow crond_t cron_spool_type:file read_file_perms;
 allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
 logging_log_filetrans(crond_t, cron_log_t, file)
 
@@ -244,8 +215,6 @@ manage_files_pattern(crond_t, user_cron_
 manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
 allow crond_t user_cron_spool_t:dir watch;
 
-manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t)
-
 allow crond_t system_cronjob_t:process transition;
 allow crond_t system_cronjob_t:fd use;
 allow crond_t system_cronjob_t:key manage_key_perms;
Index: refpolicy-2.20210115/policy/modules/services/cron.fc
===================================================================
--- refpolicy-2.20210115.orig/policy/modules/services/cron.fc
+++ refpolicy-2.20210115/policy/modules/services/cron.fc
@@ -38,8 +38,7 @@
 /run/.*cron.*	--	gen_context(system_u:object_r:crond_runtime_t,s0)
 
 /var/spool/anacron(/.*)?	gen_context(system_u:object_r:system_cron_spool_t,s0)
-/var/spool/at(/.*)?	gen_context(system_u:object_r:user_cron_spool_t,s0)
-/var/spool/at/atspool(/.*)?	gen_context(system_u:object_r:user_cron_spool_log_t,s0)
+/var/spool/at(/.*)?	gen_context(system_u:object_r:system_cron_spool_t,s0)
 
 /var/spool/cron	-d	gen_context(system_u:object_r:cron_spool_t,s0)
 #/var/spool/cron/root	--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
