Description: cron patches
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2017-02-21

Index: refpolicy-2.20170903/policy/modules/contrib/cron.if
===================================================================
--- refpolicy-2.20170903.orig/policy/modules/contrib/cron.if
+++ refpolicy-2.20170903/policy/modules/contrib/cron.if
@@ -21,23 +21,33 @@ template(`cron_common_crontab_template',
 	# Declarations
 	#
 
-	type $1_t, crontab_domain;
-	userdom_user_application_domain($1_t, crontab_exec_t)
+	type $1_crontab_t, crontab_domain;
+	userdom_user_application_domain($1_crontab_t, crontab_exec_t)
 
-	type $1_tmp_t;
-	userdom_user_tmp_file($1_tmp_t)
+	type $1_crontab_tmp_t;
+	userdom_user_tmp_file($1_crontab_tmp_t)
+
+	type $1_cron_spool_t, cron_spool_type;
 
 	##############################
 	#
 	# Local policy
 	#
 
-	manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
-	manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
-	files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
+	manage_dirs_pattern($1_crontab_t, $1_crontab_tmp_t, $1_crontab_tmp_t)
+	manage_files_pattern($1_crontab_t, $1_crontab_tmp_t, $1_crontab_tmp_t)
+	files_tmp_filetrans($1_crontab_t, $1_crontab_tmp_t, { dir file })
+
+	auth_domtrans_chk_passwd($1_crontab_t)
+	auth_use_nsswitch($1_crontab_t)
+	allow $1_crontab_t self:capability fsetid;
+
+	files_type($1_cron_spool_t)
+	ubac_constrained($1_cron_spool_t)
+	mta_system_content($1_cron_spool_t)
 
-	auth_domtrans_chk_passwd($1_t)
-	auth_use_nsswitch($1_t)
+	manage_files_pattern($1_crontab_t, { cron_spool_t user_cron_spool_t }, $1_cron_spool_t)
+	filetrans_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t, file)
 ')
 
 ########################################
@@ -58,9 +68,11 @@ template(`cron_common_crontab_template',
 #
 interface(`cron_role',`
 	gen_require(`
+ifdef(`cronjob_domain', `
 		type cronjob_t;
+')
 		type crontab_exec_t, crond_t;
-		type crontab_t, user_cron_spool_t;
+		type $2_crontab_t, $2_cron_spool_t;
 		bool cron_userdomain_transition;
 	')
 
@@ -69,60 +81,51 @@ interface(`cron_role',`
 	# Declarations
 	#
 
+ifdef(`cronjob_domain', `
 	role $1 types { cronjob_t };
-	role $1 types { crontab_t };
+')
+	role $1 types { $2_crontab_t };
 
 	##############################
 	#
 	# Local policy
 	#
 
-	domtrans_pattern($2_t, crontab_exec_t, crontab_t)
+	domtrans_pattern($2_t, crontab_exec_t, $2_crontab_t)
 
 	dontaudit crond_t $2_t:process { noatsecure siginh rlimitinh };
 	allow $2_t crond_t:process sigchld;
 
-	allow $2_t user_cron_spool_t:file { getattr read write ioctl };
+	allow $2_t $2_cron_spool_t:file { getattr read write ioctl };
 
-	allow $2_t crontab_t:process { ptrace signal_perms };
-	ps_process_pattern($2_t, crontab_t)
+	allow $2_t $2_crontab_t:process { ptrace signal_perms };
+	ps_process_pattern($2_t, $2_crontab_t)
 
-	corecmd_exec_bin(crontab_t)
-	corecmd_exec_shell(crontab_t)
+	corecmd_exec_bin($2_crontab_t)
+	corecmd_exec_shell($2_crontab_t)
 
+ifndef(`cronjob_domain', `
 	tunable_policy(`cron_userdomain_transition',`
+')
 		allow crond_t $2_t:process transition;
 		allow crond_t $2_t:fd use;
 		allow crond_t $2_t:key manage_key_perms;
 
-		allow $2_t user_cron_spool_t:file entrypoint;
+		allow $2_t $2_cron_spool_t:file entrypoint;
 
 		allow $2_t crond_t:fifo_file rw_fifo_file_perms;
-
-		allow $2_t cronjob_t:process { ptrace signal_perms };
-		ps_process_pattern($2_t, cronjob_t)
+ifndef(`cronjob_domain', `
 	',`
 		dontaudit crond_t $2_t:process transition;
 		dontaudit crond_t $2_t:fd use;
 		dontaudit crond_t $2_t:key manage_key_perms;
 
-		dontaudit $2_t user_cron_spool_t:file entrypoint;
+		dontaudit $2_t $2_cron_spool_t:file entrypoint;
 
 		dontaudit $2_t crond_t:fifo_file rw_fifo_file_perms;
-
-		dontaudit $2_t cronjob_t:process { ptrace signal_perms };
-	')
-
-	optional_policy(`
-		gen_require(`
-			class dbus send_msg;
-		')
-
-		dbus_stub(cronjob_t)
-
-		allow cronjob_t $2_t:dbus send_msg;
 	')
 ')
+')
 
 ########################################
 ## <summary>
@@ -139,6 +142,7 @@ interface(`cron_role',`
 ##	</summary>
 ## </param>
 #
+ifdef(`cronjob_domain', `
 interface(`cron_unconfined_role',`
 	gen_require(`
 		type unconfined_cronjob_t, crontab_t, crontab_exec_t;
@@ -204,6 +208,7 @@ interface(`cron_unconfined_role',`
 		allow unconfined_cronjob_t $2:dbus send_msg;
 	')
 ')
+')
 
 ########################################
 ## <summary>
Index: refpolicy-2.20170903/policy/modules/contrib/cron.te
===================================================================
--- refpolicy-2.20170903.orig/policy/modules/contrib/cron.te
+++ refpolicy-2.20170903/policy/modules/contrib/cron.te
@@ -25,7 +25,9 @@ gen_tunable(cron_can_relabel, false)
 ##	the generic cronjob domain.
 ##	</p>
 ## </desc>
-gen_tunable(cron_userdomain_transition, false)
+ifndef(`cronjob_domain', `
+gen_tunable(cron_userdomain_transition, true)
+')
 
 ## <desc>
 ##	<p>
@@ -83,15 +85,16 @@ files_pid_file(crond_var_run_t)
 type crontab_exec_t;
 application_executable_file(crontab_exec_t)
 
-cron_common_crontab_template(admin_crontab)
-typealias admin_crontab_t alias sysadm_crontab_t;
-typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t;
-
-cron_common_crontab_template(crontab)
-typealias crontab_t alias { user_crontab_t staff_crontab_t };
-typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
-typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
-typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
+cron_common_crontab_template(sysadm)
+typealias sysadm_crontab_t alias admin_crontab_t;
+typealias sysadm_crontab_tmp_t alias admin_crontab_tmp_t;
+
+cron_common_crontab_template(user)
+cron_common_crontab_template(staff)
+cron_common_crontab_template(unconfined)
+typealias user_crontab_t alias { crontab_t };
+typealias sysadm_crontab_t alias { auditadm_crontab_t secadm_crontab_t };
+typealias sysadm_crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
 
 type system_cron_spool_t, cron_spool_type;
 files_type(system_cron_spool_t)
@@ -113,11 +116,7 @@ files_type(system_cronjob_var_lib_t)
 type system_cronjob_var_run_t;
 files_pid_file(system_cronjob_var_run_t)
 
-type user_cron_spool_t, cron_spool_type;
-typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
-typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
-files_type(user_cron_spool_t)
-ubac_constrained(user_cron_spool_t)
+typealias sysadm_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
 
 type user_cron_spool_log_t;
 logging_log_file(user_cron_spool_log_t)
@@ -145,9 +144,6 @@ allow crontab_domain self:capability { c
 allow crontab_domain self:process { getcap setsched signal_perms };
 allow crontab_domain self:fifo_file rw_fifo_file_perms;
 
-manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
-filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
-
 allow crontab_domain cron_spool_t:dir setattr_dir_perms;
 
 allow crontab_domain crond_t:process signal;
@@ -218,8 +214,8 @@ tunable_policy(`fcron_crond',`
 # Daemon local policy
 #
 
-allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice };
-dontaudit crond_t self:capability { sys_resource sys_tty_config };
+allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice sys_resource };
+dontaudit crond_t self:capability { sys_tty_config };
 
 allow crond_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow crond_t self:fd use;
@@ -233,6 +229,7 @@ allow crond_t self:msg { send receive };
 allow crond_t self:key { search write link };
 dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
 
+allow crond_t cron_spool_type:file read_file_perms;
 allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
 logging_log_filetrans(crond_t, cron_log_t, file)
 
