crontab policy
The attached patch is needed to allow the "crontab -u" checks to operate
correctly. Without this the check always returns 0 and crontab will allow
root to create crontabs for anyone regardless of SE Linux context.
Note that it may be necessary to go further. I am operating under the
assumption that if you want to grant a particular crontab domain the access
to create crontab files for other users then you will grant extra access to
the crontab domain as well as the "passwd crontab" access to the parent
domain in the policy. Maybe we should allow all $1_crontab_t domains to
perform the security checks?
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
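The whole point of the message above is the difference between a `dontaudit` rule (the denial still happens, it is just not logged) and an `allow` rule: with only `dontaudit` on `proc_t` and `selinux_config_t`, the `crontab -u` check fails silently and falls through to "return 0". The following Python script is an added example, not code from the post or from the SELinux policy sources; it parses a simplified subset of `.te` rule syntax (`allow`/`dontaudit` with optional `{ }` sets for classes and permissions), with the `$1` macro argument expanded to `user` by hand, and reports for each access the check needs whether it is allowed, silently denied, or denied and audited. The list of accesses the check needs is constructed from the `allow` lines the patch adds.

```python
import re

# Constructed sample: the crontab_macros.te fragment before the patch, with
# $1 expanded to "user" the way the m4 macro would for user_crontab_t.
UNPATCHED_POLICY = """
allow user_crontab_t user_crontab_t:capability { setuid setgid chown dac_override };
dontaudit user_crontab_t proc_t:dir search;
dontaudit user_crontab_t selinux_config_t:dir search;
# for the checks used by crontab -u
dontaudit user_crontab_t security_t:dir search;
allow user_crontab_t cron_spool_t:dir setattr;
"""

# Constructed sample: the same fragment after the patch is applied.
PATCHED_POLICY = """
allow user_crontab_t user_crontab_t:capability { setuid setgid chown dac_override };
# for the checks used by crontab -u
dontaudit user_crontab_t security_t:dir search;
allow user_crontab_t proc_t:dir search;
allow user_crontab_t proc_t:{ file lnk_file } { getattr read };
allow user_crontab_t selinux_config_t:dir search;
allow user_crontab_t selinux_config_t:file { getattr read };
dontaudit user_crontab_t self:dir search;
allow user_crontab_t cron_spool_t:dir setattr;
"""

# Simplified rule grammar: kind source target:class(es) perm(s);
RULE_RE = re.compile(
    r"^\s*(allow|dontaudit)\s+(\S+)\s+(\S+?):(\{[^}]*\}|\S+)\s+(\{[^}]*\}|\S+)\s*;"
)


def _split_set(tok):
    """Turn 'dir' or '{ file lnk_file }' into a list of names."""
    tok = tok.strip()
    if tok.startswith("{"):
        return tok.strip("{} ").split()
    return [tok]


def parse_rules(text):
    """Yield (kind, source, target, class, perm) tuples, one per expanded permission."""
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        m = RULE_RE.match(line)
        if not m:
            continue
        kind, src, tgt, classes, perms = m.groups()
        for cls in _split_set(classes):
            for perm in _split_set(perms):
                yield kind, src, tgt, cls, perm


def access_state(policy_text, src, tgt, cls, perm):
    """'allowed', 'dontaudit' (denied, not logged) or 'denied' (denied and logged).

    An allow rule wins outright; a dontaudit only changes what gets logged."""
    state = "denied"
    for kind, s, t, c, p in parse_rules(policy_text):
        if (s, t, c, p) != (src, tgt, cls, perm):
            continue
        if kind == "allow":
            return "allowed"
        state = "dontaudit"
    return state


# Accesses the crontab -u check needs, constructed from the allow lines the
# patch adds (this is an assumption for the example, not a libselinux spec).
CHECK_ACCESSES = [
    ("proc_t", "dir", "search"),
    ("proc_t", "file", "read"),
    ("selinux_config_t", "dir", "search"),
    ("selinux_config_t", "file", "read"),
]


def report(policy_text, domain="user_crontab_t"):
    """Map each needed access to its state under the given policy text."""
    return {f"{t}:{c} {p}": access_state(policy_text, domain, t, c, p)
            for t, c, p in CHECK_ACCESSES}


def check_passes(policy_text, domain="user_crontab_t"):
    """True only when every needed access is genuinely allowed, not merely silenced."""
    return all(v == "allowed" for v in report(policy_text, domain).values())


if __name__ == "__main__":
    for name, pol in (("unpatched", UNPATCHED_POLICY), ("patched", PATCHED_POLICY)):
        print(name, "check passes:", check_passes(pol))
        for access, state in report(pol).items():
            print("   ", access, "->", state)
    # Note the patched policy still only dontaudits self:dir search.
    print("patched self:dir search ->",
          access_state(PATCHED_POLICY, "user_crontab_t", "self", "dir", "search"))
```

Running it shows the unpatched fragment leaving two of the accesses merely silenced and two denied outright, which is why nothing showed up in the audit log while the check was returning 0. It also flags that the new `dontaudit $1_crontab_t self:dir search;` is a silence, not a grant.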
--- macros/program/crontab_macros.te.orig 2005-06-30 14:30:43.000000000 +1000
+++ macros/program/crontab_macros.te 2005-06-30 14:35:37.000000000 +1000
@@ -41,8 +41,6 @@
# Use capabilities dac_override is to create the file in the directory
# under /tmp
allow $1_crontab_t $1_crontab_t:capability { setuid setgid chown dac_override };
-dontaudit $1_crontab_t proc_t:dir search;
-dontaudit $1_crontab_t selinux_config_t:dir search;
# Type for temporary files.
file_type_auto_trans($1_crontab_t, tmp_t, $1_tmp_t, { dir file })
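Review bot: removing the two `dontaudit` rules here is only safe in combination with the `allow` rules for `proc_t:dir search` and `selinux_config_t:dir search` added in the next hunk; applied on its own, this hunk turns silently suppressed denials into audited ones with no functional gain, so the two hunks should land as one change. Minor style point on the untouched context line `# Use capabilities dac_override is to create the file in the directory`: the comment reads as a fragment and would be clearer as "dac_override is needed to create the file in the directory under /tmp".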
@@ -65,6 +63,11 @@
# for the checks used by crontab -u
dontaudit $1_crontab_t security_t:dir search;
+allow $1_crontab_t proc_t:dir search;
+allow $1_crontab_t proc_t:{ file lnk_file } { getattr read };
+allow $1_crontab_t selinux_config_t:dir search;
+allow $1_crontab_t selinux_config_t:file { getattr read };
+dontaudit $1_crontab_t self:dir search;
# crontab signals crond by updating the mtime on the spooldir
allow $1_crontab_t cron_spool_t:dir setattr;
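Review bot: the new `dontaudit $1_crontab_t self:dir search;` silences but does not grant the search of the process's own `/proc/self` directory; if the `crontab -u` check ends up reading anything under `/proc/self` it will still be denied, only without an AVC message, which is exactly the failure mode the cover note describes (check silently returns 0). Suggest verifying the check in enforcing mode with the audit log clean, and changing that line to an `allow` if the access is actually needed. Also, `allow $1_crontab_t proc_t:{ file lnk_file } { getattr read };` grants read on every `proc_t`-labelled file, not only what the check consults; if the specific files are known it would be worth narrowing, given that the cover note already asks whether `$1_crontab_t` domains should be performing these security checks at all.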