diff options
author | Chris PeBenito <chpebeni@linux.microsoft.com> | 2024-02-23 16:06:03 -0500 |
---|---|---|
committer | Kenton Groombridge <concord@gentoo.org> | 2024-05-14 13:40:50 -0400 |
commit | 39ffa538a206a67bdaa5afbd7af3457cdf7c23ee (patch) | |
tree | 5a37fd0aa7b014436dcac19fc99486f06faefffa /policy | |
parent | uml: Remove excessive access from user domains on uml_exec_t. (diff) | |
download | hardened-refpolicy-39ffa538a206a67bdaa5afbd7af3457cdf7c23ee.tar.gz hardened-refpolicy-39ffa538a206a67bdaa5afbd7af3457cdf7c23ee.tar.bz2 hardened-refpolicy-39ffa538a206a67bdaa5afbd7af3457cdf7c23ee.zip |
cron: Use raw entrypoint rule for system_cronjob_t.
By using domain_entry_file() to provide the entrypoint permission, it makes
the spool file an executable, with unexpected access.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Diffstat (limited to 'policy')
-rw-r--r-- | policy/modules/services/cron.te | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te index 9df1e306..e8b714c8 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -91,7 +91,6 @@ files_type(system_cron_spool_t) type system_cronjob_t alias system_crond_t; init_daemon_domain(system_cronjob_t, anacron_exec_t) corecmd_shell_entry_type(system_cronjob_t) -domain_entry_file(system_cronjob_t, system_cron_spool_t) type system_cronjob_lock_t alias system_crond_lock_t; files_lock_file(system_cronjob_lock_t) @@ -464,6 +463,7 @@ allow system_cronjob_t cron_runtime_t:file manage_file_perms; files_runtime_filetrans(system_cronjob_t, cron_runtime_t, file) manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t) +allow system_cronjob_t system_cron_spool_t:file entrypoint; allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; allow system_cronjob_t system_cronjob_lock_t:lnk_file manage_lnk_file_perms; |