From: Colin Walters <walters@verbum.org>
To: selinux@tycho.nsa.gov
Cc: Russell Coker <russell@coker.com.au>
Subject: first pass at a spamassassin/spamc/spamd policy
Date: 15 Jul 2003 14:56:32 -0400	[thread overview]
Message-ID: <1058295391.15102.97.camel@columbia> (raw)

[-- Attachment #1: Type: text/plain, Size: 940 bytes --]

Hi,

Attached is a first attempt at a spamassassin policy.  It is not going
to be sufficient for most typical users though, because we don't
currently have a clean way to transition from procmail_t to e.g.
user_spamc_t.

Russell and I discussed this issue on IRC last night, and he was of the
opinion that we should create a shell script wrapper for procmail which
looks at the type of the home directory of the user we're delivering
to, then computes and transitions to a new type (e.g. user_procmail_t)
based on that.  Once that's in place, we would have a rule like:

ifdef(`procmail.te',`
domain_auto_trans($1_procmail_t, spamc_exec_t, $1_spamc_t)
')
in spamassassin_macros.te.

One other issue I ran into; what's a good way to specify that a program
may interact with the user?  Right now I'm doing:

allow $1_$2_t privfd:fd use;
allow $1_$2_t userpty_type:chr_file rw_file_perms;

But this seems a bit unclean.  Any suggestions?



[-- Attachment #2: spamassassin_macros.te --]
[-- Type: text/plain, Size: 3238 bytes --]

#
# Macros for spamassassin domains.
#
# Author: Colin Walters <walters@verbum.org>

# spamassassin_domain(domain_prefix)
#
# Define derived domains for various spamassassin tools when executed
# by a user domain.
#
# The type declarations for the executable types of these programs are
# provided separately in domains/program/spamassassin.te and
# domains/program/spamc.te.
#
# Drop any earlier definition of spamassassin_domain before redefining it below.
undefine(`spamassassin_domain')
# Define the using_spamassassin flag when any of the three policy files is
# part of the build (assumes the build defines an m4 symbol named after each
# included .te file - TODO confirm).  Repeating the definition is harmless.
ifdef(`spamassassin.te', `define(`using_spamassassin', `')')
ifdef(`spamd.te', `define(`using_spamassassin', `')')
ifdef(`spamc.te', `define(`using_spamassassin', `')')

ifdef(`using_spamassassin',`

#######
# Macros used internally in these spamassassin macros.
#

###
# Define a domain for a spamassassin-like program (spamc/spamassassin).
#
# Note: most of this should really be in a generic macro like
# base_user_program($1, foo)
# Parameters:
#   $1 - prefix of the calling user domain; the rules use $1_t and $1_r
#   $2 - program name; $2_exec_t has to be declared elsewhere
# Creates the derived domain $1_$2_t and enters it automatically when
# $1_t executes a file labelled $2_exec_t.
# Keep quote characters out of comments inside the macro body: the body is
# an m4 quoted string and a stray quote would end it early.
define(`spamassassin_program_domain',`
type $1_$2_t, domain, privlog;
domain_auto_trans($1_t, $2_exec_t, $1_$2_t)

# Authorize role $1_r for the new domain.
role $1_r types $1_$2_t;
general_domain_access($1_$2_t)

base_file_read_access($1_$2_t)
normal_config_file_read_access($1_$2_t)
uses_shlib($1_$2_t)
read_locale($1_$2_t)
# dontaudit grants nothing; it only keeps the denied var_t searches out of
# the audit log.
dontaudit $1_$2_t var_t:dir search;
# Terminal interaction: use file descriptors owned by privfd and read/write
# user ptys.
# NOTE(review): userpty_type looks like an attribute covering the pty types
# of every user, not only those of $1; if so this also permits read/write on
# terminals of other users.  A per-user pty type (presumably $1_devpts_t)
# would be narrower - confirm against the base policy.
allow $1_$2_t privfd:fd use;
allow $1_$2_t userpty_type:chr_file rw_file_perms;
') dnl end spamassassin_program_domain

###
# Give privileges to a domain for accessing ~/.spamassassin
# and a few other misc things like /dev/random.
# This is granted to /usr/bin/spamassassin and
# /usr/sbin/spamd, but NOT spamc (because it does not need it).
#
# Parameters:
#   $1 - full type of the domain receiving the access (e.g. spamd_t)
#   $2 - user domain prefix whose ~/.spamassassin type is used
define(`spamassassin_agent_privs',`
# Traverse the home directory hierarchy down to the user home directory.
# NOTE(review): user_home_dir_type and sysadm_home_dir_t are wider than the
# single $2_home_dir_t used on the next line; the grant is search/getattr
# only, but check whether $2_home_dir_t alone would be enough for per-user
# callers.
allow $1 { home_root_t user_home_dir_type sysadm_home_dir_t }:dir { search getattr };
# Objects that $1 creates in $2_home_dir_t are labelled
# $2_home_spamassassin_t (presumably for every entry it creates there, not
# only .spamassassin - confirm in the macro definition).
file_type_auto_trans($1, $2_home_dir_t, $2_home_spamassassin_t)
create_dir_file($1, $2_home_spamassassin_t)

# Read access to the random device.
allow $1 random_device_t:chr_file r_file_perms;
')

#######
# Define the main spamassassin macro.  This itself creates a
# domain for /usr/bin/spamassassin, and also spamc/spamd if
# applicable.
#
# Parameter:
#   $1 - user domain prefix (the rules below use $1_t)
define(`spamassassin_domain',`
# Derived domain $1_spamassassin_t for the spamassassin program itself.
spamassassin_program_domain($1, spamassassin)

# For perl libraries.
allow $1_spamassassin_t lib_t:file rx_file_perms;
# Ignore perl digging in /proc and /var.
dontaudit $1_spamassassin_t proc_t:dir search;
dontaudit $1_spamassassin_t { sysctl_t sysctl_kernel_t }:dir search;

# The type of ~/.spamassassin
type $1_home_spamassassin_t, file_type, sysadmfile;
# The user domain itself may manage and relabel objects of this type.
create_dir_file($1_t, $1_home_spamassassin_t)
allow $1_t $1_home_spamassassin_t:notdevfile_class_set { relabelfrom relabelto };
allow $1_t $1_home_spamassassin_t:dir { relabelfrom relabelto };

spamassassin_agent_privs($1_spamassassin_t, $1)

# Uncomment if you have spamassassin do DNS lookups
#can_network($1_spamassassin_t)

###
# Define the domain for /usr/bin/spamc
#
ifdef(`spamc.te',`
spamassassin_program_domain($1, spamc)
# NOTE(review): can_network is presumably a general network grant and so
# wider than the spamd connection allowed below; if spamc only ever talks to
# a local spamd, check whether can_tcp_connect alone is sufficient.
can_network($1_spamc_t)

# Allow connecting to a local spamd
ifdef(`spamd.te',`
can_tcp_connect($1_spamc_t, spamd_t)
') dnl endif spamd.te
') dnl endif spamc.te

###
# Define the domain for /usr/sbin/spamd
#
ifdef(`spamd.te',`

# Expanded once per user prefix: every expansion gives spamd_t the agent
# privileges for $1_home_spamassassin_t, so the daemon accumulates access to
# the ~/.spamassassin type of each user domain this macro is called for.
spamassassin_agent_privs(spamd_t, $1)

') dnl endif spamd.te

') dnl end spamassassin_domain

', `

# using_spamassassin is not defined: make spamassassin_domain an empty
# macro so that a call to it expands to nothing.
define(`spamassassin_domain',`')

')

[-- Attachment #3: spamassassin.te --]
[-- Type: text/plain, Size: 218 bytes --]

#DESC SpamAssassin
#
# Author: Colin Walters <walters@debian.org>
# X-Debian-Packages: spamassassin

# Type for the spamassassin executable.  spamassassin_program_domain($1,
# spamassassin) in spamassassin_macros.te refers to it as $2_exec_t for the
# automatic domain transition.
type spamassassin_exec_t, file_type, sysadmfile, exec_type;

# Everything else is in spamassassin_macros.te.

[-- Attachment #4: spamc.te --]
[-- Type: text/plain, Size: 222 bytes --]

#DESC Spamc - Spamassassin client
#
# Author: Colin Walters <walters@debian.org>
# X-Debian-Packages: spamc
#

# Type for the spamc executable.  spamassassin_program_domain($1, spamc) in
# spamassassin_macros.te refers to it as $2_exec_t for the automatic domain
# transition.
type spamc_exec_t, file_type, sysadmfile, exec_type;

# Everything else is in spamassassin_macros.te.

[-- Attachment #5: spamd.te --]
[-- Type: text/plain, Size: 1025 bytes --]

#DESC Spamd - Spamassassin daemon
#
# Author: Colin Walters <walters@debian.org>
# X-Debian-Packages: spamassassin
#

# Declare the spamd daemon domain through the shared daemon_domain macro
# (presumably spamd_t and its executable type - confirm in the macro).
daemon_domain(spamd)

# Temporary files for spamd via tmp_domain, plus listing of the shared
# tmp_t directory itself.
tmp_domain(spamd)
allow spamd_t tmp_t:dir { getattr read };

# Dedicated port type.  This rule lets spamd bind TCP sockets to ports
# labelled spamd_port_t (tcp 783 in the accompanying net_contexts patch).
type spamd_port_t, port_type;
allow spamd_t spamd_port_t:tcp_socket name_bind;

general_domain_access(spamd_t)
base_file_read_access(spamd_t)
normal_config_file_read_access(spamd_t)
uses_shlib(spamd_t)

# Various Perl bits
allow spamd_t lib_t:file rx_file_perms;
# The dontaudit rules below grant nothing; they only keep the resulting
# denials out of the audit log.
# NOTE(review): this also hides shadow_t read attempts by a network-listening
# daemon from anyone watching AVC denials; consider leaving that rule out so
# such attempts stay visible.
dontaudit spamd_t { sysctl_t sysctl_kernel_t }:dir search;
dontaudit spamd_t { shadow_t }:file read;
dontaudit spamd_t sysadm_devpts_t:chr_file { read write };
dontaudit spamd_t initrc_var_run_t:file { read write lock };

can_network(spamd_t)
# Required to bind a port below 1024 (783 in the net_contexts patch).
allow spamd_t self:capability { net_bind_service };

# Spamassassin, when run as root and using per-user config files,
# setuids to the user running spamc.  Comment this if you are not
# using this ability.
# NOTE(review): setuid and setgid cover the identity switch itself;
# dac_override and dac_read_search additionally let the root process bypass
# file permission checks on anything the spamd_t rules reach.  Check with
# the audit log whether spamd still needs them before granting both.
allow spamd_t self:capability { setuid setgid dac_override dac_read_search };

[-- Attachment #6: spamassassin-general.patch --]
[-- Type: text/plain, Size: 1009 bytes --]

--- policy-1.0/macros/user_macros.te	2003-07-07 09:19:28.000000000 -0400
+++ selinux-policy-1.0/macros/user_macros.te	2003-07-15 03:04:34.000000000 -0400
@@ -155,6 +155,7 @@
 ifdef(`crontab.te', `crontab_domain($1)')
 ifdef(`ssh.te', `ssh_domain($1)')
 ifdef(`irc.te', `irc_domain($1)')
+ifdef(`using_spamassassin', `spamassassin_domain($1)')
 ifdef(`uml.te', `uml_domain($1)')
 ifdef(`clamav.te', `user_clamscan_domain($1)')
 ifdef(`fingerd.te', `fingerd_macro($1)')
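Review bot: The added `spamassassin_domain($1)` line has no comment saying that it does more than create per-user domains. In the attached spamassassin_macros.te each expansion also runs `spamassassin_agent_privs(spamd_t, $1)` when spamd.te is present, which gives the network-listening spamd_t create and write access to that user's ~/.spamassassin type. I would add `# Also grants spamd_t access to $1_home_spamassassin_t when spamd.te is built.` above the new line. The enclosing macro starts and ends outside the hunk, so which prefixes it is expanded for (for instance whether sysadm is included) cannot be seen here and is worth checking.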
--- policy-1.0/net_contexts	2003-07-10 10:44:59.000000000 -0400
+++ selinux-policy-1.0/net_contexts	2003-07-15 13:27:56.000000000 -0400
@@ -75,6 +75,7 @@
 portcon udp 5323 system_u:object_r:imaze_port_t
 ')
 ifdef(`ircd.te', `portcon tcp 6667 system_u:object_r:ircd_port_t')
+ifdef(`spamd.te', `portcon tcp 783 system_u:object_r:spamd_port_t')
 ifdef(`apache.te', `define(`use_http_cache')')
 ifdef(`squid.te', `define(`use_http_cache')')
 ifdef(`use_http_cache', `portcon tcp 8080  system_u:object_r:http_cache_port_t')
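Review bot: The new `portcon tcp 783` entry is undocumented, and the attached spamd.te grants `name_bind` on spamd_port_t, so this label decides which port spamd may bind under that rule. A comment such as `# spamd default listening port; change together with the port spamd is started on` above the line would help, since a daemon configured for another port would presumably be denied or need a wider grant. Because 783 is below 1024, the entry also depends on the `net_bind_service` capability granted in spamd.te.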
