* [PATCH] mailman3 V2
@ 2022-02-19  8:08 Russell Coker
From: Russell Coker @ 2022-02-19  8:08 UTC (permalink / raw)
  To: selinux-refpolicy

Updated patch based on feedback from Dominick Grift in Feb 2021.

I think this is ready for merging.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20220219/policy/modules/services/mailman.if
===================================================================
--- refpolicy-2.20220219.orig/policy/modules/services/mailman.if
+++ refpolicy-2.20220219/policy/modules/services/mailman.if
@@ -109,6 +109,44 @@ interface(`mailman_domtrans_cgi',`
 
 #######################################
 ## <summary>
+##	Talk to mailman_cgi_t via Unix domain socket
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain talking to mailman
+##	</summary>
+## </param>
+#
+interface(`mailman_stream_connect_cgi',`
+	gen_require(`
+		type mailman_cgi_t, mailman_runtime_t;
+	')
+
+	files_search_runtime($1)
+	stream_connect_pattern($1, mailman_runtime_t, mailman_runtime_t, mailman_cgi_t)
+')
+
+#######################################
+## <summary>
+##	Manage mailman runtime files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to manage the files
+##	</summary>
+## </param>
+#
+interface(`mailman_manage_runtime_files',`
+	gen_require(`
+		type mailman_runtime_t;
+	')
+
+	files_search_runtime($1)
+	manage_files_pattern($1, mailman_runtime_t, mailman_runtime_t)
+')
+
+#######################################
+## <summary>
 ##	Execute mailman in the caller domain.
 ## </summary>
 ## <param name="domain">
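Review bot: `mailman_manage_runtime_files` is the interface cron.te later calls "for flock" on system_cronjob_t, yet `manage_files_pattern` grants create, unlink and rename on mailman_runtime_t while an flock only needs `lock`, which `rw_file_perms` already carries. A narrower `mailman_rw_runtime_files` built on `rw_files_pattern($1, mailman_runtime_t, mailman_runtime_t)` would cover the cron use without letting cron jobs create or remove runtime files; keep the manage variant only if a caller is known to need it. The `<summary>` of the `domain` parameter in both new interfaces could also use the wording the rest of the file uses, `Domain allowed access.`.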
@@ -186,6 +224,24 @@ interface(`mailman_read_data_files',`
 
 #######################################
 ## <summary>
+##	map mailman data content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailman_map_data_files',`
+	gen_require(`
+		type mailman_data_t;
+	')
+
+	allow $1 mailman_data_t:file map;
+')
+
+#######################################
+## <summary>
 ##	Create, read, write, and delete
 ##	mailman data files.
 ## </summary>
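Review bot: `mailman_map_data_files` has no caller anywhere in this patch, and because it grants only `map` on mailman_data_t:file it is only useful together with `mailman_read_data_files`; that dependency is worth stating in the summary, e.g. `Map mailman data files; callers also need mailman_read_data_files().`, and the summary should start with a capital like its neighbours. If no caller is planned the interface could wait until one exists.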
@@ -342,3 +398,21 @@ interface(`mailman_domtrans_queue',`
 	libs_search_lib($1)
 	domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
 ')
+
+#######################################
+## <summary>
+##	Manage mailman lock dir
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to manage it.
+##	</summary>
+## </param>
+#
+interface(`mailman_manage_lockdir',`
+	gen_require(`
+		type mailman_lock_t;
+	')
+
+	allow $1 mailman_lock_t:dir manage_dir_perms;
+')
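Review bot: `mailman_manage_lockdir` does not call `files_search_locks($1)` before its allow rule, so unlike `mailman_manage_runtime_files`, which calls `files_search_runtime($1)`, it is not self-contained: a caller that cannot already search the locks directory cannot reach mailman_lock_t. It also uses a bare `allow` where the sibling interface uses the pattern macro; `files_search_locks($1)` followed by `manage_dirs_pattern($1, mailman_lock_t, mailman_lock_t)` is the conventional form.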
Index: refpolicy-2.20220219/policy/modules/services/mailman.te
===================================================================
--- refpolicy-2.20220219.orig/policy/modules/services/mailman.te
+++ refpolicy-2.20220219/policy/modules/services/mailman.te
@@ -10,6 +10,7 @@ attribute mailman_domain;
 attribute_role mailman_roles;
 
 mailman_domain_template(cgi)
+init_daemon_domain(mailman_cgi_t, mailman_cgi_exec_t)
 
 type mailman_data_t;
 files_type(mailman_data_t)
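Review bot: `init_daemon_domain(mailman_cgi_t, mailman_cgi_exec_t)` turns a domain that is otherwise entered from httpd through `mailman_domtrans_cgi` into an init-started daemon domain, and the reason (uwsgi for mailman3-web, started from a unit that sets SELinuxContext=) is only explained by a comment in a later hunk next to `corecmd_bin_entry_type`. Readers of the type declarations will not see that; a short comment here such as `# mailman3-web runs under uwsgi as an init daemon; the unit sets SELinuxContext= to mailman_cgi_t` would make the dual entry path obvious.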
@@ -26,11 +27,18 @@ files_lock_file(mailman_lock_t)
 type mailman_runtime_t alias mailman_var_run_t;
 files_runtime_file(mailman_runtime_t)
 
+type mailman_cgi_tmpfs_t;
+files_tmpfs_file(mailman_cgi_tmpfs_t)
+
+type mailman_queue_tmpfs_t;
+files_tmpfs_file(mailman_queue_tmpfs_t)
+
 mailman_domain_template(mail)
 init_daemon_domain(mailman_mail_t, mailman_mail_exec_t)
 role mailman_roles types mailman_mail_t;
 
 mailman_domain_template(queue)
+init_daemon_domain(mailman_queue_t, mailman_queue_exec_t)
 
 ########################################
 #
@@ -89,13 +97,16 @@ miscfiles_read_localization(mailman_doma
 # CGI local policy
 #
 
-allow mailman_cgi_t self:unix_dgram_socket { create connect };
+allow mailman_cgi_t self:process { signal signull sigkill };
+allow mailman_cgi_t self:fifo_file rw_fifo_file_perms;
+allow mailman_cgi_t self:capability { dac_override setgid setuid };
+allow mailman_cgi_t self:unix_dgram_socket create_socket_perms;
 
 allow mailman_cgi_t mailman_archive_t:dir search_dir_perms;
 allow mailman_cgi_t mailman_archive_t:file read_file_perms;
 
 allow mailman_cgi_t mailman_data_t:dir rw_dir_perms;
-allow mailman_cgi_t mailman_data_t:file manage_file_perms;
+allow mailman_cgi_t mailman_data_t:file { map manage_file_perms };
 allow mailman_cgi_t mailman_data_t:lnk_file read_lnk_file_perms;
 
 allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms;
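Review bot: `allow mailman_cgi_t self:capability { dac_override setgid setuid };` adds dac_override to the web-facing domain, letting it bypass DAC permission checks on every file its SELinux rules already reach; the same capability is added to mailman_queue_t in the queue local policy hunk. dac_override is usually a symptom of a file owned by the wrong user (a log or runtime file created as root and then opened as the service user, presumably), so it is worth recording what triggers it and whether fixing ownership in the packaging removes the need. If it must stay, a one-line comment naming the cause, e.g. `# dac_override: <file/operation that needs it - TODO confirm>`, is the minimum.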
@@ -104,11 +115,27 @@ allow mailman_cgi_t mailman_lock_t:file
 allow mailman_cgi_t mailman_log_t:file { append_file_perms read_file_perms };
 allow mailman_cgi_t mailman_log_t:dir search_dir_perms;
 
+allow mailman_cgi_t mailman_runtime_t:dir rw_dir_perms;
+allow mailman_cgi_t mailman_runtime_t:file read_file_perms;
+allow mailman_cgi_t mailman_runtime_t:sock_file manage_file_perms;
+
+fs_tmpfs_filetrans(mailman_cgi_t, mailman_cgi_tmpfs_t, file)
+allow mailman_cgi_t mailman_cgi_tmpfs_t:file { map manage_file_perms };
+
 kernel_read_crypto_sysctls(mailman_cgi_t)
+kernel_read_net_sysctls(mailman_cgi_t)
 kernel_read_system_state(mailman_cgi_t)
+kernel_read_vm_overcommit_sysctl(mailman_cgi_t)
 
+# need SELinuxContext=system_u:system_r:mailman_cgi_t:s0 in the systemd
+# service file for the correct context on running /usr/bin/uwsgi for
+# mailman3-web
+corecmd_bin_entry_type(mailman_cgi_t)
 corecmd_exec_bin(mailman_cgi_t)
 
+corenet_tcp_bind_generic_node(mailman_cgi_t)
+corenet_tcp_connect_all_unreserved_ports(mailman_cgi_t)
+
 dev_read_urand(mailman_cgi_t)
 
 files_search_locks(mailman_cgi_t)
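Review bot: `corenet_tcp_connect_all_unreserved_ports(mailman_cgi_t)` lets the web domain open a TCP connection to any unreserved port, which is far broader than the per-service interfaces the rest of the patch uses (`mysql_stream_connect`, `corenet_tcp_connect_http_port`); if the target is the mailman3 REST API or the database, the matching port interface, or a dedicated port type, keeps the web domain from reaching arbitrary local services. Also `allow mailman_cgi_t mailman_runtime_t:sock_file manage_file_perms;` applies the file permission set to a sock_file; `manage_sock_file_perms` is the set meant for that class.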
@@ -120,9 +147,9 @@ libs_dontaudit_write_lib_dirs(mailman_cg
 
 logging_search_logs(mailman_cgi_t)
 
+miscfiles_read_generic_certs(mailman_cgi_t)
 miscfiles_read_localization(mailman_cgi_t)
 
-
 optional_policy(`
 	apache_sigchld(mailman_cgi_t)
 	apache_use_fds(mailman_cgi_t)
@@ -133,6 +160,15 @@ optional_policy(`
 ')
 
 optional_policy(`
+	cron_rw_inherited_tmp_files(mailman_cgi_t)
+	cron_system_entry(mailman_cgi_t, mailman_cgi_exec_t)
+')
+
+optional_policy(`
+	mysql_stream_connect(mailman_cgi_t)
+')
+
+optional_policy(`
 	postfix_read_config(mailman_cgi_t)
 ')
 
@@ -142,7 +178,9 @@ optional_policy(`
 #
 
 allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config };
-allow mailman_mail_t self:process { signal signull setsched };
+allow mailman_mail_t self:process { execmem signal signull setsched };
+allow mailman_mail_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
+allow mailman_mail_t self:fifo_file rw_file_perms;
 
 allow mailman_mail_t mailman_archive_t:dir manage_dir_perms;
 allow mailman_mail_t mailman_archive_t:file manage_file_perms;
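Review bot: `execmem` for mailman_mail_t allows anonymous memory that is both writable and executable, which disables a key exploit mitigation for the mail delivery domain; it should carry a comment naming what needs it (a JIT or a native library loaded by the Python runtime, presumably) and ideally be gated by a boolean so sites that do not hit it can leave it off. The `self:netlink_audit_socket { nlmsg_relay create_socket_perms }` line deserves the same comment, since relaying audit messages is normally a PAM or libaudit side effect rather than something a delivery wrapper does on its own. Also `self:fifo_file rw_file_perms` should be `rw_fifo_file_perms`, matching the cgi and queue domains in this patch.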
@@ -167,8 +205,12 @@ manage_files_pattern(mailman_mail_t, mai
 manage_dirs_pattern(mailman_mail_t, mailman_runtime_t, mailman_runtime_t)
 files_runtime_filetrans(mailman_mail_t, mailman_runtime_t, { file dir })
 
+kernel_read_network_state(mailman_mail_t)
 kernel_read_system_state(mailman_mail_t)
 
+corenet_tcp_bind_all_unreserved_ports(mailman_mail_t)
+corenet_tcp_bind_generic_node(mailman_mail_t)
+corenet_tcp_connect_http_port(mailman_mail_t)
 corenet_tcp_connect_smtp_port(mailman_mail_t)
 corenet_sendrecv_spamd_client_packets(mailman_mail_t)
 corenet_sendrecv_innd_client_packets(mailman_mail_t)
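Review bot: `corenet_tcp_bind_all_unreserved_ports(mailman_mail_t)` allows the mail delivery wrapper to listen on any unreserved TCP port, and the same line is added for mailman_queue_t in the queue local policy hunk. If this is for the mailman3 LMTP or REST runners, binding should be limited to the specific port type those services use (adding one in corenetwork if none fits), and the mail wrapper itself probably needs no listening socket at all, which is worth confirming against the denials that prompted the rule. A comment on `corenet_tcp_connect_http_port` saying it is the REST API would also help the next reader.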
@@ -193,6 +235,7 @@ libs_read_lib_files(mailman_mail_t)
 
 logging_search_logs(mailman_mail_t)
 
+miscfiles_read_generic_certs(mailman_mail_t)
 miscfiles_read_localization(mailman_mail_t)
 
 mta_use_mailserver_fds(mailman_mail_t)
@@ -200,14 +243,26 @@ mta_dontaudit_rw_delivery_tcp_sockets(ma
 mta_dontaudit_rw_queue(mailman_mail_t)
 
 optional_policy(`
+	apache_search_config(mailman_mail_t)
+')
+
+optional_policy(`
 	courier_read_spool(mailman_mail_t)
 ')
 
 optional_policy(`
 	cron_read_pipes(mailman_mail_t)
+	cron_rw_inherited_tmp_files(mailman_mail_t)
+	cron_search_spool(mailman_mail_t)
+	cron_system_entry(mailman_mail_t, mailman_mail_exec_t)
+')
+
+optional_policy(`
+	corenet_tcp_connect_mysqld_port(mailman_mail_t)
 ')
 
 optional_policy(`
+	postfix_read_config(mailman_mail_t)
 	postfix_search_spool(mailman_mail_t)
 	postfix_rw_inherited_master_pipes(mailman_mail_t)
 ')
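Review bot: `corenet_tcp_connect_mysqld_port(mailman_mail_t)` is wrapped in `optional_policy`, but corenetwork is a core module, so the wrapper has no effect; the queue domain hunk uses `mysql_tcp_connect(mailman_queue_t)` for the same need, and `mysql_tcp_connect(mailman_mail_t)` inside that optional block is the consistent form. The rest of the hunk is fine.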
@@ -217,15 +272,18 @@ optional_policy(`
 # Queue local policy
 #
 
-allow mailman_queue_t self:capability { setgid setuid };
+allow mailman_queue_t self:capability { dac_override setgid setuid };
 allow mailman_queue_t self:process { setsched signal_perms };
 allow mailman_queue_t self:fifo_file rw_fifo_file_perms;
 
+allow mailman_queue_t mailman_runtime_t:dir rw_dir_perms;
+allow mailman_queue_t mailman_runtime_t:file manage_file_perms;
+
 allow mailman_queue_t mailman_archive_t:dir manage_dir_perms;
 allow mailman_queue_t mailman_archive_t:file manage_file_perms;
 
 allow mailman_queue_t mailman_data_t:dir rw_dir_perms;
-allow mailman_queue_t mailman_data_t:file manage_file_perms;
+allow mailman_queue_t mailman_data_t:file { map manage_file_perms };
 allow mailman_queue_t mailman_data_t:lnk_file read_lnk_file_perms;
 
 allow mailman_queue_t mailman_lock_t:dir rw_dir_perms;
@@ -234,15 +292,25 @@ allow mailman_queue_t mailman_lock_t:fil
 allow mailman_queue_t mailman_log_t:dir list_dir_perms;
 allow mailman_queue_t mailman_log_t:file manage_file_perms;
 
+fs_tmpfs_filetrans(mailman_queue_t, mailman_queue_tmpfs_t, file)
+allow mailman_queue_t mailman_queue_tmpfs_t:file { map manage_file_perms };
+
+kernel_read_network_state(mailman_queue_t)
 kernel_read_system_state(mailman_queue_t)
+kernel_search_vm_sysctl(mailman_queue_t)
 
 auth_domtrans_chk_passwd(mailman_queue_t)
 
 corecmd_read_bin_files(mailman_queue_t)
 corenet_sendrecv_innd_client_packets(mailman_queue_t)
+corenet_tcp_bind_all_unreserved_ports(mailman_queue_t)
+corenet_tcp_bind_generic_node(mailman_queue_t)
+corenet_tcp_connect_generic_port(mailman_queue_t)
+corenet_tcp_connect_http_port(mailman_queue_t)
 corenet_tcp_connect_innd_port(mailman_queue_t)
 
 files_dontaudit_search_runtime(mailman_queue_t)
+files_read_usr_files(mailman_queue_t)
 files_search_locks(mailman_queue_t)
 
 miscfiles_read_localization(mailman_queue_t)
@@ -251,14 +319,24 @@ seutil_dontaudit_search_config(mailman_q
 
 userdom_search_user_home_dirs(mailman_queue_t)
 
-cron_rw_tmp_files(mailman_queue_t)
-
 optional_policy(`
 	apache_read_config(mailman_queue_t)
 ')
 
 optional_policy(`
+	cron_rw_tmp_files(mailman_queue_t)
+	cron_search_spool(mailman_queue_t)
 	cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
+	cron_use_fds(mailman_queue_t)
+')
+
+optional_policy(`
+	mysql_stream_connect(mailman_queue_t)
+	mysql_tcp_connect(mailman_queue_t)
+')
+
+optional_policy(`
+	postfix_read_config(mailman_queue_t)
 ')
 
 optional_policy(`
Index: refpolicy-2.20220219/policy/modules/services/apache.te
===================================================================
--- refpolicy-2.20220219.orig/policy/modules/services/apache.te
+++ refpolicy-2.20220219/policy/modules/services/apache.te
@@ -815,6 +815,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	mailman_stream_connect_cgi(httpd_t)
 	mailman_signal_cgi(httpd_t)
 	mailman_domtrans_cgi(httpd_t)
 	mailman_read_data_files(httpd_t)
Index: refpolicy-2.20220219/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20220219.orig/policy/modules/services/cron.te
+++ refpolicy-2.20220219/policy/modules/services/cron.te
@@ -604,6 +604,12 @@ optional_policy(`
 ')
 
 optional_policy(`
+	mailman_domtrans_queue(system_cronjob_t)
+	# for flock
+	mailman_manage_runtime_files(system_cronjob_t)
+')
+
+optional_policy(`
 	mrtg_append_create_logs(system_cronjob_t)
 	mrtg_read_config(system_cronjob_t)
 ')
Index: refpolicy-2.20220219/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20220219.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20220219/policy/modules/system/systemd.te
@@ -1796,6 +1796,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	mailman_manage_lockdir(systemd_tmpfiles_t)
+')
+
+optional_policy(`
 	xfs_create_tmp_dirs(systemd_tmpfiles_t)
 ')
 
Index: refpolicy-2.20220219/policy/modules/services/mailman.fc
===================================================================
--- refpolicy-2.20220219.orig/policy/modules/services/mailman.fc
+++ refpolicy-2.20220219/policy/modules/services/mailman.fc
@@ -20,6 +20,7 @@
 
 /usr/lib/cgi-bin/mailman/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
 /usr/lib/mailman/bin/qrunner	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/usr/lib/mailman3/bin/.*	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
 /usr/lib/mailman/cgi-bin/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
 /usr/lib/mailman/mail/mailman	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 /usr/lib/mailman/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
@@ -28,3 +29,4 @@
 /usr/mailman/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 
 /usr/share/doc/mailman/mm-handler.*	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/share/mailman3-web/manage.py --	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
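Review bot: The new entry `/usr/share/mailman3-web/manage.py --	gen_context(...)` separates the path from `--` with a space where every other line in the file uses a tab; align it for consistency. It also labels the mailman3-web management script as mailman_queue_exec_t, so running it enters mailman_queue_t rather than mailman_cgi_t, which this patch otherwise treats as the mailman3-web domain; a comment stating that this is intended (cron-driven management tasks, presumably) would avoid the question at merge time.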
