Date: Sun, 5 Apr 2020 19:04:28 +1000
From: Russell Coker
To: "selinux-refpolicy@vger.kernel.org"
Subject: latest ver of trivial mail server patch
Message-ID: <20200405090428.GD177560@xev>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org

Yes, mmap is the standard way of accessing the mail spool.

Removed spamd_gpg_t because there's no point to it; the separation doesn't provide an actual benefit.

Made the other requested changes.

Signed-off-by: Russell Coker

Index: refpolicy-2.20200405/policy/modules/services/mailman.fc =================================================================== --- refpolicy-2.20200405.orig/policy/modules/services/mailman.fc +++ refpolicy-2.20200405/policy/modules/services/mailman.fc @@ -1,6 +1,7 @@ /etc/cron\.(daily|monthly)/mailman -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) /etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0) +/etc/mailman/postfix-to-mailman.py -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) /usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) /usr/lib/mailman/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) Index: refpolicy-2.20200405/policy/modules/services/mailman.if =================================================================== --- refpolicy-2.20200405.orig/policy/modules/services/mailman.if +++ refpolicy-2.20200405/policy/modules/services/mailman.if
@@ -319,6 +319,7 @@ interface(`mailman_read_archive',` files_search_var_lib($1) allow $1 mailman_archive_t:dir list_dir_perms; read_files_pattern($1, mailman_archive_t, mailman_archive_t) + allow $1 mailman_archive_t:file map; read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t) ') Index: refpolicy-2.20200405/policy/modules/services/mailman.te =================================================================== --- refpolicy-2.20200405.orig/policy/modules/services/mailman.te +++ refpolicy-2.20200405/policy/modules/services/mailman.te @@ -182,6 +182,7 @@ corecmd_exec_bin(mailman_mail_t) files_search_locks(mailman_mail_t) fs_rw_anon_inodefs_files(mailman_mail_t) +fs_search_tmpfs(mailman_mail_t) # this is far from ideal, but systemd reduces the importance of initrc_t init_signal_script(mailman_mail_t) Index: refpolicy-2.20200405/policy/modules/services/mta.if =================================================================== --- refpolicy-2.20200405.orig/policy/modules/services/mta.if +++ refpolicy-2.20200405/policy/modules/services/mta.if @@ -251,6 +251,7 @@ interface(`mta_manage_mail_home_rw_conte userdom_search_user_home_dirs($1) manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t) manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t) + allow $1 mail_home_rw_t:file map; manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t) ') @@ -867,6 +868,7 @@ interface(`mta_read_spool_files',` files_search_spool($1) read_files_pattern($1, mail_spool_t, mail_spool_t) + allow $1 mail_spool_t:file map; ') ######################################## 
@@ -949,6 +951,7 @@ interface(`mta_manage_spool',` files_search_spool($1) manage_dirs_pattern($1, mail_spool_t, mail_spool_t) manage_files_pattern($1, mail_spool_t, mail_spool_t) + allow $1 mail_spool_t:file map; manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') Index: refpolicy-2.20200405/policy/modules/services/spamassassin.if =================================================================== --- refpolicy-2.20200405.orig/policy/modules/services/spamassassin.if +++ refpolicy-2.20200405/policy/modules/services/spamassassin.if @@ -433,3 +433,41 @@ interface(`spamassassin_admin',` # sa-update spamassassin_run_update($1, $2) ') + +######################################## +## +## reload SA service +## +## +## +## Domain allowed access. +## +## +## +# +interface(`spamassassin_service_reload',` + gen_require(` + type spamassassin_unit_t; + ') + + allow $1 spamassassin_unit_t:service reload; +') + +######################################## +## +## Get SA service status +## +## +## +## Domain allowed access. +## +## +## +# +interface(`spamassassin_service_status',` + gen_require(` + type spamassassin_unit_t; + ') + + allow $1 spamassassin_unit_t:service status; +') Index: refpolicy-2.20200405/policy/modules/services/spamassassin.te =================================================================== --- refpolicy-2.20200405.orig/policy/modules/services/spamassassin.te +++ refpolicy-2.20200405/policy/modules/services/spamassassin.te @@ -22,6 +22,7 @@ gen_tunable(spamassassin_can_network, fa gen_tunable(spamd_enable_home_dirs, false) type spamd_update_t; +typealias spamd_update_t alias { spamd_gpg_t }; type spamd_update_exec_t; init_system_domain(spamd_update_t, spamd_update_exec_t) @@ -62,9 +63,6 @@ files_type(spamd_compiled_t) type spamd_etc_t; files_config_file(spamd_etc_t) -type spamd_gpg_t; -domain_type(spamd_gpg_t) - type spamd_home_t; userdom_user_home_content(spamd_home_t) 
@@ -199,11 +197,13 @@ corenet_all_recvfrom_unlabeled(spamc_t) corenet_all_recvfrom_netlabel(spamc_t) corenet_tcp_sendrecv_generic_if(spamc_t) corenet_tcp_sendrecv_generic_node(spamc_t) +corenet_udp_bind_generic_node(spamc_t) corenet_sendrecv_all_client_packets(spamc_t) corenet_tcp_connect_all_ports(spamc_t) corecmd_exec_bin(spamc_t) +corecmd_exec_shell(spamc_t) dev_read_rand(spamc_t) dev_read_urand(spamc_t) @@ -256,6 +256,8 @@ optional_policy(` optional_policy(` mta_send_mail(spamc_t) + mta_getattr_spool(spamc_t) + mta_read_spool_files(spamc_t) mta_read_config(spamc_t) mta_read_queue(spamc_t) sendmail_rw_pipes(spamc_t) @@ -351,6 +353,7 @@ corenet_udp_bind_imaze_port(spamd_t) corenet_dontaudit_udp_bind_all_ports(spamd_t) +corecmd_exec_shell(spamd_t) corecmd_exec_bin(spamd_t) dev_read_sysfs(spamd_t) @@ -358,6 +361,7 @@ dev_read_urand(spamd_t) domain_use_interactive_fds(spamd_t) +files_map_etc_files(spamd_t) files_read_usr_files(spamd_t) files_read_etc_runtime_files(spamd_t) @@ -372,6 +376,7 @@ libs_use_shared_libs(spamd_t) logging_send_syslog_msg(spamd_t) +miscfiles_read_generic_certs(spamd_t) miscfiles_read_localization(spamd_t) sysnet_use_ldap(spamd_t) @@ -487,6 +492,8 @@ manage_dirs_pattern(spamd_update_t, spam manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t) manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t) +kernel_read_crypto_sysctls(spamd_update_t) +kernel_search_fs_sysctls(spamd_update_t) kernel_read_system_state(spamd_update_t) corecmd_exec_bin(spamd_update_t) @@ -512,6 +519,7 @@ fs_getattr_xattr_fs(spamd_update_t) auth_use_nsswitch(spamd_update_t) auth_dontaudit_read_shadow(spamd_update_t) +miscfiles_read_generic_certs(spamd_update_t) miscfiles_read_localization(spamd_update_t) userdom_use_inherited_user_terminals(spamd_update_t) 
@@ -523,35 +531,5 @@ optional_policy(` ') optional_policy(` - gpg_spec_domtrans(spamd_update_t, spamd_gpg_t) - gpg_entry_type(spamd_gpg_t) - role system_r types spamd_gpg_t; - - allow spamd_gpg_t self:capability { dac_override dac_read_search }; - allow spamd_gpg_t self:unix_stream_socket { connect create }; - - allow spamd_gpg_t spamd_update_t:fd use; - allow spamd_gpg_t spamd_update_t:process sigchld; - allow spamd_gpg_t spamd_update_t:fifo_file { getattr write }; - allow spamd_gpg_t spamd_var_lib_t:dir rw_dir_perms; - allow spamd_gpg_t spamd_var_lib_t:file manage_file_perms; - allow spamd_gpg_t spamd_update_tmp_t:file read_file_perms; - - # fips - kernel_read_crypto_sysctls(spamd_gpg_t) - - domain_use_interactive_fds(spamd_gpg_t) - - files_read_etc_files(spamd_gpg_t) - files_read_usr_files(spamd_gpg_t) - files_search_var_lib(spamd_gpg_t) - files_search_pids(spamd_gpg_t) - files_search_tmp(spamd_gpg_t) - - init_use_fds(spamd_gpg_t) - init_rw_inherited_stream_socket(spamd_gpg_t) - - miscfiles_read_localization(spamd_gpg_t) - - userdom_use_inherited_user_terminals(spamd_gpg_t) + gpg_exec(spamd_update_t) ') Index: refpolicy-2.20200405/policy/modules/services/clamav.te =================================================================== --- refpolicy-2.20200405.orig/policy/modules/services/clamav.te +++ refpolicy-2.20200405/policy/modules/services/clamav.te @@ -146,6 +146,7 @@ auth_use_nsswitch(clamd_t) logging_send_syslog_msg(clamd_t) +miscfiles_read_generic_certs(clamd_t) miscfiles_read_localization(clamd_t) tunable_policy(`clamd_use_jit',` 
@@ -235,6 +236,7 @@ auth_use_nsswitch(freshclam_t) logging_send_syslog_msg(freshclam_t) +miscfiles_read_generic_certs(freshclam_t) miscfiles_read_localization(freshclam_t) tunable_policy(`clamd_use_jit',` Index: refpolicy-2.20200405/policy/modules/services/dkim.te =================================================================== --- refpolicy-2.20200405.orig/policy/modules/services/dkim.te +++ refpolicy-2.20200405/policy/modules/services/dkim.te @@ -44,6 +44,8 @@ files_pid_filetrans(dkim_milter_t, dkim_ files_read_usr_files(dkim_milter_t) files_search_spool(dkim_milter_t) +miscfiles_read_generic_certs(dkim_milter_t) + optional_policy(` mta_read_config(dkim_milter_t) ') Index: refpolicy-2.20200405/policy/modules/services/dovecot.te =================================================================== --- refpolicy-2.20200405.orig/policy/modules/services/dovecot.te +++ refpolicy-2.20200405/policy/modules/services/dovecot.te @@ -173,6 +173,7 @@ files_read_usr_files(dovecot_t) fs_getattr_all_fs(dovecot_t) fs_getattr_all_dirs(dovecot_t) +fs_read_tmpfs_symlinks(dovecot_t) fs_search_auto_mountpoints(dovecot_t) fs_list_inotifyfs(dovecot_t) @@ -269,7 +270,12 @@ selinux_get_fs_mount(dovecot_auth_t) auth_domtrans_chk_passwd(dovecot_auth_t) auth_use_nsswitch(dovecot_auth_t) +fs_search_tmpfs(dovecot_auth_t) +fs_read_tmpfs_symlinks(dovecot_auth_t) + init_rw_utmp(dovecot_auth_t) +init_rw_inherited_stream_socket(dovecot_auth_t) +init_use_fds(dovecot_auth_t) logging_send_audit_msgs(dovecot_auth_t) Index: refpolicy-2.20200405/policy/modules/services/postfix.te =================================================================== --- refpolicy-2.20200405.orig/policy/modules/services/postfix.te +++ refpolicy-2.20200405/policy/modules/services/postfix.te @@ -336,6 +336,7 @@ optional_policy(` ') optional_policy(` + mysql_read_config(postfix_master_t) mysql_stream_connect(postfix_master_t) ') 
@@ -427,6 +428,10 @@ optional_policy(` ') optional_policy(` + mysql_read_config(postfix_cleanup_t) +') + +optional_policy(` dbus_send_system_bus(postfix_cleanup_t) dbus_system_bus_client(postfix_cleanup_t) init_dbus_chat(postfix_cleanup_t) @@ -648,6 +653,7 @@ mta_rw_user_mail_stream_sockets(postfix_ optional_policy(` apache_dontaudit_rw_fifo_file(postfix_postdrop_t) + apache_use_fds(postfix_postdrop_t) ') optional_policy(` @@ -826,6 +832,10 @@ optional_policy(` ') optional_policy(` + mysql_read_config(postfix_smtpd_t) +') + +optional_policy(` postgrey_stream_connect(postfix_smtpd_t) ')
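Review bot: the new mailman.fc entry leaves the dot in `postfix-to-mailman.py` unescaped, while the neighbouring `/etc/cron\.(daily|monthly)/mailman` line in the same hunk escapes it; file context paths are regexes, so write `/etc/mailman/postfix-to-mailman\.py -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)`. The longer pattern will still win over the `/etc/mailman.*` mailman_data_t entry either way, but the escaped form is what the rest of the file uses.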
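Review bot: in `mailman_read_archive`, `mta_manage_mail_home_rw_content`, `mta_read_spool_files` and `mta_manage_spool` the new `allow $1 <type>:file map;` lines are dropped between `*_pattern` calls; refpolicy style keeps raw `allow` rules together ahead of the pattern macros (as `mailman_read_archive` already does with `allow $1 mailman_archive_t:dir list_dir_perms;`), and if this tree carries the `mmap_read_files_pattern` / `mmap_manage_files_pattern` macros, `mmap_read_files_pattern($1, mail_spool_t, mail_spool_t)` in place of `read_files_pattern` plus a bare `map` allow expresses the intent without the extra line. Also worth stating in the interface summaries: every existing caller of these read interfaces now silently gains mmap of the spool and archive, which is what spamc needs but is wider than the interface names advertise.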
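Review bot: `fs_search_tmpfs(mailman_mail_t)` arrives without a comment naming the tmpfs path mailman now walks; the very next rule in that hunk carries a `# this is far from ideal, but systemd reduces the importance of initrc_t` explanation, so a one-line note of the same kind would keep the file consistent and make the grant reviewable when someone revisits it.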
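Review bot: `spamassassin_service_reload` and `spamassassin_service_status` are added to spamassassin.if but nothing in this patch calls them, and they `gen_require` `spamassassin_unit_t` without the declaration being visible here; either include the caller domain that needs to reload or query the unit, or move these two interfaces into the patch that uses them. Minor: the summaries read `reload SA service` and `Get SA service status`; spell out SpamAssassin and use the same capitalisation in both.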
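Review bot: replacing the spamd_gpg_t domain with `gpg_exec(spamd_update_t)` removes the confinement the deleted block enumerated (the gpg process was limited to `dac_override dac_read_search`, a unix_stream_socket, rw on spamd_var_lib_t, read of spamd_update_tmp_t and a short list of read-only interfaces); gpg, which parses the downloaded rule updates and their signatures, now runs with everything spamd_update_t already has. The message says the separation buys nothing; record that decision in a comment next to `gpg_exec(spamd_update_t)`, and put a comment on `typealias spamd_update_t alias { spamd_gpg_t };` saying the alias exists only so out-of-tree policy referencing the old name keeps compiling. Also confirm in the te file that `kernel_read_crypto_sysctls(spamd_update_t)` (the `# fips` rule carried over from the gpg domain) is still needed, and that the `dac_override` / `dac_read_search` capabilities, which were not carried over, are indeed not required once gpg runs inside spamd_update_t.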
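Review bot: `corecmd_exec_shell(spamc_t)` and `corecmd_exec_shell(spamd_t)` are broad grants added without a comment on what spawns a shell from these domains; spamc in particular is a small client, so name the trigger next to the rule. Likewise `corenet_udp_bind_generic_node(spamc_t)` sits among the TCP rules with no hint of which UDP socket spamc binds; if it is the resolver's socket, check whether the DNS-resolution interface the domain already uses covers the bind before adding it separately.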
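Review bot: in the dovecot_auth_t hunk the new `fs_search_tmpfs` and `fs_read_tmpfs_symlinks` calls land after `auth_domtrans_chk_passwd` / `auth_use_nsswitch`; refpolicy orders kernel-layer calls (`fs_*`) ahead of system-layer ones (`auth_*`, `init_*`), as the dovecot_t hunk above does by placing `fs_read_tmpfs_symlinks(dovecot_t)` among the other `fs_*` lines, so move them up. `init_rw_inherited_stream_socket(dovecot_auth_t)` and `init_use_fds(dovecot_auth_t)` also deserve a comment naming what hands the auth process an init-owned socket and descriptors, since that is not obvious for a process dovecot forks itself.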
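Review bot: `mysql_read_config` is added for postfix_master_t inside the existing mysql `optional_policy` block, but for postfix_cleanup_t and postfix_smtpd_t it gets a fresh block of its own; if those two domains already have a mysql block elsewhere in postfix.te, the new call belongs inside it so the mysql-related grants for each domain stay in one place, and if they do not, a comment on why cleanup and smtpd read the mysql config without a matching `mysql_stream_connect` would help the next reader. The `apache_use_fds(postfix_postdrop_t)` line would likewise be easier to review with a one-line note on the invocation path it supports.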