* [PATCH] mailman3 V3
@ 2022-03-09  4:54 Russell Coker
From: Russell Coker @ 2022-03-09  4:54 UTC (permalink / raw)
  To: selinux-refpolicy

Fixed the issues Chris raised with the previous patch.  I think this is
ready to merge.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20220309/policy/modules/services/mailman.if
===================================================================
--- refpolicy-2.20220309.orig/policy/modules/services/mailman.if
+++ refpolicy-2.20220309/policy/modules/services/mailman.if
@@ -109,6 +109,44 @@ interface(`mailman_domtrans_cgi',`
 
 #######################################
 ## <summary>
+##	Talk to mailman_cgi_t via Unix domain socket
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain talking to mailman
+##	</summary>
+## </param>
+#
+interface(`mailman_stream_connect_cgi',`
+	gen_require(`
+		type mailman_cgi_t, mailman_runtime_t;
+	')
+
+	files_search_runtime($1)
+	stream_connect_pattern($1, mailman_runtime_t, mailman_runtime_t, mailman_cgi_t)
+')
+
+#######################################
+## <summary>
+##	Manage mailman runtime files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to manage the files
+##	</summary>
+## </param>
+#
+interface(`mailman_manage_runtime_files',`
+	gen_require(`
+		type mailman_runtime_t;
+	')
+
+	files_search_runtime($1)
+	manage_files_pattern($1, mailman_runtime_t, mailman_runtime_t)
+')
+
+#######################################
+## <summary>
 ##	Execute mailman in the caller domain.
 ## </summary>
 ## <param name="domain">
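Review bot: The summary for `mailman_stream_connect_cgi` should say where the socket lives, since the pattern grants write on mailman_runtime_t sock_files: `## Connect to mailman_cgi_t over a unix stream socket in mailman_runtime_t.` Likewise `mailman_manage_runtime_files` would read better as `## Create, read, write, and delete mailman runtime files.`, matching the phrasing of the existing data-file interface in this file.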
@@ -186,6 +224,24 @@ interface(`mailman_read_data_files',`
 
 #######################################
 ## <summary>
+##	map mailman data content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailman_map_data_files',`
+	gen_require(`
+		type mailman_data_t;
+	')
+
+	allow $1 mailman_data_t:file map;
+')
+
+#######################################
+## <summary>
 ##	Create, read, write, and delete
 ##	mailman data files.
 ## </summary>
@@ -342,3 +398,21 @@ interface(`mailman_domtrans_queue',`
 	libs_search_lib($1)
 	domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
 ')
+
+#######################################
+## <summary>
+##	Manage mailman lock dir
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to manage it.
+##	</summary>
+## </param>
+#
+interface(`mailman_manage_lockdir',`
+	gen_require(`
+		type mailman_lock_t;
+	')
+
+	allow $1 mailman_lock_t:dir manage_dir_perms;
+')
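Review bot: `mailman_manage_lockdir` grants manage_dir_perms on mailman_lock_t but does not give the caller search on the lock directory's parent, unlike the two new runtime interfaces in this file which call `files_search_runtime($1)`; adding `files_search_locks($1)` before the allow makes the interface usable on its own. No caller of this interface appears anywhere in this patch, so it may be worth confirming it is still needed before it is merged.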
Index: refpolicy-2.20220309/policy/modules/services/mailman.te
===================================================================
--- refpolicy-2.20220309.orig/policy/modules/services/mailman.te
+++ refpolicy-2.20220309/policy/modules/services/mailman.te
@@ -10,6 +10,7 @@ attribute mailman_domain;
 attribute_role mailman_roles;
 
 mailman_domain_template(cgi)
+init_daemon_domain(mailman_cgi_t, mailman_cgi_exec_t)
 
 type mailman_data_t;
 files_type(mailman_data_t)
@@ -22,15 +23,25 @@ logging_log_file(mailman_log_t)
 
 type mailman_lock_t;
 files_lock_file(mailman_lock_t)
+optional_policy(`
+	systemd_tmpfilesd_managed(mailman_lock_t)
+')
 
 type mailman_runtime_t alias mailman_var_run_t;
 files_runtime_file(mailman_runtime_t)
 
+type mailman_cgi_tmpfs_t;
+files_tmpfs_file(mailman_cgi_tmpfs_t)
+
+type mailman_queue_tmpfs_t;
+files_tmpfs_file(mailman_queue_tmpfs_t)
+
 mailman_domain_template(mail)
 init_daemon_domain(mailman_mail_t, mailman_mail_exec_t)
 role mailman_roles types mailman_mail_t;
 
 mailman_domain_template(queue)
+init_daemon_domain(mailman_queue_t, mailman_queue_exec_t)
 
 ########################################
 #
@@ -89,13 +100,16 @@ miscfiles_read_localization(mailman_doma
 # CGI local policy
 #
 
-allow mailman_cgi_t self:unix_dgram_socket { create connect };
+allow mailman_cgi_t self:process { signal signull sigkill };
+allow mailman_cgi_t self:fifo_file rw_fifo_file_perms;
+allow mailman_cgi_t self:capability { dac_override setgid setuid };
+allow mailman_cgi_t self:unix_dgram_socket create_socket_perms;
 
 allow mailman_cgi_t mailman_archive_t:dir search_dir_perms;
 allow mailman_cgi_t mailman_archive_t:file read_file_perms;
 
 allow mailman_cgi_t mailman_data_t:dir rw_dir_perms;
-allow mailman_cgi_t mailman_data_t:file manage_file_perms;
+allow mailman_cgi_t mailman_data_t:file { map manage_file_perms };
 allow mailman_cgi_t mailman_data_t:lnk_file read_lnk_file_perms;
 
 allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms;
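Review bot: `allow mailman_cgi_t self:capability { dac_override setgid setuid };` lets the web-facing domain bypass DAC permission checks on every file its type rules already reach, and in practice a dac_override denial usually traces back to a single mis-owned path rather than a real need. Please identify the access that motivated it and either fix the ownership or group of that path or dontaudit it, keeping the capability only if a root-owned file genuinely must be written from this domain. If it has to stay, a one-line comment naming that file (`# dac_override: <path> is root-owned`) would let the next reviewer re-check it.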
@@ -104,11 +118,27 @@ allow mailman_cgi_t mailman_lock_t:file
 allow mailman_cgi_t mailman_log_t:file { append_file_perms read_file_perms };
 allow mailman_cgi_t mailman_log_t:dir search_dir_perms;
 
+allow mailman_cgi_t mailman_runtime_t:dir rw_dir_perms;
+allow mailman_cgi_t mailman_runtime_t:file read_file_perms;
+allow mailman_cgi_t mailman_runtime_t:sock_file manage_file_perms;
+
+fs_tmpfs_filetrans(mailman_cgi_t, mailman_cgi_tmpfs_t, file)
+allow mailman_cgi_t mailman_cgi_tmpfs_t:file { map manage_file_perms };
+
 kernel_read_crypto_sysctls(mailman_cgi_t)
+kernel_read_net_sysctls(mailman_cgi_t)
 kernel_read_system_state(mailman_cgi_t)
+kernel_read_vm_overcommit_sysctl(mailman_cgi_t)
 
+# need SELinuxContext=system_u:system_r:mailman_cgi_t:s0 in the systemd
+# service file for the correct context on running /usr/bin/uwsgi for
+# mailman3-web
+corecmd_bin_entry_type(mailman_cgi_t)
 corecmd_exec_bin(mailman_cgi_t)
 
+corenet_tcp_bind_generic_node(mailman_cgi_t)
+corenet_tcp_connect_all_unreserved_ports(mailman_cgi_t)
+
 dev_read_urand(mailman_cgi_t)
 
 files_search_locks(mailman_cgi_t)
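Review bot: `corecmd_bin_entry_type(mailman_cgi_t)` makes every bin_t executable a valid entry point into mailman_cgi_t, so the SELinuxContext= approach described in the comment is not limited to uwsgi — any bin_t program started with that context lands in the web-facing domain. A narrower option is to label the uwsgi launcher, or a small wrapper script, `mailman_cgi_exec_t` and keep the existing exec type as the sole entry point; if the entry type must stay, the comment should state that it widens the entry points. In the same hunk `corenet_tcp_connect_all_unreserved_ports(mailman_cgi_t)` lets the web domain reach any unreserved TCP port; if this is for the Mailman REST API, a dedicated port type and a `corenet_tcp_connect_<name>_port` call would be the usual refpolicy shape. Minor: the rule on the sock_file class should use the matching permission set, `allow mailman_cgi_t mailman_runtime_t:sock_file manage_sock_file_perms;`.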
@@ -120,9 +150,9 @@ libs_dontaudit_write_lib_dirs(mailman_cg
 
 logging_search_logs(mailman_cgi_t)
 
+miscfiles_read_generic_certs(mailman_cgi_t)
 miscfiles_read_localization(mailman_cgi_t)
 
-
 optional_policy(`
 	apache_sigchld(mailman_cgi_t)
 	apache_use_fds(mailman_cgi_t)
@@ -133,6 +163,15 @@ optional_policy(`
 ')
 
 optional_policy(`
+	cron_rw_inherited_tmp_files(mailman_cgi_t)
+	cron_system_entry(mailman_cgi_t, mailman_cgi_exec_t)
+')
+
+optional_policy(`
+	mysql_stream_connect(mailman_cgi_t)
+')
+
+optional_policy(`
 	postfix_read_config(mailman_cgi_t)
 ')
 
@@ -142,7 +181,9 @@ optional_policy(`
 #
 
 allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config };
-allow mailman_mail_t self:process { signal signull setsched };
+allow mailman_mail_t self:process { execmem signal signull setsched };
+allow mailman_mail_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
+allow mailman_mail_t self:fifo_file rw_file_perms;
 
 allow mailman_mail_t mailman_archive_t:dir manage_dir_perms;
 allow mailman_mail_t mailman_archive_t:file manage_file_perms;
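Review bot: `execmem` on mailman_mail_t removes the W^X protection for the delivery domain and nothing in the patch says which component needs it; please add a comment naming it (`# execmem: needed by <library>`) or drop the permission if it came from a one-off denial. `netlink_audit_socket { nlmsg_relay create_socket_perms }` is typically what PAM-style authentication uses to emit audit records; if it stems from a password check, going through an auth_ interface as mailman_queue_t does with `auth_domtrans_chk_passwd` would be the conventional form — worth confirming where the denial came from. Also `allow mailman_mail_t self:fifo_file rw_file_perms;` should be `rw_fifo_file_perms` to match the cgi and queue domains in this file.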
@@ -167,8 +208,12 @@ manage_files_pattern(mailman_mail_t, mai
 manage_dirs_pattern(mailman_mail_t, mailman_runtime_t, mailman_runtime_t)
 files_runtime_filetrans(mailman_mail_t, mailman_runtime_t, { file dir })
 
+kernel_read_network_state(mailman_mail_t)
 kernel_read_system_state(mailman_mail_t)
 
+corenet_tcp_bind_all_unreserved_ports(mailman_mail_t)
+corenet_tcp_bind_generic_node(mailman_mail_t)
+corenet_tcp_connect_http_port(mailman_mail_t)
 corenet_tcp_connect_smtp_port(mailman_mail_t)
 corenet_sendrecv_spamd_client_packets(mailman_mail_t)
 corenet_sendrecv_innd_client_packets(mailman_mail_t)
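Review bot: `corenet_tcp_bind_all_unreserved_ports(mailman_mail_t)` allows the delivery-agent domain to listen on any unreserved TCP port, which is far wider than a mail handler should need; if it exists for Mailman 3's LMTP or REST listeners, declaring dedicated port types and binding only those is the refpolicy convention. The hunk also adds `corenet_tcp_connect_http_port(mailman_mail_t)` without saying which service is contacted; a short comment (presumably the REST API or the archiver) would make the rule reviewable later.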
@@ -193,6 +238,7 @@ libs_read_lib_files(mailman_mail_t)
 
 logging_search_logs(mailman_mail_t)
 
+miscfiles_read_generic_certs(mailman_mail_t)
 miscfiles_read_localization(mailman_mail_t)
 
 mta_use_mailserver_fds(mailman_mail_t)
@@ -200,14 +246,26 @@ mta_dontaudit_rw_delivery_tcp_sockets(ma
 mta_dontaudit_rw_queue(mailman_mail_t)
 
 optional_policy(`
+	apache_search_config(mailman_mail_t)
+')
+
+optional_policy(`
 	courier_read_spool(mailman_mail_t)
 ')
 
 optional_policy(`
 	cron_read_pipes(mailman_mail_t)
+	cron_rw_inherited_tmp_files(mailman_mail_t)
+	cron_search_spool(mailman_mail_t)
+	cron_system_entry(mailman_mail_t, mailman_mail_exec_t)
 ')
 
 optional_policy(`
+	corenet_tcp_connect_mysqld_port(mailman_mail_t)
+')
+
+optional_policy(`
+	postfix_read_config(mailman_mail_t)
 	postfix_search_spool(mailman_mail_t)
 	postfix_rw_inherited_master_pipes(mailman_mail_t)
 ')
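Review bot: `corenet_tcp_connect_mysqld_port(mailman_mail_t)` is wrapped in an `optional_policy` block of its own, but corenet interfaces live in the kernel layer and are always available, so the block never actually becomes optional; the queue domain later in this file uses `mysql_tcp_connect(mailman_queue_t)` for the same purpose. Replacing the line with `mysql_tcp_connect(mailman_mail_t)` makes the optional_policy meaningful (it then depends on the mysql module being present) and keeps the two domains consistent.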
@@ -217,15 +275,18 @@ optional_policy(`
 # Queue local policy
 #
 
-allow mailman_queue_t self:capability { setgid setuid };
+allow mailman_queue_t self:capability { dac_override setgid setuid };
 allow mailman_queue_t self:process { setsched signal_perms };
 allow mailman_queue_t self:fifo_file rw_fifo_file_perms;
 
+allow mailman_queue_t mailman_runtime_t:dir rw_dir_perms;
+allow mailman_queue_t mailman_runtime_t:file manage_file_perms;
+
 allow mailman_queue_t mailman_archive_t:dir manage_dir_perms;
 allow mailman_queue_t mailman_archive_t:file manage_file_perms;
 
 allow mailman_queue_t mailman_data_t:dir rw_dir_perms;
-allow mailman_queue_t mailman_data_t:file manage_file_perms;
+allow mailman_queue_t mailman_data_t:file { map manage_file_perms };
 allow mailman_queue_t mailman_data_t:lnk_file read_lnk_file_perms;
 
 allow mailman_queue_t mailman_lock_t:dir rw_dir_perms;
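Review bot: mailman_queue_t gains `manage_file_perms` on mailman_runtime_t but no `files_runtime_filetrans`, so a pid or lock file created directly under /run would be labeled var_run_t rather than mailman_runtime_t; mailman_mail_t gets `files_runtime_filetrans(mailman_mail_t, mailman_runtime_t, { file dir })` for exactly this, and the same line for mailman_queue_t is warranted unless its files are only ever created inside an already-labeled mailman_runtime_t directory. The new `dac_override` for the queue domain deserves the same scrutiny as for mailman_cgi_t: a comment naming the path that needs it, or an ownership fix instead of the capability.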
@@ -234,15 +295,25 @@ allow mailman_queue_t mailman_lock_t:fil
 allow mailman_queue_t mailman_log_t:dir list_dir_perms;
 allow mailman_queue_t mailman_log_t:file manage_file_perms;
 
+fs_tmpfs_filetrans(mailman_queue_t, mailman_queue_tmpfs_t, file)
+allow mailman_queue_t mailman_queue_tmpfs_t:file { map manage_file_perms };
+
+kernel_read_network_state(mailman_queue_t)
 kernel_read_system_state(mailman_queue_t)
+kernel_search_vm_sysctl(mailman_queue_t)
 
 auth_domtrans_chk_passwd(mailman_queue_t)
 
 corecmd_read_bin_files(mailman_queue_t)
 corenet_sendrecv_innd_client_packets(mailman_queue_t)
+corenet_tcp_bind_all_unreserved_ports(mailman_queue_t)
+corenet_tcp_bind_generic_node(mailman_queue_t)
+corenet_tcp_connect_generic_port(mailman_queue_t)
+corenet_tcp_connect_http_port(mailman_queue_t)
 corenet_tcp_connect_innd_port(mailman_queue_t)
 
 files_dontaudit_search_runtime(mailman_queue_t)
+files_read_usr_files(mailman_queue_t)
 files_search_locks(mailman_queue_t)
 
 miscfiles_read_localization(mailman_queue_t)
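Review bot: `corenet_tcp_connect_generic_port(mailman_queue_t)` together with `corenet_tcp_bind_all_unreserved_ports(mailman_queue_t)` lets the queue runners connect to any generically-labeled port and listen on any unreserved one, which leaves the network boundary of this domain essentially unconstrained. Since the Mailman 3 runners (`/usr/lib/mailman3/bin/.*` in this patch) are what host its LMTP and REST services, dedicated port types bound and connected by name would keep the policy auditable; at minimum a comment on each rule stating the peer service would help.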
@@ -251,14 +322,24 @@ seutil_dontaudit_search_config(mailman_q
 
 userdom_search_user_home_dirs(mailman_queue_t)
 
-cron_rw_tmp_files(mailman_queue_t)
-
 optional_policy(`
 	apache_read_config(mailman_queue_t)
 ')
 
 optional_policy(`
+	cron_rw_tmp_files(mailman_queue_t)
+	cron_search_spool(mailman_queue_t)
 	cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
+	cron_use_fds(mailman_queue_t)
+')
+
+optional_policy(`
+	mysql_stream_connect(mailman_queue_t)
+	mysql_tcp_connect(mailman_queue_t)
+')
+
+optional_policy(`
+	postfix_read_config(mailman_queue_t)
 ')
 
 optional_policy(`
Index: refpolicy-2.20220309/policy/modules/services/apache.te
===================================================================
--- refpolicy-2.20220309.orig/policy/modules/services/apache.te
+++ refpolicy-2.20220309/policy/modules/services/apache.te
@@ -815,8 +815,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	mailman_stream_connect_cgi(httpd_t)
 	mailman_signal_cgi(httpd_t)
 	mailman_domtrans_cgi(httpd_t)
+	mailman_map_data_files(httpd_t)
 	mailman_read_data_files(httpd_t)
 	mailman_search_data(httpd_t)
 	mailman_read_archive(httpd_t)
Index: refpolicy-2.20220309/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20220309.orig/policy/modules/services/cron.te
+++ refpolicy-2.20220309/policy/modules/services/cron.te
@@ -604,6 +604,12 @@ optional_policy(`
 ')
 
 optional_policy(`
+	mailman_domtrans_queue(system_cronjob_t)
+	# for flock
+	mailman_manage_runtime_files(system_cronjob_t)
+')
+
+optional_policy(`
 	mrtg_append_create_logs(system_cronjob_t)
 	mrtg_read_config(system_cronjob_t)
 ')
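Review bot: `mailman_manage_runtime_files(system_cronjob_t)` under the comment `# for flock` grants create, rename and unlink on every mailman_runtime_t file, while flock needs only open, read/write and lock on the lock file; a narrower interface (an `rw_files_pattern`-based `mailman_rw_runtime_files`, or a create+rw variant if the cron job creates the file itself) would match the stated purpose. The comment should also name which cron job takes the lock so the rule can be re-checked when the packaging changes.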
Index: refpolicy-2.20220309/policy/modules/services/mailman.fc
===================================================================
--- refpolicy-2.20220309.orig/policy/modules/services/mailman.fc
+++ refpolicy-2.20220309/policy/modules/services/mailman.fc
@@ -20,6 +20,7 @@
 
 /usr/lib/cgi-bin/mailman/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
 /usr/lib/mailman/bin/qrunner	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/usr/lib/mailman3/bin/.*	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
 /usr/lib/mailman/cgi-bin/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
 /usr/lib/mailman/mail/mailman	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 /usr/lib/mailman/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
@@ -28,3 +29,4 @@
 /usr/mailman/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 
 /usr/share/doc/mailman/mm-handler.*	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/share/mailman3-web/manage.py --	gen_context(system_u:object_r:mailman_queue_exec_t,s0)


* Re: [PATCH] mailman3 V3
  2022-03-09  4:54 [PATCH] mailman3 V3 Russell Coker
@ 2022-03-14 13:47 ` Chris PeBenito
From: Chris PeBenito @ 2022-03-14 13:47 UTC (permalink / raw)
  To: Russell Coker, selinux-refpolicy

On 3/8/22 23:54, Russell Coker wrote:
> Fixed the issues Chris raised with the previous patch.  I think this is
> ready to merge.
> 
> Signed-off-by: Russell Coker <russell@coker.com.au>
> 
> Index: refpolicy-2.20220309/policy/modules/services/mailman.if
> ===================================================================
> --- refpolicy-2.20220309.orig/policy/modules/services/mailman.if
> +++ refpolicy-2.20220309/policy/modules/services/mailman.if
> @@ -109,6 +109,44 @@ interface(`mailman_domtrans_cgi',`
>   
>   #######################################
>   ## <summary>
> +##	Talk to mailman_cgi_t via Unix domain socket
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain talking to mailman
> +##	</summary>
> +## </param>
> +#
> +interface(`mailman_stream_connect_cgi',`
> +	gen_require(`
> +		type mailman_cgi_t, mailman_runtime_t;
> +	')
> +
> +	files_search_runtime($1)
> +	stream_connect_pattern($1, mailman_runtime_t, mailman_runtime_t, mailman_cgi_t)
> +')
> +
> +#######################################
> +## <summary>
> +##	Manage mailman runtime files
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to manage the files
> +##	</summary>
> +## </param>
> +#
> +interface(`mailman_manage_runtime_files',`
> +	gen_require(`
> +		type mailman_runtime_t;
> +	')
> +
> +	files_search_runtime($1)
> +	manage_files_pattern($1, mailman_runtime_t, mailman_runtime_t)
> +')
> +
> +#######################################
> +## <summary>
>   ##	Execute mailman in the caller domain.
>   ## </summary>
>   ## <param name="domain">
> @@ -186,6 +224,24 @@ interface(`mailman_read_data_files',`
>   
>   #######################################
>   ## <summary>
> +##	map mailman data content.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`mailman_map_data_files',`
> +	gen_require(`
> +		type mailman_data_t;
> +	')
> +
> +	allow $1 mailman_data_t:file map;
> +')
> +
> +#######################################
> +## <summary>
>   ##	Create, read, write, and delete
>   ##	mailman data files.
>   ## </summary>
> @@ -342,3 +398,21 @@ interface(`mailman_domtrans_queue',`
>   	libs_search_lib($1)
>   	domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
>   ')
> +
> +#######################################
> +## <summary>
> +##	Manage mailman lock dir
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to manage it.
> +##	</summary>
> +## </param>
> +#
> +interface(`mailman_manage_lockdir',`
> +	gen_require(`
> +		type mailman_lock_t;
> +	')
> +
> +	allow $1 mailman_lock_t:dir manage_dir_perms;
> +')
> Index: refpolicy-2.20220309/policy/modules/services/mailman.te
> ===================================================================
> --- refpolicy-2.20220309.orig/policy/modules/services/mailman.te
> +++ refpolicy-2.20220309/policy/modules/services/mailman.te
> @@ -10,6 +10,7 @@ attribute mailman_domain;
>   attribute_role mailman_roles;
>   
>   mailman_domain_template(cgi)
> +init_daemon_domain(mailman_cgi_t, mailman_cgi_exec_t)
>   
>   type mailman_data_t;
>   files_type(mailman_data_t)
> @@ -22,15 +23,25 @@ logging_log_file(mailman_log_t)
>   
>   type mailman_lock_t;
>   files_lock_file(mailman_lock_t)
> +optional_policy(`
> +	systemd_tmpfilesd_managed(mailman_lock_t)
> +')
>   
>   type mailman_runtime_t alias mailman_var_run_t;
>   files_runtime_file(mailman_runtime_t)
>   
> +type mailman_cgi_tmpfs_t;
> +files_tmpfs_file(mailman_cgi_tmpfs_t)
> +
> +type mailman_queue_tmpfs_t;
> +files_tmpfs_file(mailman_queue_tmpfs_t)
> +
>   mailman_domain_template(mail)
>   init_daemon_domain(mailman_mail_t, mailman_mail_exec_t)
>   role mailman_roles types mailman_mail_t;
>   
>   mailman_domain_template(queue)
> +init_daemon_domain(mailman_queue_t, mailman_queue_exec_t)
>   
>   ########################################
>   #
> @@ -89,13 +100,16 @@ miscfiles_read_localization(mailman_doma
>   # CGI local policy
>   #
>   
> -allow mailman_cgi_t self:unix_dgram_socket { create connect };
> +allow mailman_cgi_t self:process { signal signull sigkill };
> +allow mailman_cgi_t self:fifo_file rw_fifo_file_perms;
> +allow mailman_cgi_t self:capability { dac_override setgid setuid };
> +allow mailman_cgi_t self:unix_dgram_socket create_socket_perms;
>   
>   allow mailman_cgi_t mailman_archive_t:dir search_dir_perms;
>   allow mailman_cgi_t mailman_archive_t:file read_file_perms;
>   
>   allow mailman_cgi_t mailman_data_t:dir rw_dir_perms;
> -allow mailman_cgi_t mailman_data_t:file manage_file_perms;
> +allow mailman_cgi_t mailman_data_t:file { map manage_file_perms };
>   allow mailman_cgi_t mailman_data_t:lnk_file read_lnk_file_perms;
>   
>   allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms;
> @@ -104,11 +118,27 @@ allow mailman_cgi_t mailman_lock_t:file
>   allow mailman_cgi_t mailman_log_t:file { append_file_perms read_file_perms };
>   allow mailman_cgi_t mailman_log_t:dir search_dir_perms;
>   
> +allow mailman_cgi_t mailman_runtime_t:dir rw_dir_perms;
> +allow mailman_cgi_t mailman_runtime_t:file read_file_perms;
> +allow mailman_cgi_t mailman_runtime_t:sock_file manage_file_perms;
> +
> +fs_tmpfs_filetrans(mailman_cgi_t, mailman_cgi_tmpfs_t, file)
> +allow mailman_cgi_t mailman_cgi_tmpfs_t:file { map manage_file_perms };
> +
>   kernel_read_crypto_sysctls(mailman_cgi_t)
> +kernel_read_net_sysctls(mailman_cgi_t)
>   kernel_read_system_state(mailman_cgi_t)
> +kernel_read_vm_overcommit_sysctl(mailman_cgi_t)
>   
> +# need SELinuxContext=system_u:system_r:mailman_cgi_t:s0 in the systemd
> +# service file for the correct context on running /usr/bin/uwsgi for
> +# mailman3-web
> +corecmd_bin_entry_type(mailman_cgi_t)
>   corecmd_exec_bin(mailman_cgi_t)
>   
> +corenet_tcp_bind_generic_node(mailman_cgi_t)
> +corenet_tcp_connect_all_unreserved_ports(mailman_cgi_t)
> +
>   dev_read_urand(mailman_cgi_t)
>   
>   files_search_locks(mailman_cgi_t)
> @@ -120,9 +150,9 @@ libs_dontaudit_write_lib_dirs(mailman_cg
>   
>   logging_search_logs(mailman_cgi_t)
>   
> +miscfiles_read_generic_certs(mailman_cgi_t)
>   miscfiles_read_localization(mailman_cgi_t)
>   
> -
>   optional_policy(`
>   	apache_sigchld(mailman_cgi_t)
>   	apache_use_fds(mailman_cgi_t)
> @@ -133,6 +163,15 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	cron_rw_inherited_tmp_files(mailman_cgi_t)
> +	cron_system_entry(mailman_cgi_t, mailman_cgi_exec_t)
> +')
> +
> +optional_policy(`
> +	mysql_stream_connect(mailman_cgi_t)
> +')
> +
> +optional_policy(`
>   	postfix_read_config(mailman_cgi_t)
>   ')
>   
> @@ -142,7 +181,9 @@ optional_policy(`
>   #
>   
>   allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config };
> -allow mailman_mail_t self:process { signal signull setsched };
> +allow mailman_mail_t self:process { execmem signal signull setsched };
> +allow mailman_mail_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
> +allow mailman_mail_t self:fifo_file rw_file_perms;
>   
>   allow mailman_mail_t mailman_archive_t:dir manage_dir_perms;
>   allow mailman_mail_t mailman_archive_t:file manage_file_perms;
> @@ -167,8 +208,12 @@ manage_files_pattern(mailman_mail_t, mai
>   manage_dirs_pattern(mailman_mail_t, mailman_runtime_t, mailman_runtime_t)
>   files_runtime_filetrans(mailman_mail_t, mailman_runtime_t, { file dir })
>   
> +kernel_read_network_state(mailman_mail_t)
>   kernel_read_system_state(mailman_mail_t)
>   
> +corenet_tcp_bind_all_unreserved_ports(mailman_mail_t)
> +corenet_tcp_bind_generic_node(mailman_mail_t)
> +corenet_tcp_connect_http_port(mailman_mail_t)
>   corenet_tcp_connect_smtp_port(mailman_mail_t)
>   corenet_sendrecv_spamd_client_packets(mailman_mail_t)
>   corenet_sendrecv_innd_client_packets(mailman_mail_t)
> @@ -193,6 +238,7 @@ libs_read_lib_files(mailman_mail_t)
>   
>   logging_search_logs(mailman_mail_t)
>   
> +miscfiles_read_generic_certs(mailman_mail_t)
>   miscfiles_read_localization(mailman_mail_t)
>   
>   mta_use_mailserver_fds(mailman_mail_t)
> @@ -200,14 +246,26 @@ mta_dontaudit_rw_delivery_tcp_sockets(ma
>   mta_dontaudit_rw_queue(mailman_mail_t)
>   
>   optional_policy(`
> +	apache_search_config(mailman_mail_t)
> +')
> +
> +optional_policy(`
>   	courier_read_spool(mailman_mail_t)
>   ')
>   
>   optional_policy(`
>   	cron_read_pipes(mailman_mail_t)
> +	cron_rw_inherited_tmp_files(mailman_mail_t)
> +	cron_search_spool(mailman_mail_t)
> +	cron_system_entry(mailman_mail_t, mailman_mail_exec_t)
>   ')
>   
>   optional_policy(`
> +	corenet_tcp_connect_mysqld_port(mailman_mail_t)
> +')
> +
> +optional_policy(`
> +	postfix_read_config(mailman_mail_t)
>   	postfix_search_spool(mailman_mail_t)
>   	postfix_rw_inherited_master_pipes(mailman_mail_t)
>   ')
> @@ -217,15 +275,18 @@ optional_policy(`
>   # Queue local policy
>   #
>   
> -allow mailman_queue_t self:capability { setgid setuid };
> +allow mailman_queue_t self:capability { dac_override setgid setuid };
>   allow mailman_queue_t self:process { setsched signal_perms };
>   allow mailman_queue_t self:fifo_file rw_fifo_file_perms;
>   
> +allow mailman_queue_t mailman_runtime_t:dir rw_dir_perms;
> +allow mailman_queue_t mailman_runtime_t:file manage_file_perms;
> +
>   allow mailman_queue_t mailman_archive_t:dir manage_dir_perms;
>   allow mailman_queue_t mailman_archive_t:file manage_file_perms;
>   
>   allow mailman_queue_t mailman_data_t:dir rw_dir_perms;
> -allow mailman_queue_t mailman_data_t:file manage_file_perms;
> +allow mailman_queue_t mailman_data_t:file { map manage_file_perms };
>   allow mailman_queue_t mailman_data_t:lnk_file read_lnk_file_perms;
>   
>   allow mailman_queue_t mailman_lock_t:dir rw_dir_perms;
> @@ -234,15 +295,25 @@ allow mailman_queue_t mailman_lock_t:fil
>   allow mailman_queue_t mailman_log_t:dir list_dir_perms;
>   allow mailman_queue_t mailman_log_t:file manage_file_perms;
>   
> +fs_tmpfs_filetrans(mailman_queue_t, mailman_queue_tmpfs_t, file)
> +allow mailman_queue_t mailman_queue_tmpfs_t:file { map manage_file_perms };
> +
> +kernel_read_network_state(mailman_queue_t)
>   kernel_read_system_state(mailman_queue_t)
> +kernel_search_vm_sysctl(mailman_queue_t)
>   
>   auth_domtrans_chk_passwd(mailman_queue_t)
>   
>   corecmd_read_bin_files(mailman_queue_t)
>   corenet_sendrecv_innd_client_packets(mailman_queue_t)
> +corenet_tcp_bind_all_unreserved_ports(mailman_queue_t)
> +corenet_tcp_bind_generic_node(mailman_queue_t)
> +corenet_tcp_connect_generic_port(mailman_queue_t)
> +corenet_tcp_connect_http_port(mailman_queue_t)
>   corenet_tcp_connect_innd_port(mailman_queue_t)
>   
>   files_dontaudit_search_runtime(mailman_queue_t)
> +files_read_usr_files(mailman_queue_t)
>   files_search_locks(mailman_queue_t)
>   
>   miscfiles_read_localization(mailman_queue_t)
> @@ -251,14 +322,24 @@ seutil_dontaudit_search_config(mailman_q
>   
>   userdom_search_user_home_dirs(mailman_queue_t)
>   
> -cron_rw_tmp_files(mailman_queue_t)
> -
>   optional_policy(`
>   	apache_read_config(mailman_queue_t)
>   ')
>   
>   optional_policy(`
> +	cron_rw_tmp_files(mailman_queue_t)
> +	cron_search_spool(mailman_queue_t)
>   	cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
> +	cron_use_fds(mailman_queue_t)
> +')
> +
> +optional_policy(`
> +	mysql_stream_connect(mailman_queue_t)
> +	mysql_tcp_connect(mailman_queue_t)
> +')
> +
> +optional_policy(`
> +	postfix_read_config(mailman_queue_t)
>   ')
>   
>   optional_policy(`
> Index: refpolicy-2.20220309/policy/modules/services/apache.te
> ===================================================================
> --- refpolicy-2.20220309.orig/policy/modules/services/apache.te
> +++ refpolicy-2.20220309/policy/modules/services/apache.te
> @@ -815,8 +815,10 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	mailman_stream_connect_cgi(httpd_t)
>   	mailman_signal_cgi(httpd_t)
>   	mailman_domtrans_cgi(httpd_t)
> +	mailman_map_data_files(httpd_t)
>   	mailman_read_data_files(httpd_t)
>   	mailman_search_data(httpd_t)
>   	mailman_read_archive(httpd_t)
> Index: refpolicy-2.20220309/policy/modules/services/cron.te
> ===================================================================
> --- refpolicy-2.20220309.orig/policy/modules/services/cron.te
> +++ refpolicy-2.20220309/policy/modules/services/cron.te
> @@ -604,6 +604,12 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	mailman_domtrans_queue(system_cronjob_t)
> +	# for flock
> +	mailman_manage_runtime_files(system_cronjob_t)
> +')
> +
> +optional_policy(`
>   	mrtg_append_create_logs(system_cronjob_t)
>   	mrtg_read_config(system_cronjob_t)
>   ')
> Index: refpolicy-2.20220309/policy/modules/services/mailman.fc
> ===================================================================
> --- refpolicy-2.20220309.orig/policy/modules/services/mailman.fc
> +++ refpolicy-2.20220309/policy/modules/services/mailman.fc
> @@ -20,6 +20,7 @@
>   
>   /usr/lib/cgi-bin/mailman/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
>   /usr/lib/mailman/bin/qrunner	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
> +/usr/lib/mailman3/bin/.*	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
>   /usr/lib/mailman/cgi-bin/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
>   /usr/lib/mailman/mail/mailman	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
>   /usr/lib/mailman/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> @@ -28,3 +29,4 @@
>   /usr/mailman/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
>   
>   /usr/share/doc/mailman/mm-handler.*	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> +/usr/share/mailman3-web/manage.py --	gen_context(system_u:object_r:mailman_queue_exec_t,s0)


Merged.

-- 
Chris PeBenito

