From: Russell Coker
To: "selinux-refpolicy@vger.kernel.org"
Reply-To: russell@coker.com.au
Subject: trivial mail server patch
Date: Wed, 12 Feb 2020 14:13:13 +1100
Message-ID: <2790872.6eiCcbVEAQ@xev>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

This patch against git refpolicy has a bunch of trivial patches related to mail servers. I think it's ready for merging.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

Attachment: mta.diff (text/x-patch)

Index: refpolicy-2.20200209/policy/modules/services/mailman.fc =================================================================== --- refpolicy-2.20200209.orig/policy/modules/services/mailman.fc +++ refpolicy-2.20200209/policy/modules/services/mailman.fc @@ -23,6 +23,7 @@ /usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) /usr/lib/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) /usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +/etc/mailman/postfix-to-mailman.py -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) /usr/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) Index: refpolicy-2.20200209/policy/modules/services/mailman.if =================================================================== --- refpolicy-2.20200209.orig/policy/modules/services/mailman.if +++ refpolicy-2.20200209/policy/modules/services/mailman.if
@@ -319,6 +319,7 @@ interface(`mailman_read_archive',` files_search_var_lib($1) allow $1 mailman_archive_t:dir list_dir_perms; read_files_pattern($1, mailman_archive_t, mailman_archive_t) + allow $1 mailman_archive_t:file map; read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t) ') Index: refpolicy-2.20200209/policy/modules/services/mailman.te =================================================================== --- refpolicy-2.20200209.orig/policy/modules/services/mailman.te +++ refpolicy-2.20200209/policy/modules/services/mailman.te @@ -182,6 +182,7 @@ corecmd_exec_bin(mailman_mail_t) files_search_locks(mailman_mail_t) fs_rw_anon_inodefs_files(mailman_mail_t) +fs_search_tmpfs(mailman_mail_t) # this is far from ideal, but systemd reduces the importance of initrc_t init_signal_script(mailman_mail_t) Index: refpolicy-2.20200209/policy/modules/services/mta.if =================================================================== --- refpolicy-2.20200209.orig/policy/modules/services/mta.if +++ refpolicy-2.20200209/policy/modules/services/mta.if @@ -251,6 +251,7 @@ interface(`mta_manage_mail_home_rw_conte userdom_search_user_home_dirs($1) manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t) manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t) + allow $1 mail_home_rw_t:file map; manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t) ') @@ -867,6 +868,7 @@ interface(`mta_read_spool_files',` files_search_spool($1) read_files_pattern($1, mail_spool_t, mail_spool_t) + allow $1 mail_spool_t:file map; ') ######################################## 
@@ -949,6 +951,7 @@ interface(`mta_manage_spool',` files_search_spool($1) manage_dirs_pattern($1, mail_spool_t, mail_spool_t) manage_files_pattern($1, mail_spool_t, mail_spool_t) + allow $1 mail_spool_t:file map; manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') Index: refpolicy-2.20200209/policy/modules/services/spamassassin.if =================================================================== --- refpolicy-2.20200209.orig/policy/modules/services/spamassassin.if +++ refpolicy-2.20200209/policy/modules/services/spamassassin.if @@ -433,3 +433,22 @@ interface(`spamassassin_admin',` # sa-update spamassassin_run_update($1, $2) ') + +######################################## +## +## Get SA service status +## +## +## +## Domain allowed access. +## +## +## +# +interface(`spamassassin_service_reload',` + gen_require(` + type spamassassin_unit_t; + ') + + allow $1 spamassassin_unit_t:service { status reload }; +') Index: refpolicy-2.20200209/policy/modules/services/spamassassin.te =================================================================== --- refpolicy-2.20200209.orig/policy/modules/services/spamassassin.te +++ refpolicy-2.20200209/policy/modules/services/spamassassin.te @@ -22,6 +22,7 @@ gen_tunable(spamassassin_can_network, fa gen_tunable(spamd_enable_home_dirs, false) type spamd_update_t; +typealias spamd_update_t alias { spamd_gpg_t }; type spamd_update_exec_t; init_system_domain(spamd_update_t, spamd_update_exec_t) @@ -62,9 +63,6 @@ files_type(spamd_compiled_t) type spamd_etc_t; files_config_file(spamd_etc_t) -type spamd_gpg_t; -domain_type(spamd_gpg_t) - type spamd_home_t; userdom_user_home_content(spamd_home_t) @@ -351,6 +349,7 @@ corenet_udp_bind_imaze_port(spamd_t) corenet_dontaudit_udp_bind_all_ports(spamd_t) +corecmd_exec_shell(spamd_t) corecmd_exec_bin(spamd_t) dev_read_sysfs(spamd_t) 
@@ -358,6 +357,7 @@ dev_read_urand(spamd_t) domain_use_interactive_fds(spamd_t) +files_map_etc_files(spamd_t) files_read_usr_files(spamd_t) files_read_etc_runtime_files(spamd_t) @@ -372,6 +372,7 @@ libs_use_shared_libs(spamd_t) logging_send_syslog_msg(spamd_t) +miscfiles_read_generic_certs(spamd_t) miscfiles_read_localization(spamd_t) sysnet_use_ldap(spamd_t) @@ -487,6 +488,8 @@ manage_dirs_pattern(spamd_update_t, spam manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t) manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t) +kernel_read_crypto_sysctls(spamd_update_t) +kernel_search_fs_sysctls(spamd_update_t) kernel_read_system_state(spamd_update_t) corecmd_exec_bin(spamd_update_t) @@ -512,6 +515,7 @@ fs_getattr_xattr_fs(spamd_update_t) auth_use_nsswitch(spamd_update_t) auth_dontaudit_read_shadow(spamd_update_t) +miscfiles_read_generic_certs(spamd_update_t) miscfiles_read_localization(spamd_update_t) userdom_use_inherited_user_terminals(spamd_update_t) 
@@ -523,35 +527,5 @@ optional_policy(` ') optional_policy(` - gpg_spec_domtrans(spamd_update_t, spamd_gpg_t) - gpg_entry_type(spamd_gpg_t) - role system_r types spamd_gpg_t; - - allow spamd_gpg_t self:capability { dac_override dac_read_search }; - allow spamd_gpg_t self:unix_stream_socket { connect create }; - - allow spamd_gpg_t spamd_update_t:fd use; - allow spamd_gpg_t spamd_update_t:process sigchld; - allow spamd_gpg_t spamd_update_t:fifo_file { getattr write }; - allow spamd_gpg_t spamd_var_lib_t:dir rw_dir_perms; - allow spamd_gpg_t spamd_var_lib_t:file manage_file_perms; - allow spamd_gpg_t spamd_update_tmp_t:file read_file_perms; - - # fips - kernel_read_crypto_sysctls(spamd_gpg_t) - - domain_use_interactive_fds(spamd_gpg_t) - - files_read_etc_files(spamd_gpg_t) - files_read_usr_files(spamd_gpg_t) - files_search_var_lib(spamd_gpg_t) - files_search_pids(spamd_gpg_t) - files_search_tmp(spamd_gpg_t) - - init_use_fds(spamd_gpg_t) - init_rw_inherited_stream_socket(spamd_gpg_t) - - miscfiles_read_localization(spamd_gpg_t) - - userdom_use_inherited_user_terminals(spamd_gpg_t) + gpg_exec(spamd_update_t) ') Index: refpolicy-2.20200209/policy/modules/services/clamav.te =================================================================== --- refpolicy-2.20200209.orig/policy/modules/services/clamav.te +++ refpolicy-2.20200209/policy/modules/services/clamav.te @@ -146,6 +146,7 @@ auth_use_nsswitch(clamd_t) logging_send_syslog_msg(clamd_t) +miscfiles_read_generic_certs(clamd_t) miscfiles_read_localization(clamd_t) tunable_policy(`clamd_use_jit',` 
@@ -235,6 +236,7 @@ auth_use_nsswitch(freshclam_t) logging_send_syslog_msg(freshclam_t) +miscfiles_read_generic_certs(freshclam_t) miscfiles_read_localization(freshclam_t) tunable_policy(`clamd_use_jit',` Index: refpolicy-2.20200209/policy/modules/services/dkim.te =================================================================== --- refpolicy-2.20200209.orig/policy/modules/services/dkim.te +++ refpolicy-2.20200209/policy/modules/services/dkim.te @@ -44,6 +44,8 @@ files_pid_filetrans(dkim_milter_t, dkim_ files_read_usr_files(dkim_milter_t) files_search_spool(dkim_milter_t) +miscfiles_read_generic_certs(dkim_milter_t) + optional_policy(` mta_read_config(dkim_milter_t) ') Index: refpolicy-2.20200209/policy/modules/services/dovecot.te =================================================================== --- refpolicy-2.20200209.orig/policy/modules/services/dovecot.te +++ refpolicy-2.20200209/policy/modules/services/dovecot.te @@ -173,6 +173,7 @@ files_read_usr_files(dovecot_t) fs_getattr_all_fs(dovecot_t) fs_getattr_all_dirs(dovecot_t) +fs_read_tmpfs_symlinks(dovecot_t) fs_search_auto_mountpoints(dovecot_t) fs_list_inotifyfs(dovecot_t) @@ -269,7 +270,12 @@ selinux_get_fs_mount(dovecot_auth_t) auth_domtrans_chk_passwd(dovecot_auth_t) auth_use_nsswitch(dovecot_auth_t) +fs_search_tmpfs(dovecot_auth_t) +fs_read_tmpfs_symlinks(dovecot_auth_t) + init_rw_utmp(dovecot_auth_t) +init_rw_inherited_stream_socket(dovecot_auth_t) +init_use_fds(dovecot_auth_t) logging_send_audit_msgs(dovecot_auth_t) Index: refpolicy-2.20200209/policy/modules/services/postfix.te =================================================================== --- refpolicy-2.20200209.orig/policy/modules/services/postfix.te +++ refpolicy-2.20200209/policy/modules/services/postfix.te @@ -336,6 +336,7 @@ optional_policy(` ') optional_policy(` + mysql_read_config(postfix_master_t) mysql_stream_connect(postfix_master_t) ') 
@@ -427,6 +428,10 @@ optional_policy(` ') optional_policy(` + mysql_read_config(postfix_cleanup_t) +') + +optional_policy(` dbus_send_system_bus(postfix_cleanup_t) dbus_system_bus_client(postfix_cleanup_t) init_dbus_chat(postfix_cleanup_t) @@ -648,6 +653,7 @@ mta_rw_user_mail_stream_sockets(postfix_ optional_policy(` apache_dontaudit_rw_fifo_file(postfix_postdrop_t) + apache_use_fds(postfix_postdrop_t) ') optional_policy(` @@ -826,6 +832,10 @@ optional_policy(` ') optional_policy(` + mysql_read_config(postfix_smtpd_t) +') + +optional_policy(` postgrey_stream_connect(postfix_smtpd_t) ') --nextPart21966632.53F8HSx9Kg--
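Review bot: in the mailman.fc hunk the new `/etc/mailman/postfix-to-mailman.py` entry is placed between the `/usr/lib/mailman/...` and `/usr/mailman/...` lines; refpolicy keeps .fc files sorted by path, so move it above the /usr entries. A domain entry point under /etc is unusual enough that the commit message should say where this wrapper comes from (it looks distribution-specific) and confirm it is the real delivery entry for mailman_mail_t rather than a configuration file that happens to be executable.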
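Review bot: the bare `allow $1 mailman_archive_t:file map;` added to mailman_read_archive sits between two pattern macros and breaks the style of the interface. refpolicy expresses mmap access through the mmap_*_file_perms sets and mmap_*_files_pattern macros rather than hand-written allow rules, so replace `read_files_pattern($1, mailman_archive_t, mailman_archive_t)` with `mmap_read_files_pattern($1, mailman_archive_t, mailman_archive_t)` (read plus map) and drop the extra line.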
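Review bot: the same point applies to the three mta.if hunks (mta_manage_mail_home_rw_content, mta_read_spool_files and mta_manage_spool), each of which appends `allow $1 ...:file map;` next to a pattern macro. Use the mmap variant of the macro already on the line above (mmap_read_files_pattern for the read interface, the mmap manage pattern for the two manage interfaces) so that callers get a consistent permission set and future permission changes land in one place. Note also that in mta_read_spool_files the new line is appended after the pattern while in the other two it is inserted before manage_lnk_files_pattern; pick one placement.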
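Review bot: `fs_search_tmpfs(mailman_mail_t)` in mailman.te comes with no explanation while the line right after it carries a comment for an unusual rule; add a comment saying which tmpfs path is being looked up. A search with no matching file access elsewhere in the hunk usually means a path walk (something under /dev/shm or a tmpfs mount) that may be better handled with a dontaudit if the lookup is harmless.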
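Review bot: the documentation block for the new spamassassin_service_reload interface says "Get SA service status", but the rule grants `allow $1 spamassassin_unit_t:service { status reload };`; the summary should say the domain may query and reload the spamassassin unit. Nothing in this series calls the new interface, so either include the caller (presumably the domain that reloads spamd after an update) in the same patch or say in the commit message why it is being added on its own.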
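Review bot: `corecmd_exec_shell(spamd_t)` gives a network-facing daemon unconditional shell execution; the commit message should say what in spamd invokes a shell (a plugin, a pipe to an external command) and whether the access can be gated behind an existing tunable such as the ones at the top of the file rather than granted to every installation. Style: the neighbouring call is corecmd_exec_bin, and the usual order in the tree is exec_bin before exec_shell.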
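Review bot: in the spamd_update_t hunk, `kernel_read_crypto_sysctls(spamd_update_t)` is effectively moved from the removed spamd_gpg_t block but drops the `# fips` comment that explained it; keep the comment. `kernel_search_fs_sysctls(spamd_update_t)` sits before kernel_read_system_state, which is out of the file's alphabetical order, and like the tmpfs search above it should say what under /proc/sys/fs is being looked up, since search with no read is often a dontaudit candidate.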
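Review bot: folding spamd_gpg_t into spamd_update_t (the typealias, the removal of `type spamd_gpg_t;`, and replacing gpg_spec_domtrans with `gpg_exec(spamd_update_t)`) is a reduction in separation, not a trivial change, and the cover note gives no reason for it. The removed block confined gpg to read-only access on spamd_update_tmp_t, rw on spamd_var_lib_t, and a handful of fd and socket uses; after this patch gpg, which parses the signatures and keyring material fetched by the updater, runs with everything spamd_update_t holds. If the motivation is that the transition no longer works with current gpg (helper binaries, agent sockets), say so in the commit message and consider keeping the separate domain and adding the missing rules instead.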
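Review bot: in the dovecot_auth_t hunk, `fs_search_tmpfs` and `fs_read_tmpfs_symlinks` are inserted after auth_use_nsswitch, whereas the dovecot_t hunk correctly places its fs_read_tmpfs_symlinks among the other fs_ calls; move the two dovecot_auth_t fs_ lines up into the kernel-layer group to match. `init_rw_inherited_stream_socket` and `init_use_fds` for dovecot_auth_t also need a one-line comment on why the auth worker inherits descriptors from init (socket activation, or being spawned directly by the unit) so the next reader does not have to guess.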
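Review bot: the postfix_cleanup_t and postfix_smtpd_t hunks each add an optional_policy block with only `mysql_read_config`, while the postfix_master_t hunk adds it alongside an existing mysql_stream_connect. If cleanup and smtpd are doing MySQL lookup tables they will also need mysql_stream_connect (or the TCP port if the server is remote), so either add it or state in the commit message that reading the config is all the observed denial required. Since mysql_read_config covers all of mysqld_etc_t, check that the access a network-facing smtpd actually needs is not narrower than the whole directory, and say whether the other postfix daemons that run lookups (local, virtual, trivial-rewrite) are expected to follow in a later patch.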