Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp5583924ybv;
        Tue, 11 Feb 2020 19:13:24 -0800 (PST)
X-Google-Smtp-Source: APXvYqydSKup8cYTY5rxnAIOQAZ/55VYUCkUGAGQRojB0yI+FTU4SXbtBt9w+hoELMqelrxpTv82
X-Received: by 2002:a9d:7d87:: with SMTP id j7mr7374580otn.159.1581477204003;
        Tue, 11 Feb 2020 19:13:24 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1581477204; cv=none;
        d=google.com; s=arc-20160816;
        b=kFHPjfMR2fIjK/uRwR6AqPZiiVdGFFOCAG48qLYRxgLpD1Bb6SYwbLFd+DJc+B0PLK
         nxP92g46EmqC+EPktG0uhg9luAK+1JQ9O4AQixBDykNUi9KOBL2GpW7RGfSsoQxd5tEm
         jfhl5DYGekALRpn1w2am6UB6+9DGU1mh+0wlAjf0v9M8rdep36xN0asKWUHOwuXmYnzb
         KKiN1Mm4N2q1fcVbbfb8lby1SnMdX8TmV+E+7K+E2pau52rDNq2pGf4zNfytVLxF10LH
         HgBuRJo7ysv05Hu4x99cpFn1hqbvK3RuEARqp0PKUnMEU816l4p975VwB7ahU+gdYZvY
         a5mw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :message-id:date:subject:reply-to:to:from:dkim-signature;
        bh=gRPzgiECXQgmE8RATjgG57DB3kjwGUrCRshdBRseScE=;
        b=rocNJFT2+Mjl7fHIX9+q7aLDhQRmAKMxJx1rFRtgxqOhN2AxqnFABrgCOLGxnGqETx
         EpvJjT9edd7ASCSrWV/eYU9DO94l3lUPFEABZxLWGZskLZqXHt8f/jncClv8gtABt+Z2
         fwVhJLhbuEZUHYS67TH6sDJbJmoagW1LeVENbOfTfwBT6fiHi1YC/EzqJj3R9IYViigv
         e/grcYEne+3x1Krd90900+r/zdMeVSk+tNwLjmnnL6lwTJeEULAL0K9pE0cRZJWvC6kP
         5RmT9ev7ee1z3nnNeZEBAf2ETdemhcXezIyyOoAFGWIoXpj9SyYE9cVnJFy0wwX60lqU
         CkTg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@coker.com.au header.s=2008 header.b=mnQsgMyA;
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id f23si2810209oto.205.2020.02.11.19.13.21;
        Tue, 11 Feb 2020 19:13:23 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@coker.com.au header.s=2008 header.b=mnQsgMyA;
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727641AbgBLDNV (ORCPT <rfc822;refpolicysuse@gmail.com>
        + 13 others); Tue, 11 Feb 2020 22:13:21 -0500
Received: from smtp.sws.net.au ([46.4.88.250]:44906 "EHLO smtp.sws.net.au"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1727602AbgBLDNV (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Tue, 11 Feb 2020 22:13:21 -0500
Received: from xev.coker.com.au (localhost [127.0.0.1])
        by smtp.sws.net.au (Postfix) with ESMTP id D24D2ED69
        for <selinux-refpolicy@vger.kernel.org>; Wed, 12 Feb 2020 14:13:18 +1100 (AEDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au;
        s=2008; t=1581477199;
        bh=gRPzgiECXQgmE8RATjgG57DB3kjwGUrCRshdBRseScE=; l=10560;
        h=From:To:Reply-To:Subject:Date:From;
        b=mnQsgMyAdyxXbdikcwgXFtHPTTmwAE1nEHRGXHiabYvnq8sB5HKuRkE9he4tSxD7G
         Q0TFWojbmPh+1Yxm3u4Xs2DJToXRpiLJpJFFvHoD5aYiNHyXa8JgIY2XMi53S9zpF3
         M2qsp2KQe8h7QOXSSw+zIhwCfihlF/Ps4bMmoQl8=
Received: by xev.coker.com.au (Postfix, from userid 1001)
        id 2196EF2C8BB; Wed, 12 Feb 2020 14:13:14 +1100 (AEDT)
From:   Russell Coker <russell@coker.com.au>
To:     "selinux-refpolicy@vger.kernel.org" 
        <selinux-refpolicy@vger.kernel.org>
Reply-To: russell@coker.com.au
Subject: trivial mail server patch
Date:   Wed, 12 Feb 2020 14:13:13 +1100
Message-ID: <2790872.6eiCcbVEAQ@xev>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="nextPart21966632.53F8HSx9Kg"
Content-Transfer-Encoding: 7Bit
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

This is a multi-part message in MIME format.

--nextPart21966632.53F8HSx9Kg
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"

This patch against git refpolicy has a bunch of trivial patches related to 
mail servers.  I think it's ready for merging.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

--nextPart21966632.53F8HSx9Kg
Content-Disposition: attachment; filename="mta.diff"
Content-Transfer-Encoding: 7Bit
Content-Type: text/x-patch; charset="UTF-8"; name="mta.diff"

Index: refpolicy-2.20200209/policy/modules/services/mailman.fc
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/mailman.fc
+++ refpolicy-2.20200209/policy/modules/services/mailman.fc
@@ -23,6 +23,7 @@
 /usr/lib/mailman/mail/mailman	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 /usr/lib/mailman/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 /usr/lib/mailman/scripts/mailman	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/etc/mailman/postfix-to-mailman.py	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 
 /usr/mailman/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 
Index: refpolicy-2.20200209/policy/modules/services/mailman.if
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/mailman.if
+++ refpolicy-2.20200209/policy/modules/services/mailman.if
@@ -319,6 +319,7 @@ interface(`mailman_read_archive',`
 	files_search_var_lib($1)
 	allow $1 mailman_archive_t:dir list_dir_perms;
 	read_files_pattern($1, mailman_archive_t, mailman_archive_t)
+	allow $1 mailman_archive_t:file map;
 	read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t)
 ')
 
Index: refpolicy-2.20200209/policy/modules/services/mailman.te
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/mailman.te
+++ refpolicy-2.20200209/policy/modules/services/mailman.te
@@ -182,6 +182,7 @@ corecmd_exec_bin(mailman_mail_t)
 files_search_locks(mailman_mail_t)
 
 fs_rw_anon_inodefs_files(mailman_mail_t)
+fs_search_tmpfs(mailman_mail_t)
 
 # this is far from ideal, but systemd reduces the importance of initrc_t
 init_signal_script(mailman_mail_t)
Index: refpolicy-2.20200209/policy/modules/services/mta.if
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/mta.if
+++ refpolicy-2.20200209/policy/modules/services/mta.if
@@ -251,6 +251,7 @@ interface(`mta_manage_mail_home_rw_conte
 	userdom_search_user_home_dirs($1)
 	manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
 	manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+	allow $1 mail_home_rw_t:file map;
 	manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
 ')
 
@@ -867,6 +868,7 @@ interface(`mta_read_spool_files',`
 
 	files_search_spool($1)
 	read_files_pattern($1, mail_spool_t, mail_spool_t)
+	allow $1 mail_spool_t:file map;
 ')
 
 ########################################
@@ -949,6 +951,7 @@ interface(`mta_manage_spool',`
 	files_search_spool($1)
 	manage_dirs_pattern($1, mail_spool_t, mail_spool_t)
 	manage_files_pattern($1, mail_spool_t, mail_spool_t)
+	allow $1 mail_spool_t:file map;
 	manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
 ')
 
Index: refpolicy-2.20200209/policy/modules/services/spamassassin.if
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/spamassassin.if
+++ refpolicy-2.20200209/policy/modules/services/spamassassin.if
@@ -433,3 +433,22 @@ interface(`spamassassin_admin',`
 	# sa-update
 	spamassassin_run_update($1, $2)
 ')
+
+########################################
+## <summary>
+##	Get SA service status
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`spamassassin_service_reload',`
+	gen_require(`
+		type spamassassin_unit_t;
+	')
+
+	allow $1 spamassassin_unit_t:service { status reload };
+')
Index: refpolicy-2.20200209/policy/modules/services/spamassassin.te
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/spamassassin.te
+++ refpolicy-2.20200209/policy/modules/services/spamassassin.te
@@ -22,6 +22,7 @@ gen_tunable(spamassassin_can_network, fa
 gen_tunable(spamd_enable_home_dirs, false)
 
 type spamd_update_t;
+typealias spamd_update_t alias { spamd_gpg_t };
 type spamd_update_exec_t;
 init_system_domain(spamd_update_t, spamd_update_exec_t)
 
@@ -62,9 +63,6 @@ files_type(spamd_compiled_t)
 type spamd_etc_t;
 files_config_file(spamd_etc_t)
 
-type spamd_gpg_t;
-domain_type(spamd_gpg_t)
-
 type spamd_home_t;
 userdom_user_home_content(spamd_home_t)
 
@@ -351,6 +349,7 @@ corenet_udp_bind_imaze_port(spamd_t)
 
 corenet_dontaudit_udp_bind_all_ports(spamd_t)
 
+corecmd_exec_shell(spamd_t)
 corecmd_exec_bin(spamd_t)
 
 dev_read_sysfs(spamd_t)
@@ -358,6 +357,7 @@ dev_read_urand(spamd_t)
 
 domain_use_interactive_fds(spamd_t)
 
+files_map_etc_files(spamd_t)
 files_read_usr_files(spamd_t)
 files_read_etc_runtime_files(spamd_t)
 
@@ -372,6 +372,7 @@ libs_use_shared_libs(spamd_t)
 
 logging_send_syslog_msg(spamd_t)
 
+miscfiles_read_generic_certs(spamd_t)
 miscfiles_read_localization(spamd_t)
 
 sysnet_use_ldap(spamd_t)
@@ -487,6 +488,8 @@ manage_dirs_pattern(spamd_update_t, spam
 manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
 manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
 
+kernel_read_crypto_sysctls(spamd_update_t)
+kernel_search_fs_sysctls(spamd_update_t)
 kernel_read_system_state(spamd_update_t)
 
 corecmd_exec_bin(spamd_update_t)
@@ -512,6 +515,7 @@ fs_getattr_xattr_fs(spamd_update_t)
 auth_use_nsswitch(spamd_update_t)
 auth_dontaudit_read_shadow(spamd_update_t)
 
+miscfiles_read_generic_certs(spamd_update_t)
 miscfiles_read_localization(spamd_update_t)
 
 userdom_use_inherited_user_terminals(spamd_update_t)
@@ -523,35 +527,5 @@ optional_policy(`
 ')
 
 optional_policy(`
-	gpg_spec_domtrans(spamd_update_t, spamd_gpg_t)
-	gpg_entry_type(spamd_gpg_t)
-	role system_r types spamd_gpg_t;
-
-	allow spamd_gpg_t self:capability { dac_override dac_read_search };
-	allow spamd_gpg_t self:unix_stream_socket { connect create };
-
-	allow spamd_gpg_t spamd_update_t:fd use;
-	allow spamd_gpg_t spamd_update_t:process sigchld;
-	allow spamd_gpg_t spamd_update_t:fifo_file { getattr write };
-	allow spamd_gpg_t spamd_var_lib_t:dir rw_dir_perms;
-	allow spamd_gpg_t spamd_var_lib_t:file manage_file_perms;
-	allow spamd_gpg_t spamd_update_tmp_t:file read_file_perms;
-
-	# fips
-	kernel_read_crypto_sysctls(spamd_gpg_t)
-
-	domain_use_interactive_fds(spamd_gpg_t)
-
-	files_read_etc_files(spamd_gpg_t)
-	files_read_usr_files(spamd_gpg_t)
-	files_search_var_lib(spamd_gpg_t)
-	files_search_pids(spamd_gpg_t)
-	files_search_tmp(spamd_gpg_t)
-
-	init_use_fds(spamd_gpg_t)
-	init_rw_inherited_stream_socket(spamd_gpg_t)
-
-	miscfiles_read_localization(spamd_gpg_t)
-
-	userdom_use_inherited_user_terminals(spamd_gpg_t)
+	gpg_exec(spamd_update_t)
 ')
Index: refpolicy-2.20200209/policy/modules/services/clamav.te
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/clamav.te
+++ refpolicy-2.20200209/policy/modules/services/clamav.te
@@ -146,6 +146,7 @@ auth_use_nsswitch(clamd_t)
 
 logging_send_syslog_msg(clamd_t)
 
+miscfiles_read_generic_certs(clamd_t)
 miscfiles_read_localization(clamd_t)
 
 tunable_policy(`clamd_use_jit',`
@@ -235,6 +236,7 @@ auth_use_nsswitch(freshclam_t)
 
 logging_send_syslog_msg(freshclam_t)
 
+miscfiles_read_generic_certs(freshclam_t)
 miscfiles_read_localization(freshclam_t)
 
 tunable_policy(`clamd_use_jit',`
Index: refpolicy-2.20200209/policy/modules/services/dkim.te
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/dkim.te
+++ refpolicy-2.20200209/policy/modules/services/dkim.te
@@ -44,6 +44,8 @@ files_pid_filetrans(dkim_milter_t, dkim_
 files_read_usr_files(dkim_milter_t)
 files_search_spool(dkim_milter_t)
 
+miscfiles_read_generic_certs(dkim_milter_t)
+
 optional_policy(`
 	mta_read_config(dkim_milter_t)
 ')
Index: refpolicy-2.20200209/policy/modules/services/dovecot.te
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/dovecot.te
+++ refpolicy-2.20200209/policy/modules/services/dovecot.te
@@ -173,6 +173,7 @@ files_read_usr_files(dovecot_t)
 
 fs_getattr_all_fs(dovecot_t)
 fs_getattr_all_dirs(dovecot_t)
+fs_read_tmpfs_symlinks(dovecot_t)
 fs_search_auto_mountpoints(dovecot_t)
 fs_list_inotifyfs(dovecot_t)
 
@@ -269,7 +270,12 @@ selinux_get_fs_mount(dovecot_auth_t)
 auth_domtrans_chk_passwd(dovecot_auth_t)
 auth_use_nsswitch(dovecot_auth_t)
 
+fs_search_tmpfs(dovecot_auth_t)
+fs_read_tmpfs_symlinks(dovecot_auth_t)
+
 init_rw_utmp(dovecot_auth_t)
+init_rw_inherited_stream_socket(dovecot_auth_t)
+init_use_fds(dovecot_auth_t)
 
 logging_send_audit_msgs(dovecot_auth_t)
 
Index: refpolicy-2.20200209/policy/modules/services/postfix.te
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/postfix.te
+++ refpolicy-2.20200209/policy/modules/services/postfix.te
@@ -336,6 +336,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	mysql_read_config(postfix_master_t)
 	mysql_stream_connect(postfix_master_t)
 ')
 
@@ -427,6 +428,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	mysql_read_config(postfix_cleanup_t)
+')
+
+optional_policy(`
 	dbus_send_system_bus(postfix_cleanup_t)
 	dbus_system_bus_client(postfix_cleanup_t)
 	init_dbus_chat(postfix_cleanup_t)
@@ -648,6 +653,7 @@ mta_rw_user_mail_stream_sockets(postfix_
 
 optional_policy(`
 	apache_dontaudit_rw_fifo_file(postfix_postdrop_t)
+	apache_use_fds(postfix_postdrop_t)
 ')
 
 optional_policy(`
@@ -826,6 +832,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	mysql_read_config(postfix_smtpd_t)
+')
+
+optional_policy(`
 	postgrey_stream_connect(postfix_smtpd_t)
 ')
 

--nextPart21966632.53F8HSx9Kg--