Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp3863613ybv;
        Sun, 16 Feb 2020 07:34:57 -0800 (PST)
X-Google-Smtp-Source: APXvYqzIcoGy9Ub4Ek10BjPdmHwrxXegcbyRmYV+KpmSe2kEtFefMWZINNcfQQJr3TqKlkT8/KSA
X-Received: by 2002:aca:48d0:: with SMTP id v199mr7351183oia.10.1581867297230;
        Sun, 16 Feb 2020 07:34:57 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1581867297; cv=none;
        d=google.com; s=arc-20160816;
        b=KvGWWDf8xIiE8fC1k2dHV5AWwzd1qwuhUtSnB3Vl/T46NXh4IADUswoR3ieJ33LPBI
         1Tpi2WFo3bCy//lfobbEs+ffwbhdKQz3GArP9eSsJCmU2B+gX8KZeX9zxiIs6o17Fm+6
         2AVP9piozQDBR6WHMeFpD3SHyPNQz9bQOwkrK9pRgDVNp7a6vzNE+T34HvBCfYzCOu7D
         Gyx5xNRsQmBPgfb+HVbJNDJmCeTR7VbP9MRrQGfiarCyx3b1iriN5H0Es4bZBWqV6ORr
         dvWoAVuXAAGIii61/BxSDR/zPAFZ3f5ESSJi1Dbx3zDtwTaeeJWzfMNRWd6a7YJ5ZihD
         eMOw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:to:subject:dkim-signature;
        bh=9+bG8jRED6dkwC+aZfXhAdr+PdwrSx3baQteuq6JSOY=;
        b=iR9AT/BMFmqfoX5JGQ0c26QWkTC7xHGOdLtQ6BXEHZR1D4Osal7B7fyZRvKs+wZ+Y3
         R7EsZGCz21EJrkIFIeFmZq6Po0nL8SI+5knuRBkixl9PUe0fqoUOS8LdJ+QWPpG7fKw7
         AXKP4DdnciR/P3Bhksrn1+WhPNEHrhAeJtcWSkDVC4raWivL6qfvkBX+7rp+rY24zkL5
         E3+V21OGIaYErtmgmPG7HO1Ipy0uOkzcuRj9oqMmhoeYTfjHyYji7KKH7+TntvXNrtX2
         B/YWYmgTHxdIUZpGRRNLONW0PHICG6XJXKT616b9KrhD1tZJlu4QLPJzYDFUms8HzAOM
         Y/GA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@ieee.org header.s=google header.b=B2mCoH3+;
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ieee.org
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 7si5290332oix.49.2020.02.16.07.34.55;
        Sun, 16 Feb 2020 07:34:57 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@ieee.org header.s=google header.b=B2mCoH3+;
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ieee.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728350AbgBPPes (ORCPT <rfc822;refpolicysuse@gmail.com>
        + 13 others); Sun, 16 Feb 2020 10:34:48 -0500
Received: from mail-qt1-f175.google.com ([209.85.160.175]:37664 "EHLO
        mail-qt1-f175.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726171AbgBPPer (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Sun, 16 Feb 2020 10:34:47 -0500
Received: by mail-qt1-f175.google.com with SMTP id w47so10396259qtk.4
        for <selinux-refpolicy@vger.kernel.org>; Sun, 16 Feb 2020 07:34:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=ieee.org; s=google;
        h=subject:to:references:from:message-id:date:user-agent:mime-version
         :in-reply-to:content-language:content-transfer-encoding;
        bh=9+bG8jRED6dkwC+aZfXhAdr+PdwrSx3baQteuq6JSOY=;
        b=B2mCoH3+dt41ldX07dxoXe+fv5qMl9p7IatU4POHQYA1ieuBAPhLFH0VJZT8jSwQKv
         23cuRCUPKIiElmaG02tKGLiibMkRRmd+/zyS1k8oGrWGZmKjqXoAT1gBzqLStDyfpVad
         qgp858kwf8xV5EFMT7QbvqWPgLDQrXTfphmBQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=9+bG8jRED6dkwC+aZfXhAdr+PdwrSx3baQteuq6JSOY=;
        b=VFZR2/WkADBmzSJ4ZMU8Beixpl8O7Fw6uQMLulk4Fmk/pHpzPY4CVJ2PYUQVVHxiA/
         qp8uohim9VrkVWOKlkeTwdWXlLcg0elxanKwJYLChY47Q3+me/2BFStDH2PXfOjCx8q+
         R6eVA3R9Sr5KCNmM6uL0Xs7rhOA0MRP1UrDOigpdAa32c9n2Ep0II0b3dmx9og4c00cE
         cUbMS72H9kob32TJH70u1ZXyOatklTWaQmlwq16rHr6+9KymiA70p1XR2GvjywLngHPx
         Q4dBElfDntn+nta05HHJZC6BcikMyW+iw9bZFk9zSOr1LMTWKQvF8RxWFJ3Vui56Q5mr
         Ee3A==
X-Gm-Message-State: APjAAAU36Xp4ELeJGb83oVKYO42Uv1V/N4AwDco903yY69TiPC08usLs
        uobIvIKfKwb1JP0ZVeCVRKccGRKZAQs=
X-Received: by 2002:ac8:176b:: with SMTP id u40mr10274357qtk.272.1581867286279;
        Sun, 16 Feb 2020 07:34:46 -0800 (PST)
Received: from fedora.pebenito.net (pool-108-15-23-247.bltmmd.fios.verizon.net. [108.15.23.247])
        by smtp.gmail.com with ESMTPSA id 21sm7049368qkf.4.2020.02.16.07.34.45
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Sun, 16 Feb 2020 07:34:45 -0800 (PST)
Subject: Re: trivial mail server patch
To:     russell@coker.com.au,
        "selinux-refpolicy@vger.kernel.org" 
        <selinux-refpolicy@vger.kernel.org>
References: <2790872.6eiCcbVEAQ@xev>
From:   Chris PeBenito <pebenito@ieee.org>
Message-ID: <dce05326-5a6d-ed01-9f1a-dadd1bb99419@ieee.org>
Date:   Sun, 16 Feb 2020 10:23:56 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.3.1
MIME-Version: 1.0
In-Reply-To: <2790872.6eiCcbVEAQ@xev>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 2/11/20 10:13 PM, Russell Coker wrote:
> This patch against git refpolicy has a bunch of trivial patches related to
> mail servers.  I think it's ready for merging.

Please inline patch and add signed-off-by

> --- refpolicy-2.20200209.orig/policy/modules/services/mailman.fc
> +++ refpolicy-2.20200209/policy/modules/services/mailman.fc
> @@ -23,6 +23,7 @@
>  /usr/lib/mailman/mail/mailman	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
>  /usr/lib/mailman/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
>  /usr/lib/mailman/scripts/mailman	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> +/etc/mailman/postfix-to-mailman.py	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)

Please move up with other /etc lines.



> --- refpolicy-2.20200209.orig/policy/modules/services/mta.if
> +++ refpolicy-2.20200209/policy/modules/services/mta.if
> @@ -251,6 +251,7 @@ interface(`mta_manage_mail_home_rw_conte
>  	userdom_search_user_home_dirs($1)
>  	manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
>  	manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
> +	allow $1 mail_home_rw_t:file map;
>  	manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
>  ')
>  
> @@ -867,6 +868,7 @@ interface(`mta_read_spool_files',`
>  
>  	files_search_spool($1)
>  	read_files_pattern($1, mail_spool_t, mail_spool_t)
> +	allow $1 mail_spool_t:file map;
>  ')
>  
>  ########################################
> @@ -949,6 +951,7 @@ interface(`mta_manage_spool',`
>  	files_search_spool($1)
>  	manage_dirs_pattern($1, mail_spool_t, mail_spool_t)
>  	manage_files_pattern($1, mail_spool_t, mail_spool_t)
> +	allow $1 mail_spool_t:file map;
>  	manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
>  ')

So you're saying that in general these files are all mmaped?


> Index: refpolicy-2.20200209/policy/modules/services/spamassassin.if
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/services/spamassassin.if
> +++ refpolicy-2.20200209/policy/modules/services/spamassassin.if
> @@ -433,3 +433,22 @@ interface(`spamassassin_admin',`
>  	# sa-update
>  	spamassassin_run_update($1, $2)
>  ')
> +
> +########################################
> +## <summary>
> +##	Get SA service status
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`spamassassin_service_reload',`
> +	gen_require(`
> +		type spamassassin_unit_t;
> +	')
> +
> +	allow $1 spamassassin_unit_t:service { status reload };
> +')

Need 2 interfaces

> Index: refpolicy-2.20200209/policy/modules/services/spamassassin.te
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/services/spamassassin.te
> +++ refpolicy-2.20200209/policy/modules/services/spamassassin.te
> @@ -22,6 +22,7 @@ gen_tunable(spamassassin_can_network, fa
>  gen_tunable(spamd_enable_home_dirs, false)
>  
>  type spamd_update_t;
> +typealias spamd_update_t alias { spamd_gpg_t };
>  type spamd_update_exec_t;
>  init_system_domain(spamd_update_t, spamd_update_exec_t)
>  
> @@ -62,9 +63,6 @@ files_type(spamd_compiled_t)
>  type spamd_etc_t;
>  files_config_file(spamd_etc_t)
>  
> -type spamd_gpg_t;
> -domain_type(spamd_gpg_t)

Why are you dropping this?


-- 
Chris PeBenito