Date: Sun, 5 Apr 2020 19:04:28 +1000
From: Russell Coker To: "selinux-refpolicy@vger.kernel.org" Subject: latest ver of trivial mail server patch Message-ID: <20200405090428.GD177560@xev> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org Yes mmap is the standard way of accessing the mail spool. Removed spamd_gpg_t because there's no point to it, the separation doesn't provide an actual benefit. Made the other requested changes. Signed-off-by: Russell Coker Index: refpolicy-2.20200405/policy/modules/services/mailman.fc =================================================================== --- refpolicy-2.20200405.orig/policy/modules/services/mailman.fc +++ refpolicy-2.20200405/policy/modules/services/mailman.fc @@ -1,6 +1,7 @@ /etc/cron\.(daily|monthly)/mailman -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) /etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0) +/etc/mailman/postfix-to-mailman.py -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) /usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) /usr/lib/mailman/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) Index: refpolicy-2.20200405/policy/modules/services/mailman.if =================================================================== --- refpolicy-2.20200405.orig/policy/modules/services/mailman.if +++ refpolicy-2.20200405/policy/modules/services/mailman.if 
@@ -319,6 +319,7 @@ interface(`mailman_read_archive',` files_search_var_lib($1) allow $1 mailman_archive_t:dir list_dir_perms; read_files_pattern($1, mailman_archive_t, mailman_archive_t) + allow $1 mailman_archive_t:file map; read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t) ') Index: refpolicy-2.20200405/policy/modules/services/mailman.te =================================================================== --- refpolicy-2.20200405.orig/policy/modules/services/mailman.te +++ refpolicy-2.20200405/policy/modules/services/mailman.te @@ -182,6 +182,7 @@ corecmd_exec_bin(mailman_mail_t) files_search_locks(mailman_mail_t) fs_rw_anon_inodefs_files(mailman_mail_t) +fs_search_tmpfs(mailman_mail_t) # this is far from ideal, but systemd reduces the importance of initrc_t init_signal_script(mailman_mail_t) Index: refpolicy-2.20200405/policy/modules/services/mta.if =================================================================== --- refpolicy-2.20200405.orig/policy/modules/services/mta.if +++ refpolicy-2.20200405/policy/modules/services/mta.if @@ -251,6 +251,7 @@ interface(`mta_manage_mail_home_rw_conte userdom_search_user_home_dirs($1) manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t) manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t) + allow $1 mail_home_rw_t:file map; manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t) ') @@ -867,6 +868,7 @@ interface(`mta_read_spool_files',` files_search_spool($1) read_files_pattern($1, mail_spool_t, mail_spool_t) + allow $1 mail_spool_t:file map; ') ######################################## 
@@ -949,6 +951,7 @@ interface(`mta_manage_spool',` files_search_spool($1) manage_dirs_pattern($1, mail_spool_t, mail_spool_t) manage_files_pattern($1, mail_spool_t, mail_spool_t) + allow $1 mail_spool_t:file map; manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') Index: refpolicy-2.20200405/policy/modules/services/spamassassin.if =================================================================== --- refpolicy-2.20200405.orig/policy/modules/services/spamassassin.if +++ refpolicy-2.20200405/policy/modules/services/spamassassin.if @@ -433,3 +433,41 @@ interface(`spamassassin_admin',` # sa-update spamassassin_run_update($1, $2) ') + +######################################## +## +## reload SA service +## +## +## +## Domain allowed access. +## +## +## +# +interface(`spamassassin_service_reload',` + gen_require(` + type spamassassin_unit_t; + ') + + allow $1 spamassassin_unit_t:service reload; +') + +######################################## +## +## Get SA service status +## +## +## +## Domain allowed access. +## +## +## +# +interface(`spamassassin_service_status',` + gen_require(` + type spamassassin_unit_t; + ') + + allow $1 spamassassin_unit_t:service status; +') Index: refpolicy-2.20200405/policy/modules/services/spamassassin.te =================================================================== --- refpolicy-2.20200405.orig/policy/modules/services/spamassassin.te +++ refpolicy-2.20200405/policy/modules/services/spamassassin.te @@ -22,6 +22,7 @@ gen_tunable(spamassassin_can_network, fa gen_tunable(spamd_enable_home_dirs, false) type spamd_update_t; +typealias spamd_update_t alias { spamd_gpg_t }; type spamd_update_exec_t; init_system_domain(spamd_update_t, spamd_update_exec_t) @@ -62,9 +63,6 @@ files_type(spamd_compiled_t) type spamd_etc_t; files_config_file(spamd_etc_t) -type spamd_gpg_t; -domain_type(spamd_gpg_t) - type spamd_home_t; userdom_user_home_content(spamd_home_t) 
@@ -199,11 +197,13 @@ corenet_all_recvfrom_unlabeled(spamc_t) corenet_all_recvfrom_netlabel(spamc_t) corenet_tcp_sendrecv_generic_if(spamc_t) corenet_tcp_sendrecv_generic_node(spamc_t) +corenet_udp_bind_generic_node(spamc_t) corenet_sendrecv_all_client_packets(spamc_t) corenet_tcp_connect_all_ports(spamc_t) corecmd_exec_bin(spamc_t) +corecmd_exec_shell(spamc_t) dev_read_rand(spamc_t) dev_read_urand(spamc_t) @@ -256,6 +256,8 @@ optional_policy(` optional_policy(` mta_send_mail(spamc_t) + mta_getattr_spool(spamc_t) + mta_read_spool_files(spamc_t) mta_read_config(spamc_t) mta_read_queue(spamc_t) sendmail_rw_pipes(spamc_t) @@ -351,6 +353,7 @@ corenet_udp_bind_imaze_port(spamd_t) corenet_dontaudit_udp_bind_all_ports(spamd_t) +corecmd_exec_shell(spamd_t) corecmd_exec_bin(spamd_t) dev_read_sysfs(spamd_t) @@ -358,6 +361,7 @@ dev_read_urand(spamd_t) domain_use_interactive_fds(spamd_t) +files_map_etc_files(spamd_t) files_read_usr_files(spamd_t) files_read_etc_runtime_files(spamd_t) @@ -372,6 +376,7 @@ libs_use_shared_libs(spamd_t) logging_send_syslog_msg(spamd_t) +miscfiles_read_generic_certs(spamd_t) miscfiles_read_localization(spamd_t) sysnet_use_ldap(spamd_t) @@ -487,6 +492,8 @@ manage_dirs_pattern(spamd_update_t, spam manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t) manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t) +kernel_read_crypto_sysctls(spamd_update_t) +kernel_search_fs_sysctls(spamd_update_t) kernel_read_system_state(spamd_update_t) corecmd_exec_bin(spamd_update_t) @@ -512,6 +519,7 @@ fs_getattr_xattr_fs(spamd_update_t) auth_use_nsswitch(spamd_update_t) auth_dontaudit_read_shadow(spamd_update_t) +miscfiles_read_generic_certs(spamd_update_t) miscfiles_read_localization(spamd_update_t) userdom_use_inherited_user_terminals(spamd_update_t) 
@@ -523,35 +531,5 @@ optional_policy(` ') optional_policy(` - gpg_spec_domtrans(spamd_update_t, spamd_gpg_t) - gpg_entry_type(spamd_gpg_t) - role system_r types spamd_gpg_t; - - allow spamd_gpg_t self:capability { dac_override dac_read_search }; - allow spamd_gpg_t self:unix_stream_socket { connect create }; - - allow spamd_gpg_t spamd_update_t:fd use; - allow spamd_gpg_t spamd_update_t:process sigchld; - allow spamd_gpg_t spamd_update_t:fifo_file { getattr write }; - allow spamd_gpg_t spamd_var_lib_t:dir rw_dir_perms; - allow spamd_gpg_t spamd_var_lib_t:file manage_file_perms; - allow spamd_gpg_t spamd_update_tmp_t:file read_file_perms; - - # fips - kernel_read_crypto_sysctls(spamd_gpg_t) - - domain_use_interactive_fds(spamd_gpg_t) - - files_read_etc_files(spamd_gpg_t) - files_read_usr_files(spamd_gpg_t) - files_search_var_lib(spamd_gpg_t) - files_search_pids(spamd_gpg_t) - files_search_tmp(spamd_gpg_t) - - init_use_fds(spamd_gpg_t) - init_rw_inherited_stream_socket(spamd_gpg_t) - - miscfiles_read_localization(spamd_gpg_t) - - userdom_use_inherited_user_terminals(spamd_gpg_t) + gpg_exec(spamd_update_t) ') Index: refpolicy-2.20200405/policy/modules/services/clamav.te =================================================================== --- refpolicy-2.20200405.orig/policy/modules/services/clamav.te +++ refpolicy-2.20200405/policy/modules/services/clamav.te @@ -146,6 +146,7 @@ auth_use_nsswitch(clamd_t) logging_send_syslog_msg(clamd_t) +miscfiles_read_generic_certs(clamd_t) miscfiles_read_localization(clamd_t) tunable_policy(`clamd_use_jit',` 
@@ -235,6 +236,7 @@ auth_use_nsswitch(freshclam_t) logging_send_syslog_msg(freshclam_t) +miscfiles_read_generic_certs(freshclam_t) miscfiles_read_localization(freshclam_t) tunable_policy(`clamd_use_jit',` Index: refpolicy-2.20200405/policy/modules/services/dkim.te =================================================================== --- refpolicy-2.20200405.orig/policy/modules/services/dkim.te +++ refpolicy-2.20200405/policy/modules/services/dkim.te @@ -44,6 +44,8 @@ files_pid_filetrans(dkim_milter_t, dkim_ files_read_usr_files(dkim_milter_t) files_search_spool(dkim_milter_t) +miscfiles_read_generic_certs(dkim_milter_t) + optional_policy(` mta_read_config(dkim_milter_t) ') Index: refpolicy-2.20200405/policy/modules/services/dovecot.te =================================================================== --- refpolicy-2.20200405.orig/policy/modules/services/dovecot.te +++ refpolicy-2.20200405/policy/modules/services/dovecot.te @@ -173,6 +173,7 @@ files_read_usr_files(dovecot_t) fs_getattr_all_fs(dovecot_t) fs_getattr_all_dirs(dovecot_t) +fs_read_tmpfs_symlinks(dovecot_t) fs_search_auto_mountpoints(dovecot_t) fs_list_inotifyfs(dovecot_t) @@ -269,7 +270,12 @@ selinux_get_fs_mount(dovecot_auth_t) auth_domtrans_chk_passwd(dovecot_auth_t) auth_use_nsswitch(dovecot_auth_t) +fs_search_tmpfs(dovecot_auth_t) +fs_read_tmpfs_symlinks(dovecot_auth_t) + init_rw_utmp(dovecot_auth_t) +init_rw_inherited_stream_socket(dovecot_auth_t) +init_use_fds(dovecot_auth_t) logging_send_audit_msgs(dovecot_auth_t) Index: refpolicy-2.20200405/policy/modules/services/postfix.te =================================================================== --- refpolicy-2.20200405.orig/policy/modules/services/postfix.te +++ refpolicy-2.20200405/policy/modules/services/postfix.te @@ -336,6 +336,7 @@ optional_policy(` ') optional_policy(` + mysql_read_config(postfix_master_t) mysql_stream_connect(postfix_master_t) ') 
@@ -427,6 +428,10 @@ optional_policy(` ') optional_policy(` + mysql_read_config(postfix_cleanup_t) +') + +optional_policy(` dbus_send_system_bus(postfix_cleanup_t) dbus_system_bus_client(postfix_cleanup_t) init_dbus_chat(postfix_cleanup_t) @@ -648,6 +653,7 @@ mta_rw_user_mail_stream_sockets(postfix_ optional_policy(` apache_dontaudit_rw_fifo_file(postfix_postdrop_t) + apache_use_fds(postfix_postdrop_t) ') optional_policy(` @@ -826,6 +832,10 @@ optional_policy(` ') optional_policy(` + mysql_read_config(postfix_smtpd_t) +') + +optional_policy(` postgrey_stream_connect(postfix_smtpd_t) ')
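Review bot: in the mailman.if hunk (mailman_read_archive) the raw `allow $1 mailman_archive_t:file map;` can be expressed with refpolicy's own pattern by replacing the preceding `read_files_pattern($1, mailman_archive_t, mailman_archive_t)` with `mmap_read_files_pattern($1, mailman_archive_t, mailman_archive_t)`, which grants read and map together and keeps the interface free of bare allow rules like the rest of it; the same applies to the `map` line added to mta_read_spool_files in mta.if, and to the two manage interfaces (mta_manage_mail_home_rw_content, mta_manage_spool) if this tree carries the matching manage variant of the pattern.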
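Review bot: adding `map` inside mta_read_spool_files and mta_manage_spool (mta.if) changes every existing caller of those interfaces, not just spamc_t which gains mta_read_spool_files in the spamassassin.te hunk; the commit message says mmap is the standard way to access the spool, so that is presumably the intent, but the message should state that all current callers now get map on mail_spool_t so the wider effect is recorded.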
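Review bot: in the mailman.te hunk, `fs_search_tmpfs(mailman_mail_t)` has no comment saying which tmpfs directory the mail handler searches, while the neighbouring `init_signal_script` line does carry its justification; since content under /run gets its own file types rather than tmpfs_t, a genuine tmpfs_t search usually means /dev/shm or an unlabelled tmpfs mount, and naming the path (or the denial that prompted it) would let maintainers judge whether a narrower rule fits.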
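Review bot: the spamassassin.if hunk adds spamassassin_service_reload and spamassassin_service_status, but no domain in this patch calls either, so they arrive as dead interfaces; either include the caller or say in the message which domain they are for. The summary "reload SA service" should be written like the neighbouring interface summaries (a capitalised sentence naming spamassassin rather than "SA"), and the two descriptions should use parallel wording. Both gen_require `spamassassin_unit_t`, which is not declared anywhere in this patch, so confirm it already exists in spamassassin.te.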
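Review bot: `typealias spamd_update_t alias { spamd_gpg_t };` in the first spamassassin.te hunk is the right way to retire the type without breaking policy or file contexts that still name spamd_gpg_t; add a one-line comment beside it saying the alias exists only for compatibility, so a later cleanup knows it can be dropped once nothing references the old name.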
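Review bot: in the spamc_t hunk (@@ -199) `corecmd_exec_shell(spamc_t)` and `corenet_udp_bind_generic_node(spamc_t)` arrive without a comment on what spamc runs or binds; a shell executed here stays in spamc_t, so anything it launches inherits the domain's existing network rights (`corenet_tcp_connect_all_ports(spamc_t)` is in the same context). If the shell is only ever a specific helper, a transition to its own domain would be tighter; if it is needed as written, name the triggering use in a comment. The same question applies to `corecmd_exec_shell(spamd_t)` in the @@ -351 hunk.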
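Review bot: in the spamd_update_t hunk (@@ -487), `kernel_read_crypto_sysctls(spamd_update_t)` loses the `# fips` comment that sat above the same call in the removed spamd_gpg_t block; carry the comment over, and add one for `kernel_search_fs_sysctls(spamd_update_t)`, which the old gpg block did not have and whose purpose is not stated anywhere in the patch.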
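Review bot: the @@ -523 hunk replaces the spamd_gpg_t domain with `gpg_exec(spamd_update_t)`, so gpg now runs with spamd_update_t's rules, yet several rules the old domain had are not re-added for spamd_update_t in this patch: `allow spamd_gpg_t self:capability { dac_override dac_read_search };`, `allow spamd_gpg_t self:unix_stream_socket { connect create };`, files_search_pids, files_search_tmp, init_use_fds and init_rw_inherited_stream_socket. If gpg still needs any of them they will now be denied unless spamd_update_t already has equivalents (only kernel_read_crypto_sysctls is visibly carried over, in the @@ -487 hunk); the commit message should say which of these were tested and found unnecessary.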
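Review bot: in the dovecot.te hunk for dovecot_auth_t (@@ -269), `init_use_fds` plus `init_rw_inherited_stream_socket` indicate the auth process now runs with descriptors inherited from init (socket activation or a systemd-managed socket); please say so in a comment, since a reader cannot otherwise tell why an auth helper talks over init's sockets. For `fs_search_tmpfs` and `fs_read_tmpfs_symlinks` here, and `fs_read_tmpfs_symlinks(dovecot_t)` in the @@ -173 hunk, name the tmpfs path involved; /run content is not tmpfs_t, so these rules imply symlinks on a real tmpfs mount and a comment would help confirm that is intended.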
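Review bot: in the postfix.te hunks for postfix_cleanup_t (@@ -427) and postfix_smtpd_t (@@ -826), `mysql_read_config` is added in new optional_policy blocks with no accompanying connect permission, unlike postfix_master_t (@@ -336) where it joins an existing `mysql_stream_connect(postfix_master_t)`. If cleanup and smtpd perform the mysql map lookups themselves they also need mysql_stream_connect or the TCP client rules, so either those already exist in the file (in which case fold the new call into that block instead of opening a second mysql optional_policy) or the config read alone will be followed by a connect denial; please state which.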