Subject: Re: latest ver of trivial mail server patch
To: Russell Coker, selinux-refpolicy@vger.kernel.org
References: <20200405090428.GD177560@xev>
From: Chris PeBenito
Date: Thu, 9 Apr 2020 09:38:54 -0400
In-Reply-To: <20200405090428.GD177560@xev>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 4/5/20 5:04 AM, Russell Coker wrote:
> Yes, mmap is the standard way of accessing the mail spool.
>
> Removed spamd_gpg_t because there's no point to it, the separation doesn't
> provide an actual benefit.
>
> Made the other requested changes.
>
> Signed-off-by: Russell Coker
>
>
> Index: refpolicy-2.20200405/policy/modules/services/mailman.fc
> ===================================================================
> --- refpolicy-2.20200405.orig/policy/modules/services/mailman.fc
> +++ refpolicy-2.20200405/policy/modules/services/mailman.fc
> @@ -1,6 +1,7 @@ > /etc/cron\.(daily|monthly)/mailman -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) > > /etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0) > +/etc/mailman/postfix-to-mailman.py -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) > > /usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) > /usr/lib/mailman/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) > Index: refpolicy-2.20200405/policy/modules/services/mailman.if > =================================================================== > --- refpolicy-2.20200405.orig/policy/modules/services/mailman.if > +++ refpolicy-2.20200405/policy/modules/services/mailman.if > @@ -319,6 +319,7 @@ interface(`mailman_read_archive',` > files_search_var_lib($1) > allow $1 mailman_archive_t:dir list_dir_perms; > read_files_pattern($1, mailman_archive_t, mailman_archive_t) > + allow $1 mailman_archive_t:file map; > read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t) > ') > > Index: refpolicy-2.20200405/policy/modules/services/mailman.te > =================================================================== > --- refpolicy-2.20200405.orig/policy/modules/services/mailman.te > +++ refpolicy-2.20200405/policy/modules/services/mailman.te > @@ -182,6 +182,7 @@ corecmd_exec_bin(mailman_mail_t) > files_search_locks(mailman_mail_t) > > fs_rw_anon_inodefs_files(mailman_mail_t) > +fs_search_tmpfs(mailman_mail_t) > > # this is far from ideal, but systemd reduces the importance of initrc_t > init_signal_script(mailman_mail_t) > Index: refpolicy-2.20200405/policy/modules/services/mta.if > =================================================================== > --- refpolicy-2.20200405.orig/policy/modules/services/mta.if > +++ refpolicy-2.20200405/policy/modules/services/mta.if 
> @@ -251,6 +251,7 @@ interface(`mta_manage_mail_home_rw_conte > userdom_search_user_home_dirs($1) > manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t) > manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t) > + allow $1 mail_home_rw_t:file map; > manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t) > ') > > @@ -867,6 +868,7 @@ interface(`mta_read_spool_files',` > > files_search_spool($1) > read_files_pattern($1, mail_spool_t, mail_spool_t) > + allow $1 mail_spool_t:file map; > ') > > ######################################## > @@ -949,6 +951,7 @@ interface(`mta_manage_spool',` > files_search_spool($1) > manage_dirs_pattern($1, mail_spool_t, mail_spool_t) > manage_files_pattern($1, mail_spool_t, mail_spool_t) > + allow $1 mail_spool_t:file map; > manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t) > ') > > Index: refpolicy-2.20200405/policy/modules/services/spamassassin.if > =================================================================== > --- refpolicy-2.20200405.orig/policy/modules/services/spamassassin.if > +++ refpolicy-2.20200405/policy/modules/services/spamassassin.if 
> @@ -433,3 +433,41 @@ interface(`spamassassin_admin',` > # sa-update > spamassassin_run_update($1, $2) > ') > + > +######################################## > +## > +## reload SA service > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`spamassassin_service_reload',` > + gen_require(` > + type spamassassin_unit_t; > + ') > + > + allow $1 spamassassin_unit_t:service reload; > +') > + > +######################################## > +## > +## Get SA service status > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`spamassassin_service_status',` > + gen_require(` > + type spamassassin_unit_t; > + ') > + > + allow $1 spamassassin_unit_t:service status; > +') > Index: refpolicy-2.20200405/policy/modules/services/spamassassin.te > =================================================================== > --- refpolicy-2.20200405.orig/policy/modules/services/spamassassin.te > +++ refpolicy-2.20200405/policy/modules/services/spamassassin.te > @@ -22,6 +22,7 @@ gen_tunable(spamassassin_can_network, fa > gen_tunable(spamd_enable_home_dirs, false) > > type spamd_update_t; > +typealias spamd_update_t alias { spamd_gpg_t }; > type spamd_update_exec_t; > init_system_domain(spamd_update_t, spamd_update_exec_t) > > @@ -62,9 +63,6 @@ files_type(spamd_compiled_t) > type spamd_etc_t; > files_config_file(spamd_etc_t) > > -type spamd_gpg_t; > -domain_type(spamd_gpg_t) > - > type spamd_home_t; > userdom_user_home_content(spamd_home_t) > > @@ -199,11 +197,13 @@ corenet_all_recvfrom_unlabeled(spamc_t) > corenet_all_recvfrom_netlabel(spamc_t) > corenet_tcp_sendrecv_generic_if(spamc_t) > corenet_tcp_sendrecv_generic_node(spamc_t) > +corenet_udp_bind_generic_node(spamc_t) > > corenet_sendrecv_all_client_packets(spamc_t) > corenet_tcp_connect_all_ports(spamc_t) > > corecmd_exec_bin(spamc_t) > +corecmd_exec_shell(spamc_t) > > dev_read_rand(spamc_t) > dev_read_urand(spamc_t) 
> @@ -256,6 +256,8 @@ optional_policy(` > > optional_policy(` > mta_send_mail(spamc_t) > + mta_getattr_spool(spamc_t) > + mta_read_spool_files(spamc_t) > mta_read_config(spamc_t) > mta_read_queue(spamc_t) > sendmail_rw_pipes(spamc_t) > @@ -351,6 +353,7 @@ corenet_udp_bind_imaze_port(spamd_t) > > corenet_dontaudit_udp_bind_all_ports(spamd_t) > > +corecmd_exec_shell(spamd_t) > corecmd_exec_bin(spamd_t) > > dev_read_sysfs(spamd_t) > @@ -358,6 +361,7 @@ dev_read_urand(spamd_t) > > domain_use_interactive_fds(spamd_t) > > +files_map_etc_files(spamd_t) > files_read_usr_files(spamd_t) > files_read_etc_runtime_files(spamd_t) > > @@ -372,6 +376,7 @@ libs_use_shared_libs(spamd_t) > > logging_send_syslog_msg(spamd_t) > > +miscfiles_read_generic_certs(spamd_t) > miscfiles_read_localization(spamd_t) > > sysnet_use_ldap(spamd_t) > @@ -487,6 +492,8 @@ manage_dirs_pattern(spamd_update_t, spam > manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t) > manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t) > > +kernel_read_crypto_sysctls(spamd_update_t) > +kernel_search_fs_sysctls(spamd_update_t) > kernel_read_system_state(spamd_update_t) > > corecmd_exec_bin(spamd_update_t) > @@ -512,6 +519,7 @@ fs_getattr_xattr_fs(spamd_update_t) > auth_use_nsswitch(spamd_update_t) > auth_dontaudit_read_shadow(spamd_update_t) > > +miscfiles_read_generic_certs(spamd_update_t) > miscfiles_read_localization(spamd_update_t) > > userdom_use_inherited_user_terminals(spamd_update_t) 
> @@ -523,35 +531,5 @@ optional_policy(` > ') > > optional_policy(` > - gpg_spec_domtrans(spamd_update_t, spamd_gpg_t) > - gpg_entry_type(spamd_gpg_t) > - role system_r types spamd_gpg_t; > - > - allow spamd_gpg_t self:capability { dac_override dac_read_search }; > - allow spamd_gpg_t self:unix_stream_socket { connect create }; > - > - allow spamd_gpg_t spamd_update_t:fd use; > - allow spamd_gpg_t spamd_update_t:process sigchld; > - allow spamd_gpg_t spamd_update_t:fifo_file { getattr write }; > - allow spamd_gpg_t spamd_var_lib_t:dir rw_dir_perms; > - allow spamd_gpg_t spamd_var_lib_t:file manage_file_perms; > - allow spamd_gpg_t spamd_update_tmp_t:file read_file_perms; > - > - # fips > - kernel_read_crypto_sysctls(spamd_gpg_t) > - > - domain_use_interactive_fds(spamd_gpg_t) > - > - files_read_etc_files(spamd_gpg_t) > - files_read_usr_files(spamd_gpg_t) > - files_search_var_lib(spamd_gpg_t) > - files_search_pids(spamd_gpg_t) > - files_search_tmp(spamd_gpg_t) > - > - init_use_fds(spamd_gpg_t) > - init_rw_inherited_stream_socket(spamd_gpg_t) > - > - miscfiles_read_localization(spamd_gpg_t) > - > - userdom_use_inherited_user_terminals(spamd_gpg_t) > + gpg_exec(spamd_update_t) > ') > Index: refpolicy-2.20200405/policy/modules/services/clamav.te > =================================================================== > --- refpolicy-2.20200405.orig/policy/modules/services/clamav.te > +++ refpolicy-2.20200405/policy/modules/services/clamav.te > @@ -146,6 +146,7 @@ auth_use_nsswitch(clamd_t) > > logging_send_syslog_msg(clamd_t) > > +miscfiles_read_generic_certs(clamd_t) > miscfiles_read_localization(clamd_t) > > tunable_policy(`clamd_use_jit',` 
> @@ -235,6 +236,7 @@ auth_use_nsswitch(freshclam_t) > > logging_send_syslog_msg(freshclam_t) > > +miscfiles_read_generic_certs(freshclam_t) > miscfiles_read_localization(freshclam_t) > > tunable_policy(`clamd_use_jit',` > Index: refpolicy-2.20200405/policy/modules/services/dkim.te > =================================================================== > --- refpolicy-2.20200405.orig/policy/modules/services/dkim.te > +++ refpolicy-2.20200405/policy/modules/services/dkim.te > @@ -44,6 +44,8 @@ files_pid_filetrans(dkim_milter_t, dkim_ > files_read_usr_files(dkim_milter_t) > files_search_spool(dkim_milter_t) > > +miscfiles_read_generic_certs(dkim_milter_t) > + > optional_policy(` > mta_read_config(dkim_milter_t) > ') > Index: refpolicy-2.20200405/policy/modules/services/dovecot.te > =================================================================== > --- refpolicy-2.20200405.orig/policy/modules/services/dovecot.te > +++ refpolicy-2.20200405/policy/modules/services/dovecot.te > @@ -173,6 +173,7 @@ files_read_usr_files(dovecot_t) > > fs_getattr_all_fs(dovecot_t) > fs_getattr_all_dirs(dovecot_t) > +fs_read_tmpfs_symlinks(dovecot_t) > fs_search_auto_mountpoints(dovecot_t) > fs_list_inotifyfs(dovecot_t) > > @@ -269,7 +270,12 @@ selinux_get_fs_mount(dovecot_auth_t) > auth_domtrans_chk_passwd(dovecot_auth_t) > auth_use_nsswitch(dovecot_auth_t) > > +fs_search_tmpfs(dovecot_auth_t) > +fs_read_tmpfs_symlinks(dovecot_auth_t) > + > init_rw_utmp(dovecot_auth_t) > +init_rw_inherited_stream_socket(dovecot_auth_t) > +init_use_fds(dovecot_auth_t) > > logging_send_audit_msgs(dovecot_auth_t) > > Index: refpolicy-2.20200405/policy/modules/services/postfix.te > =================================================================== > --- refpolicy-2.20200405.orig/policy/modules/services/postfix.te > +++ refpolicy-2.20200405/policy/modules/services/postfix.te 
> @@ -336,6 +336,7 @@ optional_policy(` > ') > > optional_policy(` > + mysql_read_config(postfix_master_t) > mysql_stream_connect(postfix_master_t) > ') > > @@ -427,6 +428,10 @@ optional_policy(` > ') > > optional_policy(` > + mysql_read_config(postfix_cleanup_t) > +') > + > +optional_policy(` > dbus_send_system_bus(postfix_cleanup_t) > dbus_system_bus_client(postfix_cleanup_t) > init_dbus_chat(postfix_cleanup_t) > @@ -648,6 +653,7 @@ mta_rw_user_mail_stream_sockets(postfix_ > > optional_policy(` > apache_dontaudit_rw_fifo_file(postfix_postdrop_t) > + apache_use_fds(postfix_postdrop_t) > ') > > optional_policy(` > @@ -826,6 +832,10 @@ optional_policy(` > ') > > optional_policy(` > + mysql_read_config(postfix_smtpd_t) > +') > + > +optional_policy(` > postgrey_stream_connect(postfix_smtpd_t) > ') > Merged, though I renamed a couple interfaces and made a trivial syntax change. -- Chris PeBenito
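Review bot: in the mailman.fc hunk, the new `/etc/mailman/postfix-to-mailman.py -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)` entry overlaps the existing `/etc/mailman.*` glob that labels everything under that path mailman_data_t, so it takes effect only if the more specific entry is ordered after the glob in the built file_contexts; confirm with `matchpathcon /etc/mailman/postfix-to-mailman.py` that the script resolves to mailman_mail_exec_t rather than mailman_data_t. A one-line comment above the entry explaining why a script under /etc carries the mailman_mail_t entrypoint type would help the next reader.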
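Review bot: in mailman_read_archive (mailman.if) and in mta_manage_mail_home_rw_content, mta_read_spool_files and mta_manage_spool (mta.if) the bare `allow $1 mail_spool_t:file map;` style rules are wedged between the pattern macros; refpolicy's mmap_read_files_pattern and mmap_manage_files_pattern bundle `map` with the read/manage permission sets, so `read_files_pattern($1, mail_spool_t, mail_spool_t)` plus the extra allow collapses to `mmap_read_files_pattern($1, mail_spool_t, mail_spool_t)` and keeps the interfaces in the house style. The interface summaries still describe read/manage access only; since `map` lets the caller page the spool or home mail into its address space (writable, in the manage variants), the doc block or an inline comment should say so.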
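Review bot: spamassassin_service_reload and spamassassin_service_status in spamassassin.if have no caller anywhere in this patch, and the spamassassin_unit_t they gen_require is not declared in the spamassassin.te hunks either, so they only build if that unit type already exists; either include the domain that needs reload/status on the unit or say in the commit message what they are for. The summaries "reload SA service" and "Get SA service status" should be written as full sentences that spell out the service name, matching the surrounding interface docs.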
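Review bot: corecmd_exec_shell(spamc_t), corecmd_exec_shell(spamd_t) and corenet_udp_bind_generic_node(spamc_t) in the spamassassin.te hunks arrive with no comment saying what triggers them; exec_shell in particular widens domains that otherwise only run bin_t, so a one-line comment naming the plugin or helper that shells out (or the denial it clears) would let a reviewer judge whether this belongs behind a tunable such as the existing spamassassin_can_network rather than being unconditional.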
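Review bot: folding gpg into spamd_update_t via gpg_exec(spamd_update_t) drops the `allow spamd_gpg_t self:capability { dac_override dac_read_search };`, init_use_fds, init_rw_inherited_stream_socket and files_search_pids rules the old domain had, but the patch adds none of them to spamd_update_t; if gpg actually exercised them, sa-update will now see denials, and if it did not, the old rules were over-broad and the commit message should say which. The kernel_read_crypto_sysctls move also lost its `# fips` comment, which is worth keeping. The `typealias spamd_update_t alias { spamd_gpg_t };` keeps existing references compiling, but any rule that previously granted only spamd_gpg_t now grants the whole of spamd_update_t.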
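Review bot: in postfix.te, postfix_cleanup_t and postfix_smtpd_t get mysql_read_config in fresh optional_policy blocks while postfix_master_t's is added beside an existing mysql_stream_connect. If cleanup and smtpd read my.cnf because they resolve mysql: lookup tables themselves, they also need to reach the MySQL socket; either those domains already have mysql_stream_connect elsewhere in postfix.te (in which case the new lines belong in those blocks) or the connect rule is missing. A sentence in the commit message on which Postfix maps drove this would settle it.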