Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp1666466ybb;
        Thu, 9 Apr 2020 06:49:45 -0700 (PDT)
X-Google-Smtp-Source: APiQypIFGs8Us8MoQTc9qTM7IKoBTpZiFq4Eoao8ENkCdCPtDV3XQBgvuNOSAdML8RKLSS1Eh3Qi
X-Received: by 2002:a05:6214:521:: with SMTP id x1mr59806qvw.147.1586440185253;
        Thu, 09 Apr 2020 06:49:45 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1586440185; cv=none;
        d=google.com; s=arc-20160816;
        b=d22Fq9pijqyjL8VoYXXnFz2dndMRKTh3nvzktV31dhLU802WOOwMjdhtYEmyqWTSgR
         O0fwt+DOcoS432Fs/BR0FHA/VITFhI6PtFJ1MtBIXOEEwBqrlthLQICDCYtUXBRhTZmY
         KBpZZj93++dZpdTHSC6RXG1kkqIfePmm35Q+oOzm2h0o3s6hID1tm9Xo2jaDLAVq4WkQ
         fZ0wDEUrA5/6PLeYbxUFeSQ4AKiKziditrfTWwdPmj7DbYLTpwF68T1jkFAY4AfHF1yv
         JXUBSdBvu8gD4AMiUyqO756+0YIXbBF/G6apkCjYefTS4BePazBjKC6D30wJv1IrsEJj
         BTcQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:to:subject:dkim-signature;
        bh=XhHtXRnRtz88G6MKeoadUrbGhKsGlPasmv5FEFFldDk=;
        b=X69LUiD0YT/9/3vekNhzNzr33FHuryv77dTt7QDXGRbyXgy+QwbA8Ky6xwkml5MJdZ
         En59wgTpg+JmqNP7Owgml/cLGkqaS4Rvr+7vnGlvfwj1+kvFFKZ1JJIjJTvxjdHV2K1V
         f7sy1Gk7bfuzAKWjxWF47dnVoYE3E19E/rByKVohw0AqVQycsRvAqTFamCG1HxorPnAw
         x97JnlKV9izxmytDOw8PP8gKH1VmRW9XghmxZ53F5pGq1OLIJI14xlGHVJB+DFIlYmmj
         tyTiTxU44wPlbyU3nATAcrwX61gUhanuSLU9x3EPQTHZ8400zjwcV94eaOUPLJgUpXJl
         eKuw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@ieee.org header.s=google header.b=I5ug5nNR;
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ieee.org
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 70si5792315qkk.278.2020.04.09.06.49.42;
        Thu, 09 Apr 2020 06:49:45 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@ieee.org header.s=google header.b=I5ug5nNR;
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ieee.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726946AbgDINtO (ORCPT <rfc822;toiwoton@gmail.com> + 13 others);
        Thu, 9 Apr 2020 09:49:14 -0400
Received: from mail-qt1-f182.google.com ([209.85.160.182]:34509 "EHLO
        mail-qt1-f182.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726641AbgDINtO (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Thu, 9 Apr 2020 09:49:14 -0400
Received: by mail-qt1-f182.google.com with SMTP id 14so2755388qtp.1
        for <selinux-refpolicy@vger.kernel.org>; Thu, 09 Apr 2020 06:49:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=ieee.org; s=google;
        h=subject:to:references:from:message-id:date:user-agent:mime-version
         :in-reply-to:content-language:content-transfer-encoding;
        bh=XhHtXRnRtz88G6MKeoadUrbGhKsGlPasmv5FEFFldDk=;
        b=I5ug5nNRXp2Iwuy+bSW5gaBg6LlLPEUNxE5Xe0cdP4qGxX/ogKSCdN9l2sPKJvLk3b
         RbMtU9lHh6DBu4NGyK4DU7r2b2SywshBEs8ysiEzDthtZ/rfJZWhBj4gd4Oum3XNzAq4
         0am5QDoagjSB2/Gk4SrXHCZsBHaNyOD8DpQBY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=XhHtXRnRtz88G6MKeoadUrbGhKsGlPasmv5FEFFldDk=;
        b=ZbixSP+ASv+qmkfWiQIQth4O0zGg4MxPjG+qqkbjAK8uBUO07nR5dpKq7IacVbU9LV
         WN5kO2HeMhTKHlIP/+VVvrwbJIMxW0nG+fvHotmrVP8uo3chC3UKBmsa5U1W7orAdyuJ
         wFjwhDwtDCWJwn38SGf19qNLm+93NBUcl3egM3kYfliqVb//B9mAzNpJStxI8l8qLrxc
         gzaABVlaXddsi9mDFsCuQo3i4qudFFkDhTVLUsPg5poOVFPGNimhSaG/aj8eE8tcuiTy
         r+chzJSdSX6BD6VWMmsp3xiOE84P9mTQmnbxKZq7wTkyMW7y+aM7ml4KRzyPOhiC4rzt
         ZmJA==
X-Gm-Message-State: AGi0Pubk5MTJ/lkhO5+4Va8wZaFy8kLjiVp/M3qASoY3tu6UtjI90WS6
        WQPsRSHsd4aSQNos6XzBcLRe7Ky7/iY=
X-Received: by 2002:ac8:7246:: with SMTP id l6mr7008518qtp.298.1586440151862;
        Thu, 09 Apr 2020 06:49:11 -0700 (PDT)
Received: from fedora.pebenito.net (pool-108-15-23-247.bltmmd.fios.verizon.net. [108.15.23.247])
        by smtp.gmail.com with ESMTPSA id l186sm10729136qke.16.2020.04.09.06.49.11
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Thu, 09 Apr 2020 06:49:11 -0700 (PDT)
Subject: Re: latest ver of trivial mail server patch
To:     Russell Coker <russell@coker.com.au>,
        "selinux-refpolicy@vger.kernel.org" 
        <selinux-refpolicy@vger.kernel.org>
References: <20200405090428.GD177560@xev>
From:   Chris PeBenito <pebenito@ieee.org>
Message-ID: <c812359b-098b-2d04-ca4b-3878c4e90f20@ieee.org>
Date:   Thu, 9 Apr 2020 09:38:54 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.6.0
MIME-Version: 1.0
In-Reply-To: <20200405090428.GD177560@xev>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 4/5/20 5:04 AM, Russell Coker wrote:
> Yes mmap is the standard way of accessing the mail spool.
> 
> Removed spamd_gpg_t because there's no point to it, the separation doesn't
> provide an actual benefit.
> 
> Made the other requested changes.
> 
> Signed-off-by: Russell Coker <russell@coker.com.au>
> 
> 
> Index: refpolicy-2.20200405/policy/modules/services/mailman.fc
> ===================================================================
> --- refpolicy-2.20200405.orig/policy/modules/services/mailman.fc
> +++ refpolicy-2.20200405/policy/modules/services/mailman.fc
> @@ -1,6 +1,7 @@
>   /etc/cron\.(daily|monthly)/mailman	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
>   
>   /etc/mailman.*	gen_context(system_u:object_r:mailman_data_t,s0)
> +/etc/mailman/postfix-to-mailman.py	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
>   
>   /usr/lib/mailman/bin/mailmanctl	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
>   /usr/lib/mailman/bin/mm-handler.*	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> Index: refpolicy-2.20200405/policy/modules/services/mailman.if
> ===================================================================
> --- refpolicy-2.20200405.orig/policy/modules/services/mailman.if
> +++ refpolicy-2.20200405/policy/modules/services/mailman.if
> @@ -319,6 +319,7 @@ interface(`mailman_read_archive',`
>   	files_search_var_lib($1)
>   	allow $1 mailman_archive_t:dir list_dir_perms;
>   	read_files_pattern($1, mailman_archive_t, mailman_archive_t)
> +	allow $1 mailman_archive_t:file map;
>   	read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t)
>   ')
>   
> Index: refpolicy-2.20200405/policy/modules/services/mailman.te
> ===================================================================
> --- refpolicy-2.20200405.orig/policy/modules/services/mailman.te
> +++ refpolicy-2.20200405/policy/modules/services/mailman.te
> @@ -182,6 +182,7 @@ corecmd_exec_bin(mailman_mail_t)
>   files_search_locks(mailman_mail_t)
>   
>   fs_rw_anon_inodefs_files(mailman_mail_t)
> +fs_search_tmpfs(mailman_mail_t)
>   
>   # this is far from ideal, but systemd reduces the importance of initrc_t
>   init_signal_script(mailman_mail_t)
> Index: refpolicy-2.20200405/policy/modules/services/mta.if
> ===================================================================
> --- refpolicy-2.20200405.orig/policy/modules/services/mta.if
> +++ refpolicy-2.20200405/policy/modules/services/mta.if
> @@ -251,6 +251,7 @@ interface(`mta_manage_mail_home_rw_conte
>   	userdom_search_user_home_dirs($1)
>   	manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
>   	manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
> +	allow $1 mail_home_rw_t:file map;
>   	manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
>   ')
>   
> @@ -867,6 +868,7 @@ interface(`mta_read_spool_files',`
>   
>   	files_search_spool($1)
>   	read_files_pattern($1, mail_spool_t, mail_spool_t)
> +	allow $1 mail_spool_t:file map;
>   ')
>   
>   ########################################
> @@ -949,6 +951,7 @@ interface(`mta_manage_spool',`
>   	files_search_spool($1)
>   	manage_dirs_pattern($1, mail_spool_t, mail_spool_t)
>   	manage_files_pattern($1, mail_spool_t, mail_spool_t)
> +	allow $1 mail_spool_t:file map;
>   	manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
>   ')
>   
> Index: refpolicy-2.20200405/policy/modules/services/spamassassin.if
> ===================================================================
> --- refpolicy-2.20200405.orig/policy/modules/services/spamassassin.if
> +++ refpolicy-2.20200405/policy/modules/services/spamassassin.if
> @@ -433,3 +433,41 @@ interface(`spamassassin_admin',`
>   	# sa-update
>   	spamassassin_run_update($1, $2)
>   ')
> +
> +########################################
> +## <summary>
> +##	reload SA service
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`spamassassin_service_reload',`
> +	gen_require(`
> +		type spamassassin_unit_t;
> +	')
> +
> +	allow $1 spamassassin_unit_t:service reload;
> +')
> +
> +########################################
> +## <summary>
> +##	Get SA service status
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`spamassassin_service_status',`
> +	gen_require(`
> +		type spamassassin_unit_t;
> +	')
> +
> +	allow $1 spamassassin_unit_t:service status;
> +')
> Index: refpolicy-2.20200405/policy/modules/services/spamassassin.te
> ===================================================================
> --- refpolicy-2.20200405.orig/policy/modules/services/spamassassin.te
> +++ refpolicy-2.20200405/policy/modules/services/spamassassin.te
> @@ -22,6 +22,7 @@ gen_tunable(spamassassin_can_network, fa
>   gen_tunable(spamd_enable_home_dirs, false)
>   
>   type spamd_update_t;
> +typealias spamd_update_t alias { spamd_gpg_t };
>   type spamd_update_exec_t;
>   init_system_domain(spamd_update_t, spamd_update_exec_t)
>   
> @@ -62,9 +63,6 @@ files_type(spamd_compiled_t)
>   type spamd_etc_t;
>   files_config_file(spamd_etc_t)
>   
> -type spamd_gpg_t;
> -domain_type(spamd_gpg_t)
> -
>   type spamd_home_t;
>   userdom_user_home_content(spamd_home_t)
>   
> @@ -199,11 +197,13 @@ corenet_all_recvfrom_unlabeled(spamc_t)
>   corenet_all_recvfrom_netlabel(spamc_t)
>   corenet_tcp_sendrecv_generic_if(spamc_t)
>   corenet_tcp_sendrecv_generic_node(spamc_t)
> +corenet_udp_bind_generic_node(spamc_t)
>   
>   corenet_sendrecv_all_client_packets(spamc_t)
>   corenet_tcp_connect_all_ports(spamc_t)
>   
>   corecmd_exec_bin(spamc_t)
> +corecmd_exec_shell(spamc_t)
>   
>   dev_read_rand(spamc_t)
>   dev_read_urand(spamc_t)
> @@ -256,6 +256,8 @@ optional_policy(`
>   
>   optional_policy(`
>   	mta_send_mail(spamc_t)
> +	mta_getattr_spool(spamc_t)
> +	mta_read_spool_files(spamc_t)
>   	mta_read_config(spamc_t)
>   	mta_read_queue(spamc_t)
>   	sendmail_rw_pipes(spamc_t)
> @@ -351,6 +353,7 @@ corenet_udp_bind_imaze_port(spamd_t)
>   
>   corenet_dontaudit_udp_bind_all_ports(spamd_t)
>   
> +corecmd_exec_shell(spamd_t)
>   corecmd_exec_bin(spamd_t)
>   
>   dev_read_sysfs(spamd_t)
> @@ -358,6 +361,7 @@ dev_read_urand(spamd_t)
>   
>   domain_use_interactive_fds(spamd_t)
>   
> +files_map_etc_files(spamd_t)
>   files_read_usr_files(spamd_t)
>   files_read_etc_runtime_files(spamd_t)
>   
> @@ -372,6 +376,7 @@ libs_use_shared_libs(spamd_t)
>   
>   logging_send_syslog_msg(spamd_t)
>   
> +miscfiles_read_generic_certs(spamd_t)
>   miscfiles_read_localization(spamd_t)
>   
>   sysnet_use_ldap(spamd_t)
> @@ -487,6 +492,8 @@ manage_dirs_pattern(spamd_update_t, spam
>   manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
>   manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
>   
> +kernel_read_crypto_sysctls(spamd_update_t)
> +kernel_search_fs_sysctls(spamd_update_t)
>   kernel_read_system_state(spamd_update_t)
>   
>   corecmd_exec_bin(spamd_update_t)
> @@ -512,6 +519,7 @@ fs_getattr_xattr_fs(spamd_update_t)
>   auth_use_nsswitch(spamd_update_t)
>   auth_dontaudit_read_shadow(spamd_update_t)
>   
> +miscfiles_read_generic_certs(spamd_update_t)
>   miscfiles_read_localization(spamd_update_t)
>   
>   userdom_use_inherited_user_terminals(spamd_update_t)
> @@ -523,35 +531,5 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> -	gpg_spec_domtrans(spamd_update_t, spamd_gpg_t)
> -	gpg_entry_type(spamd_gpg_t)
> -	role system_r types spamd_gpg_t;
> -
> -	allow spamd_gpg_t self:capability { dac_override dac_read_search };
> -	allow spamd_gpg_t self:unix_stream_socket { connect create };
> -
> -	allow spamd_gpg_t spamd_update_t:fd use;
> -	allow spamd_gpg_t spamd_update_t:process sigchld;
> -	allow spamd_gpg_t spamd_update_t:fifo_file { getattr write };
> -	allow spamd_gpg_t spamd_var_lib_t:dir rw_dir_perms;
> -	allow spamd_gpg_t spamd_var_lib_t:file manage_file_perms;
> -	allow spamd_gpg_t spamd_update_tmp_t:file read_file_perms;
> -
> -	# fips
> -	kernel_read_crypto_sysctls(spamd_gpg_t)
> -
> -	domain_use_interactive_fds(spamd_gpg_t)
> -
> -	files_read_etc_files(spamd_gpg_t)
> -	files_read_usr_files(spamd_gpg_t)
> -	files_search_var_lib(spamd_gpg_t)
> -	files_search_pids(spamd_gpg_t)
> -	files_search_tmp(spamd_gpg_t)
> -
> -	init_use_fds(spamd_gpg_t)
> -	init_rw_inherited_stream_socket(spamd_gpg_t)
> -
> -	miscfiles_read_localization(spamd_gpg_t)
> -
> -	userdom_use_inherited_user_terminals(spamd_gpg_t)
> +	gpg_exec(spamd_update_t)
>   ')
> Index: refpolicy-2.20200405/policy/modules/services/clamav.te
> ===================================================================
> --- refpolicy-2.20200405.orig/policy/modules/services/clamav.te
> +++ refpolicy-2.20200405/policy/modules/services/clamav.te
> @@ -146,6 +146,7 @@ auth_use_nsswitch(clamd_t)
>   
>   logging_send_syslog_msg(clamd_t)
>   
> +miscfiles_read_generic_certs(clamd_t)
>   miscfiles_read_localization(clamd_t)
>   
>   tunable_policy(`clamd_use_jit',`
> @@ -235,6 +236,7 @@ auth_use_nsswitch(freshclam_t)
>   
>   logging_send_syslog_msg(freshclam_t)
>   
> +miscfiles_read_generic_certs(freshclam_t)
>   miscfiles_read_localization(freshclam_t)
>   
>   tunable_policy(`clamd_use_jit',`
> Index: refpolicy-2.20200405/policy/modules/services/dkim.te
> ===================================================================
> --- refpolicy-2.20200405.orig/policy/modules/services/dkim.te
> +++ refpolicy-2.20200405/policy/modules/services/dkim.te
> @@ -44,6 +44,8 @@ files_pid_filetrans(dkim_milter_t, dkim_
>   files_read_usr_files(dkim_milter_t)
>   files_search_spool(dkim_milter_t)
>   
> +miscfiles_read_generic_certs(dkim_milter_t)
> +
>   optional_policy(`
>   	mta_read_config(dkim_milter_t)
>   ')
> Index: refpolicy-2.20200405/policy/modules/services/dovecot.te
> ===================================================================
> --- refpolicy-2.20200405.orig/policy/modules/services/dovecot.te
> +++ refpolicy-2.20200405/policy/modules/services/dovecot.te
> @@ -173,6 +173,7 @@ files_read_usr_files(dovecot_t)
>   
>   fs_getattr_all_fs(dovecot_t)
>   fs_getattr_all_dirs(dovecot_t)
> +fs_read_tmpfs_symlinks(dovecot_t)
>   fs_search_auto_mountpoints(dovecot_t)
>   fs_list_inotifyfs(dovecot_t)
>   
> @@ -269,7 +270,12 @@ selinux_get_fs_mount(dovecot_auth_t)
>   auth_domtrans_chk_passwd(dovecot_auth_t)
>   auth_use_nsswitch(dovecot_auth_t)
>   
> +fs_search_tmpfs(dovecot_auth_t)
> +fs_read_tmpfs_symlinks(dovecot_auth_t)
> +
>   init_rw_utmp(dovecot_auth_t)
> +init_rw_inherited_stream_socket(dovecot_auth_t)
> +init_use_fds(dovecot_auth_t)
>   
>   logging_send_audit_msgs(dovecot_auth_t)
>   
> Index: refpolicy-2.20200405/policy/modules/services/postfix.te
> ===================================================================
> --- refpolicy-2.20200405.orig/policy/modules/services/postfix.te
> +++ refpolicy-2.20200405/policy/modules/services/postfix.te
> @@ -336,6 +336,7 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	mysql_read_config(postfix_master_t)
>   	mysql_stream_connect(postfix_master_t)
>   ')
>   
> @@ -427,6 +428,10 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	mysql_read_config(postfix_cleanup_t)
> +')
> +
> +optional_policy(`
>   	dbus_send_system_bus(postfix_cleanup_t)
>   	dbus_system_bus_client(postfix_cleanup_t)
>   	init_dbus_chat(postfix_cleanup_t)
> @@ -648,6 +653,7 @@ mta_rw_user_mail_stream_sockets(postfix_
>   
>   optional_policy(`
>   	apache_dontaudit_rw_fifo_file(postfix_postdrop_t)
> +	apache_use_fds(postfix_postdrop_t)
>   ')
>   
>   optional_policy(`
> @@ -826,6 +832,10 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	mysql_read_config(postfix_smtpd_t)
> +')
> +
> +optional_policy(`
>   	postgrey_stream_connect(postfix_smtpd_t)
>   ')
>   

Merged, though I renamed a couple interfaces and made a trivial syntax change.

-- 
Chris PeBenito