Date: Wed, 3 Feb 2021 14:31:54 +1100
From: Russell Coker
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] mailman 3

Patches needed for mailman3.
Signed-off-by: Russell Coker Index: refpolicy-2.20210203/policy/modules/services/mailman.if =================================================================== --- refpolicy-2.20210203.orig/policy/modules/services/mailman.if +++ refpolicy-2.20210203/policy/modules/services/mailman.if @@ -109,6 +109,64 @@ interface(`mailman_domtrans_cgi',` ####################################### ## +## Talk to mailman_cgi_t via Unix domain socket +## +## +## +## Domain talking to mailman +## +## +# +interface(`mailman_connect_cgi',` + gen_require(` + type mailman_cgi_t, mailman_runtime_t; + ') + + allow $1 mailman_runtime_t:dir search; + allow $1 mailman_runtime_t:sock_file write; + allow $1 mailman_cgi_t:unix_stream_socket connectto; +') + +####################################### +## +## Manage mailman runtime files +## +## +## +## Domain to manage the files +## +## +# +interface(`mailman_manage_runtime',` + gen_require(` + type mailman_runtime_t; + ') + + allow $1 mailman_runtime_t:dir rw_dir_perms; + allow $1 mailman_runtime_t:file manage_file_perms; +') + +####################################### +## +## read mailman runtime files +## +## +## +## Domain to read the files +## +## +# +interface(`mailman_read_runtime',` + gen_require(` + type mailman_runtime_t; + ') + + allow $1 mailman_runtime_t:dir search_dir_perms; + allow $1 mailman_runtime_t:file read_file_perms; +') + +####################################### +## ## Execute mailman in the caller domain. ## ## @@ -181,6 +239,7 @@ interface(`mailman_read_data_files',` files_search_spool($1) list_dirs_pattern($1, mailman_data_t, mailman_data_t) read_files_pattern($1, mailman_data_t, mailman_data_t) + allow $1 mailman_data_t:file map; read_lnk_files_pattern($1, mailman_data_t, mailman_data_t) ') 
@@ -342,3 +401,21 @@ interface(`mailman_domtrans_queue',` libs_search_lib($1) domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t) ') + +####################################### +## +## Manage mailman lock dir +## +## +## +## Domain allowed to manage it. +## +## +# +interface(`mailman_manage_lockdir',` + gen_require(` + type mailman_lock_t; + ') + + allow $1 mailman_lock_t:dir manage_dir_perms; +') Index: refpolicy-2.20210203/policy/modules/services/mailman.te =================================================================== --- refpolicy-2.20210203.orig/policy/modules/services/mailman.te +++ refpolicy-2.20210203/policy/modules/services/mailman.te @@ -26,6 +26,9 @@ files_lock_file(mailman_lock_t) type mailman_runtime_t alias mailman_var_run_t; files_runtime_file(mailman_runtime_t) +type mailman_cgi_tmpfs_t; +files_tmpfs_file(mailman_cgi_tmpfs_t) + mailman_domain_template(mail) init_daemon_domain(mailman_mail_t, mailman_mail_exec_t) role mailman_roles types mailman_mail_t; @@ -89,13 +92,16 @@ miscfiles_read_localization(mailman_doma # CGI local policy # -allow mailman_cgi_t self:unix_dgram_socket { create connect }; +allow mailman_cgi_t self:process { signal signull sigkill }; +allow mailman_cgi_t self:fifo_file rw_file_perms; +allow mailman_cgi_t self:capability { dac_override setgid setuid }; +allow mailman_cgi_t self:unix_dgram_socket create_socket_perms; allow mailman_cgi_t mailman_archive_t:dir search_dir_perms; allow mailman_cgi_t mailman_archive_t:file read_file_perms; allow mailman_cgi_t mailman_data_t:dir rw_dir_perms; -allow mailman_cgi_t mailman_data_t:file manage_file_perms; +allow mailman_cgi_t mailman_data_t:file { map manage_file_perms }; allow mailman_cgi_t mailman_data_t:lnk_file read_lnk_file_perms; allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms; 
@@ -104,25 +110,40 @@ allow mailman_cgi_t mailman_lock_t:file allow mailman_cgi_t mailman_log_t:file { append_file_perms read_file_perms }; allow mailman_cgi_t mailman_log_t:dir search_dir_perms; +allow mailman_cgi_t mailman_runtime_t:dir rw_dir_perms; +allow mailman_cgi_t mailman_runtime_t:file read_file_perms; +allow mailman_cgi_t mailman_runtime_t:sock_file manage_file_perms; + +fs_tmpfs_filetrans(mailman_cgi_t, mailman_cgi_tmpfs_t, file) +allow mailman_cgi_t mailman_cgi_tmpfs_t:file { map manage_file_perms }; + kernel_read_crypto_sysctls(mailman_cgi_t) +kernel_read_net_sysctls(mailman_cgi_t) kernel_read_system_state(mailman_cgi_t) +kernel_search_vm_sysctl(mailman_cgi_t) +corecmd_bin_entry_type(mailman_cgi_t) corecmd_exec_bin(mailman_cgi_t) +corenet_tcp_bind_generic_node(mailman_cgi_t) +corenet_tcp_connect_all_unreserved_ports(mailman_cgi_t) + dev_read_urand(mailman_cgi_t) files_search_locks(mailman_cgi_t) files_read_usr_files(mailman_cgi_t) +init_daemon_domain(mailman_cgi_t, mailman_cgi_exec_t) + term_use_controlling_term(mailman_cgi_t) libs_dontaudit_write_lib_dirs(mailman_cgi_t) logging_search_logs(mailman_cgi_t) +miscfiles_read_generic_certs(mailman_cgi_t) miscfiles_read_localization(mailman_cgi_t) - optional_policy(` apache_sigchld(mailman_cgi_t) apache_use_fds(mailman_cgi_t) @@ -133,6 +154,15 @@ optional_policy(` ') optional_policy(` + cron_rw_inherited_tmp_files(mailman_cgi_t) + cron_system_entry(mailman_cgi_t, mailman_cgi_exec_t) +') + +optional_policy(` + mysql_stream_connect(mailman_cgi_t) +') + +optional_policy(` postfix_read_config(mailman_cgi_t) ') 
@@ -142,7 +172,9 @@ optional_policy(` # allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config }; -allow mailman_mail_t self:process { signal signull setsched }; +allow mailman_mail_t self:process { execmem signal signull setsched }; +allow mailman_mail_t self:netlink_audit_socket { nlmsg_relay create_socket_perms }; +allow mailman_mail_t self:fifo_file rw_file_perms; allow mailman_mail_t mailman_archive_t:dir manage_dir_perms; allow mailman_mail_t mailman_archive_t:file manage_file_perms; @@ -167,8 +199,12 @@ manage_files_pattern(mailman_mail_t, mai manage_dirs_pattern(mailman_mail_t, mailman_runtime_t, mailman_runtime_t) files_runtime_filetrans(mailman_mail_t, mailman_runtime_t, { file dir }) +kernel_read_network_state(mailman_mail_t) kernel_read_system_state(mailman_mail_t) +corenet_tcp_bind_all_unreserved_ports(mailman_mail_t) +corenet_tcp_bind_generic_node(mailman_mail_t) +corenet_tcp_connect_http_port(mailman_mail_t) corenet_tcp_connect_smtp_port(mailman_mail_t) corenet_sendrecv_spamd_client_packets(mailman_mail_t) corenet_sendrecv_innd_client_packets(mailman_mail_t) @@ -193,6 +229,7 @@ libs_read_lib_files(mailman_mail_t) logging_search_logs(mailman_mail_t) +miscfiles_read_generic_certs(mailman_mail_t) miscfiles_read_localization(mailman_mail_t) mta_use_mailserver_fds(mailman_mail_t) @@ -200,14 +237,26 @@ mta_dontaudit_rw_delivery_tcp_sockets(ma mta_dontaudit_rw_queue(mailman_mail_t) optional_policy(` + apache_search_config(mailman_mail_t) +') + +optional_policy(` courier_read_spool(mailman_mail_t) ') optional_policy(` cron_read_pipes(mailman_mail_t) + cron_rw_inherited_tmp_files(mailman_mail_t) + cron_search_spool(mailman_mail_t) + cron_system_entry(mailman_mail_t, mailman_mail_exec_t) ') optional_policy(` + corenet_tcp_connect_mysqld_port(mailman_mail_t) +') + +optional_policy(` + postfix_read_config(mailman_mail_t) postfix_search_spool(mailman_mail_t) postfix_rw_inherited_master_pipes(mailman_mail_t) ') 
@@ -217,8 +266,8 @@ optional_policy(` # Queue local policy # -allow mailman_queue_t self:capability { setgid setuid }; -allow mailman_queue_t self:process { setsched signal_perms }; +allow mailman_queue_t self:capability { dac_override setgid setuid }; +allow mailman_queue_t self:process { setsched signal_perms sigkill }; allow mailman_queue_t self:fifo_file rw_fifo_file_perms; allow mailman_queue_t mailman_archive_t:dir manage_dir_perms; @@ -251,14 +300,14 @@ seutil_dontaudit_search_config(mailman_q userdom_search_user_home_dirs(mailman_queue_t) -cron_rw_tmp_files(mailman_queue_t) - optional_policy(` apache_read_config(mailman_queue_t) ') optional_policy(` + cron_rw_tmp_files(mailman_queue_t) cron_system_entry(mailman_queue_t, mailman_queue_exec_t) + cron_use_fds(mailman_queue_t) ') optional_policy(` Index: refpolicy-2.20210203/policy/modules/services/apache.te =================================================================== --- refpolicy-2.20210203.orig/policy/modules/services/apache.te +++ refpolicy-2.20210203/policy/modules/services/apache.te @@ -815,6 +815,7 @@ optional_policy(` ') optional_policy(` + mailman_connect_cgi(httpd_t) mailman_signal_cgi(httpd_t) mailman_domtrans_cgi(httpd_t) mailman_read_data_files(httpd_t) Index: refpolicy-2.20210203/policy/modules/services/cron.te =================================================================== --- refpolicy-2.20210203.orig/policy/modules/services/cron.te +++ refpolicy-2.20210203/policy/modules/services/cron.te 
@@ -607,6 +607,12 @@ optional_policy(` ') optional_policy(` + mailman_domtrans_queue(system_cronjob_t) + # for flock + mailman_manage_runtime(system_cronjob_t) +') + +optional_policy(` mrtg_append_create_logs(system_cronjob_t) mrtg_read_config(system_cronjob_t) ') Index: refpolicy-2.20210203/policy/modules/system/systemd.te =================================================================== --- refpolicy-2.20210203.orig/policy/modules/system/systemd.te +++ refpolicy-2.20210203/policy/modules/system/systemd.te @@ -1523,6 +1523,10 @@ optional_policy(` ') optional_policy(` + mailman_manage_lockdir(systemd_tmpfiles_t) +') + +optional_policy(` xfs_create_tmp_dirs(systemd_tmpfiles_t) ')
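Review bot: in the mailman.if hunk at @@ -109,6 +109,64 @@ the three new interfaces spell out raw allow rules where refpolicy's pattern macros already exist, and none of them lets the caller search the parent runtime directory. `mailman_connect_cgi` can be written as `files_search_runtime($1)` followed by `stream_connect_pattern($1, mailman_runtime_t, mailman_runtime_t, mailman_cgi_t)`, which also replaces the bare `dir search` with `search_dir_perms`; `mailman_manage_runtime` and `mailman_read_runtime` map onto `manage_files_pattern($1, mailman_runtime_t, mailman_runtime_t)` and `read_files_pattern($1, mailman_runtime_t, mailman_runtime_t)`, each preceded by `files_search_runtime($1)`. `mailman_read_runtime` is also not called anywhere in this patch; if it is there for a later change, say so in the commit message, otherwise drop it.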
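Review bot: the added `allow $1 mailman_data_t:file map;` in `mailman_read_data_files` (hunk @@ -181,6 +239,7 @@) widens every existing caller of that interface, not only the domain that needs to mmap the data files. If only one domain needs it, a separate interface (for example a `mailman_mmap_read_data_files` built on `mmap_read_files_pattern($1, mailman_data_t, mailman_data_t)`) keeps the existing read interface unchanged; either way the commit message should name which component maps mailman_data_t files.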
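Review bot: `mailman_manage_lockdir` in the hunk at @@ -342,3 +401,21 @@ grants `mailman_lock_t:dir manage_dir_perms` but nothing to search the parent lock directory, so a caller without `files_search_locks()` of its own is still denied on the path walk; add `files_search_locks($1)` and use `manage_dirs_pattern($1, mailman_lock_t, mailman_lock_t)` per refpolicy style. The summary text should also say that this is the directory only and that the lock files inside it are not covered, since the interface name could be read either way.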
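Review bot: the CGI hunk at @@ -89,13 +92,16 @@ adds `dac_override` to mailman_cgi_t without saying which access fails without it; dac_override is the capability most often granted by mistake (usually a file owned by the wrong user, or a case where `dac_read_search` would do), so the commit message should name the denial, or the ownership should be fixed in packaging instead. Taken together with `init_daemon_domain(mailman_cgi_t, mailman_cgi_exec_t)`, `cron_system_entry(mailman_cgi_t, mailman_cgi_exec_t)` and `mailman_connect_cgi(httpd_t)` elsewhere in this patch, the block still headed `# CGI local policy` now describes an init-started socket server, a cron job entrypoint and an apache CGI at once; a comment above the block stating which mailman 3 component runs in this domain, and whether the apache domtrans path is still used, would help the next reader.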
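Review bot: in the hunk at @@ -104,25 +110,40 @@, `corenet_tcp_bind_generic_node(mailman_cgi_t)` is added with no matching `corenet_tcp_bind_*_port()` call, so either the node bind is unnecessary or the port bind is missing; `corenet_tcp_connect_all_unreserved_ports(mailman_cgi_t)` is likewise broad for what appears to be one local service, and a dedicated port type declared in corenetwork.te.in would let the rule name the actual service. `corecmd_bin_entry_type(mailman_cgi_t)` additionally makes any bin_t executable an entrypoint for the domain alongside mailman_cgi_exec_t; if the daemon is launched through a wrapper under /usr/bin, labelling that wrapper mailman_cgi_exec_t in mailman.fc is the tighter fix. The `-` line that drops the blank line before `optional_policy(` is an unrelated whitespace change.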
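Review bot: in the mailman_mail_t hunk at @@ -142,7 +172,9 @@, `execmem` is a significant weakening (writable and executable anonymous memory for the whole domain) and the commit message does not say which library needs it; if it comes from a specific Python extension, name it and consider whether it can be avoided or tied to a tunable. The raw `allow mailman_mail_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };` should be `logging_send_audit_msgs(mailman_mail_t)`, which also grants the `audit_write` capability that sending audit user messages requires and that is absent from the `self:capability` line just above; as written the socket is allowed but the send would still fail the audit_write check.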
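Review bot: `corenet_tcp_bind_all_unreserved_ports(mailman_mail_t)` in the hunk at @@ -167,8 +199,12 @@ lets the mail domain listen on any port above 1023, far wider than the fixed ports a daemon listens on; declaring port types for the mailman listeners in corenetwork.te.in and binding only those (with the `corenet_tcp_bind_generic_node` already added here) is the usual refpolicy approach. `corenet_tcp_connect_http_port(mailman_mail_t)` next to it suggests the domain talks to a local web service; if that is the same service the CGI domain reaches over its unix socket, say so in the commit message so the two rules can be read together.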
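Review bot: in the hunk at @@ -200,14 +237,26 @@ the block wrapping `corenet_tcp_connect_mysqld_port(mailman_mail_t)` in `optional_policy()` is ineffective, because corenet interfaces come from the always-present kernel layer and the block is never dropped; either call it unconditionally or, better, use the mysql module's `mysql_tcp_connect(mailman_mail_t)` inside the `optional_policy()` block, which is the interface refpolicy provides for this and matches the conditional intent. The same hunk's `cron_system_entry(mailman_mail_t, mailman_mail_exec_t)` makes the mail daemon binary a cron entrypoint as well as an init daemon; a short comment on which cron job runs it would help.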
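Review bot: the queue hunk at @@ -217,8 +266,8 @@ adds `dac_override` to mailman_queue_t with no explanation; as with the CGI domain, the denial that motivates it should be named in the commit message and, if it is a file-ownership mismatch between the mailman and web users, fixed in packaging rather than in policy. `sigkill` in `{ setsched signal_perms sigkill }` is redundant, since `signal_perms` already includes sigkill.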
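Review bot: moving `cron_rw_tmp_files(mailman_queue_t)` into the cron `optional_policy()` block in the hunk at @@ -251,14 +300,14 @@ is a correct fix (the call depends on the cron module) but is independent of mailman 3 support and would be easier to review and backport as its own patch.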
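Review bot: `mailman_domtrans_queue(system_cronjob_t)` in the cron.te hunk duplicates the transition already granted by `cron_system_entry(mailman_queue_t, mailman_queue_exec_t)` in mailman.te (visible as context in the queue hunk), since cron_system_entry performs the domtrans from system_cronjob_t itself; keep one of the two, and refpolicy convention keeps it in mailman.te. The `# for flock` comment beside `mailman_manage_runtime(system_cronjob_t)` describes a narrower need than the interface grants: `lock` is part of `read_file_perms`, so the otherwise unused `mailman_read_runtime` from this same patch would cover flock on an existing file, and manage (create, unlink, write) is only warranted if the cron job creates the lock file, which the comment should state.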