Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp806846pxb;
        Tue, 2 Feb 2021 19:34:37 -0800 (PST)
X-Google-Smtp-Source: ABdhPJzSERxSqHcFeZXuWCtIjlPdOOb5+eszctLTXbp6kinDEqmUtIXygoTBjDOc0h584VOntK1v
X-Received: by 2002:a17:907:ea0:: with SMTP id ho32mr1116911ejc.163.1612323277120;
        Tue, 02 Feb 2021 19:34:37 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1612323277; cv=none;
        d=google.com; s=arc-20160816;
        b=ymDp5N7p7eLHgn+7X+Dd+fO5p7rrmwFly6fnnKwh4vMvkpFlyLwt0WZOWRMzzqZYCe
         iTLD3c8ZanVDiKOFmnfgAQWFmMYurnT3rb7aYJz52KlLCt4UfX6ZkY2zlH49D6+3DZYP
         aE/jRnIS5qZbThYZYo+MuLpMK1Ktg29PjH+UCxGenQuCWHhvYoPvugz7ZV8tJXlXBDTU
         0y6vSl+an7/YYntcWbytgIO9pkIQXbyuVdtUIAtMmoGcUWBGWoMpBEvDdF23ocvX3God
         UFeFjc4zoXBVjGP5uJ44zqin8qVJjPI66RdBXkwiThcrGaEwYm6d1JhndWWkuYnxNXQk
         ipuQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-disposition:mime-version:message-id
         :subject:to:from:date:dkim-signature;
        bh=MaiT35dkDr2726tiv1tHcian7GCguhWQFN2THB03Qbc=;
        b=hE09FrCotftLiyMnXhahuKiWcQ0XejNm4xG1cpqUnH+rQWOM5yM6/gPe8/iFxzyAjk
         EWplZJg0x5U8Xd8Us2VCalngsh6AgdguDrY8ssSBQL/SE68m9ZFupm/25rjiACsTWC2f
         Ueu6b58I2q5cE5XK/1gQDK/KNG0SI44sqtAdHDJHy/ciHQ65xVomptomRRLF4rxnyYyJ
         zL/pz+DqGdWsuBJO54TfDX9SiU5LxvczrcOYmqw0WVnBvXo1jgJncgisYir6uONZyjCs
         ukv+/UNv31vyQJsZ1W5mBvPdl2aysimY4MpOfpZKIdiawBHLHFRDHQPuXpVhQ/wFfhrj
         0XVA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@coker.com.au header.s=2008 header.b=OZ4oZUlz;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id mb2si472715ejb.729.2021.02.02.19.34.32;
        Tue, 02 Feb 2021 19:34:37 -0800 (PST)
Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@coker.com.au header.s=2008 header.b=OZ4oZUlz;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232568AbhBCDdA (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 16 others); Tue, 2 Feb 2021 22:33:00 -0500
Received: from smtp.sws.net.au ([46.4.88.250]:53336 "EHLO smtp.sws.net.au"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S232798AbhBCDcm (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Tue, 2 Feb 2021 22:32:42 -0500
Received: from xev.coker.com.au (localhost [127.0.0.1])
        by smtp.sws.net.au (Postfix) with ESMTP id 2DDDEF38E
        for <selinux-refpolicy@vger.kernel.org>; Wed,  3 Feb 2021 14:31:59 +1100 (AEDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au;
        s=2008; t=1612323119;
        bh=MaiT35dkDr2726tiv1tHcian7GCguhWQFN2THB03Qbc=; l=10166;
        h=Date:From:To:Subject:From;
        b=OZ4oZUlzoJTjFr4pS5HXJ2a0nfJlPZwHDjEtsw3a5+reKDMVpXPFLMLeHzAha+/vk
         FvVR8kFVXTDX921wKbkgzQz6GWEAIEuQKZxVtPeyZKVtmtERv1kOv87F+4vPrIFnrQ
         7PA6UVNccaJOMlcfLN/1GsJY9XU+0JgmdqXg377U=
Received: by xev.coker.com.au (Postfix, from userid 1001)
        id C726D1353F2D; Wed,  3 Feb 2021 14:31:54 +1100 (AEDT)
Date:   Wed, 3 Feb 2021 14:31:54 +1100
From:   Russell Coker <russell@coker.com.au>
To:     selinux-refpolicy@vger.kernel.org
Subject: [PATCH] mailman 3
Message-ID: <YBoZKrzxfKdrIoN+@xev>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Patches needed for mailman3.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20210203/policy/modules/services/mailman.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/mailman.if
+++ refpolicy-2.20210203/policy/modules/services/mailman.if
@@ -109,6 +109,64 @@ interface(`mailman_domtrans_cgi',`
 
 #######################################
 ## <summary>
+##	Talk to mailman_cgi_t via Unix domain socket
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain talking to mailman
+##	</summary>
+## </param>
+#
+interface(`mailman_connect_cgi',`
+	gen_require(`
+		type mailman_cgi_t, mailman_runtime_t;
+	')
+
+	allow $1 mailman_runtime_t:dir search;
+	allow $1 mailman_runtime_t:sock_file write;
+	allow $1 mailman_cgi_t:unix_stream_socket connectto;
+')
+
+#######################################
+## <summary>
+##	Manage mailman runtime files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to manage the files
+##	</summary>
+## </param>
+#
+interface(`mailman_manage_runtime',`
+	gen_require(`
+		type mailman_runtime_t;
+	')
+
+	allow $1 mailman_runtime_t:dir rw_dir_perms;
+	allow $1 mailman_runtime_t:file manage_file_perms;
+')
+
+#######################################
+## <summary>
+##	read mailman runtime files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to read the files
+##	</summary>
+## </param>
+#
+interface(`mailman_read_runtime',`
+	gen_require(`
+		type mailman_runtime_t;
+	')
+
+	allow $1 mailman_runtime_t:dir search_dir_perms;
+	allow $1 mailman_runtime_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
 ##	Execute mailman in the caller domain.
 ## </summary>
 ## <param name="domain">
@@ -181,6 +239,7 @@ interface(`mailman_read_data_files',`
 	files_search_spool($1)
 	list_dirs_pattern($1, mailman_data_t, mailman_data_t)
 	read_files_pattern($1, mailman_data_t, mailman_data_t)
+	allow $1 mailman_data_t:file map;
 	read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
 ')
 
@@ -342,3 +401,21 @@ interface(`mailman_domtrans_queue',`
 	libs_search_lib($1)
 	domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
 ')
+
+#######################################
+## <summary>
+##	Manage mailman lock dir
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to manage it.
+##	</summary>
+## </param>
+#
+interface(`mailman_manage_lockdir',`
+	gen_require(`
+		type mailman_lock_t;
+	')
+
+	allow $1 mailman_lock_t:dir manage_dir_perms;
+')
Index: refpolicy-2.20210203/policy/modules/services/mailman.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/mailman.te
+++ refpolicy-2.20210203/policy/modules/services/mailman.te
@@ -26,6 +26,9 @@ files_lock_file(mailman_lock_t)
 type mailman_runtime_t alias mailman_var_run_t;
 files_runtime_file(mailman_runtime_t)
 
+type mailman_cgi_tmpfs_t;
+files_tmpfs_file(mailman_cgi_tmpfs_t)
+
 mailman_domain_template(mail)
 init_daemon_domain(mailman_mail_t, mailman_mail_exec_t)
 role mailman_roles types mailman_mail_t;
@@ -89,13 +92,16 @@ miscfiles_read_localization(mailman_doma
 # CGI local policy
 #
 
-allow mailman_cgi_t self:unix_dgram_socket { create connect };
+allow mailman_cgi_t self:process { signal signull sigkill };
+allow mailman_cgi_t self:fifo_file rw_file_perms;
+allow mailman_cgi_t self:capability { dac_override setgid setuid };
+allow mailman_cgi_t self:unix_dgram_socket create_socket_perms;
 
 allow mailman_cgi_t mailman_archive_t:dir search_dir_perms;
 allow mailman_cgi_t mailman_archive_t:file read_file_perms;
 
 allow mailman_cgi_t mailman_data_t:dir rw_dir_perms;
-allow mailman_cgi_t mailman_data_t:file manage_file_perms;
+allow mailman_cgi_t mailman_data_t:file { map manage_file_perms };
 allow mailman_cgi_t mailman_data_t:lnk_file read_lnk_file_perms;
 
 allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms;
@@ -104,25 +110,40 @@ allow mailman_cgi_t mailman_lock_t:file
 allow mailman_cgi_t mailman_log_t:file { append_file_perms read_file_perms };
 allow mailman_cgi_t mailman_log_t:dir search_dir_perms;
 
+allow mailman_cgi_t mailman_runtime_t:dir rw_dir_perms;
+allow mailman_cgi_t mailman_runtime_t:file read_file_perms;
+allow mailman_cgi_t mailman_runtime_t:sock_file manage_file_perms;
+
+fs_tmpfs_filetrans(mailman_cgi_t, mailman_cgi_tmpfs_t, file)
+allow mailman_cgi_t mailman_cgi_tmpfs_t:file { map manage_file_perms };
+
 kernel_read_crypto_sysctls(mailman_cgi_t)
+kernel_read_net_sysctls(mailman_cgi_t)
 kernel_read_system_state(mailman_cgi_t)
+kernel_search_vm_sysctl(mailman_cgi_t)
 
+corecmd_bin_entry_type(mailman_cgi_t)
 corecmd_exec_bin(mailman_cgi_t)
 
+corenet_tcp_bind_generic_node(mailman_cgi_t)
+corenet_tcp_connect_all_unreserved_ports(mailman_cgi_t)
+
 dev_read_urand(mailman_cgi_t)
 
 files_search_locks(mailman_cgi_t)
 files_read_usr_files(mailman_cgi_t)
 
+init_daemon_domain(mailman_cgi_t, mailman_cgi_exec_t)
+
 term_use_controlling_term(mailman_cgi_t)
 
 libs_dontaudit_write_lib_dirs(mailman_cgi_t)
 
 logging_search_logs(mailman_cgi_t)
 
+miscfiles_read_generic_certs(mailman_cgi_t)
 miscfiles_read_localization(mailman_cgi_t)
 
-
 optional_policy(`
 	apache_sigchld(mailman_cgi_t)
 	apache_use_fds(mailman_cgi_t)
@@ -133,6 +154,15 @@ optional_policy(`
 ')
 
 optional_policy(`
+	cron_rw_inherited_tmp_files(mailman_cgi_t)
+	cron_system_entry(mailman_cgi_t, mailman_cgi_exec_t)
+')
+
+optional_policy(`
+	mysql_stream_connect(mailman_cgi_t)
+')
+
+optional_policy(`
 	postfix_read_config(mailman_cgi_t)
 ')
 
@@ -142,7 +172,9 @@ optional_policy(`
 #
 
 allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config };
-allow mailman_mail_t self:process { signal signull setsched };
+allow mailman_mail_t self:process { execmem signal signull setsched };
+allow mailman_mail_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
+allow mailman_mail_t self:fifo_file rw_file_perms;
 
 allow mailman_mail_t mailman_archive_t:dir manage_dir_perms;
 allow mailman_mail_t mailman_archive_t:file manage_file_perms;
@@ -167,8 +199,12 @@ manage_files_pattern(mailman_mail_t, mai
 manage_dirs_pattern(mailman_mail_t, mailman_runtime_t, mailman_runtime_t)
 files_runtime_filetrans(mailman_mail_t, mailman_runtime_t, { file dir })
 
+kernel_read_network_state(mailman_mail_t)
 kernel_read_system_state(mailman_mail_t)
 
+corenet_tcp_bind_all_unreserved_ports(mailman_mail_t)
+corenet_tcp_bind_generic_node(mailman_mail_t)
+corenet_tcp_connect_http_port(mailman_mail_t)
 corenet_tcp_connect_smtp_port(mailman_mail_t)
 corenet_sendrecv_spamd_client_packets(mailman_mail_t)
 corenet_sendrecv_innd_client_packets(mailman_mail_t)
@@ -193,6 +229,7 @@ libs_read_lib_files(mailman_mail_t)
 
 logging_search_logs(mailman_mail_t)
 
+miscfiles_read_generic_certs(mailman_mail_t)
 miscfiles_read_localization(mailman_mail_t)
 
 mta_use_mailserver_fds(mailman_mail_t)
@@ -200,14 +237,26 @@ mta_dontaudit_rw_delivery_tcp_sockets(ma
 mta_dontaudit_rw_queue(mailman_mail_t)
 
 optional_policy(`
+	apache_search_config(mailman_mail_t)
+')
+
+optional_policy(`
 	courier_read_spool(mailman_mail_t)
 ')
 
 optional_policy(`
 	cron_read_pipes(mailman_mail_t)
+	cron_rw_inherited_tmp_files(mailman_mail_t)
+	cron_search_spool(mailman_mail_t)
+	cron_system_entry(mailman_mail_t, mailman_mail_exec_t)
 ')
 
 optional_policy(`
+	corenet_tcp_connect_mysqld_port(mailman_mail_t)
+')
+
+optional_policy(`
+	postfix_read_config(mailman_mail_t)
 	postfix_search_spool(mailman_mail_t)
 	postfix_rw_inherited_master_pipes(mailman_mail_t)
 ')
@@ -217,8 +266,8 @@ optional_policy(`
 # Queue local policy
 #
 
-allow mailman_queue_t self:capability { setgid setuid };
-allow mailman_queue_t self:process { setsched signal_perms };
+allow mailman_queue_t self:capability { dac_override setgid setuid };
+allow mailman_queue_t self:process { setsched signal_perms sigkill };
 allow mailman_queue_t self:fifo_file rw_fifo_file_perms;
 
 allow mailman_queue_t mailman_archive_t:dir manage_dir_perms;
@@ -251,14 +300,14 @@ seutil_dontaudit_search_config(mailman_q
 
 userdom_search_user_home_dirs(mailman_queue_t)
 
-cron_rw_tmp_files(mailman_queue_t)
-
 optional_policy(`
 	apache_read_config(mailman_queue_t)
 ')
 
 optional_policy(`
+	cron_rw_tmp_files(mailman_queue_t)
 	cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
+	cron_use_fds(mailman_queue_t)
 ')
 
 optional_policy(`
Index: refpolicy-2.20210203/policy/modules/services/apache.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/apache.te
+++ refpolicy-2.20210203/policy/modules/services/apache.te
@@ -815,6 +815,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	mailman_connect_cgi(httpd_t)
 	mailman_signal_cgi(httpd_t)
 	mailman_domtrans_cgi(httpd_t)
 	mailman_read_data_files(httpd_t)
Index: refpolicy-2.20210203/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/cron.te
+++ refpolicy-2.20210203/policy/modules/services/cron.te
@@ -607,6 +607,12 @@ optional_policy(`
 ')
 
 optional_policy(`
+	mailman_domtrans_queue(system_cronjob_t)
+	# for flock
+	mailman_manage_runtime(system_cronjob_t)
+')
+
+optional_policy(`
 	mrtg_append_create_logs(system_cronjob_t)
 	mrtg_read_config(system_cronjob_t)
 ')
Index: refpolicy-2.20210203/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20210203/policy/modules/system/systemd.te
@@ -1523,6 +1523,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	mailman_manage_lockdir(systemd_tmpfiles_t)
+')
+
+optional_policy(`
 	xfs_create_tmp_dirs(systemd_tmpfiles_t)
 ')