From: Dominick Grift
To: Russell Coker
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] mailman 3
Date: Wed, 03 Feb 2021 18:40:43 +0100
In-Reply-To: (Russell Coker's message of "Wed, 3 Feb 2021 14:31:54 +1100")
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Russell Coker writes:

> Patches needed for mailman3.
> > Signed-off-by: Russell Coker > > Index: refpolicy-2.20210203/policy/modules/services/mailman.if > =================================================================== > --- refpolicy-2.20210203.orig/policy/modules/services/mailman.if > +++ refpolicy-2.20210203/policy/modules/services/mailman.if 
> @@ -109,6 +109,64 @@ interface(`mailman_domtrans_cgi',` > > ####################################### > ## > +## Talk to mailman_cgi_t via Unix domain socket > +## > +## > +## > +## Domain talking to mailman > +## > +## > +# > +interface(`mailman_connect_cgi',` probably: mailman_stream_connect_cgi > + gen_require(` > + type mailman_cgi_t, mailman_runtime_t; > + ') > + > + allow $1 mailman_runtime_t:dir search; > + allow $1 mailman_runtime_t:sock_file write; > + allow $1 mailman_cgi_t:unix_stream_socket connectto; files_search_runtime($1) stream_connect_pattern($1, mailman_runtime_t, mailman_runtime_t, mailman_cgi_t) > +') > + > +####################################### > +## > +## Manage mailman runtime files > +## > +## > +## > +## Domain to manage the files > +## > +## > +# > +interface(`mailman_manage_runtime',` probably mailman_manage_runtime_files > + gen_require(` > + type mailman_runtime_t; > + ') > + > + allow $1 mailman_runtime_t:dir rw_dir_perms; > + allow $1 mailman_runtime_t:file manage_file_perms; files_search_runtime($1) manage_files_pattern($1, mailman_runtime_t, mailman_runtime_t) > +') > + > +####################################### > +## > +## read mailman runtime files > +## > +## > +## > +## Domain to read the files > +## > +## > +# > +interface(`mailman_read_runtime',` probably mailman_read_runtime_files > + gen_require(` > + type mailman_runtime_t; > + ') > + > + allow $1 mailman_runtime_t:dir search_dir_perms; > + allow $1 mailman_runtime_t:file read_file_perms; files_search_runtime($1) read_files_pattern($1, mailman_runtime_t, mailman_runtime_t)) > +') > + > +####################################### > +## > ## Execute mailman in the caller domain. > ## > ## 
> @@ -181,6 +239,7 @@ interface(`mailman_read_data_files',` > files_search_spool($1) > list_dirs_pattern($1, mailman_data_t, mailman_data_t) > read_files_pattern($1, mailman_data_t, mailman_data_t) > + allow $1 mailman_data_t:file map; maybe a seperate mailman_map_data_files > read_lnk_files_pattern($1, mailman_data_t, mailman_data_t) > ') > > @@ -342,3 +401,21 @@ interface(`mailman_domtrans_queue',` > libs_search_lib($1) > domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t) > ') > + > +####################################### > +## > +## Manage mailman lock dir > +## > +## > +## > +## Domain allowed to manage it. > +## > +## > +# > +interface(`mailman_manage_lockdir',` > + gen_require(` > + type mailman_lock_t; > + ') > + > + allow $1 mailman_lock_t:dir manage_dir_perms; > +') > Index: refpolicy-2.20210203/policy/modules/services/mailman.te > =================================================================== > --- refpolicy-2.20210203.orig/policy/modules/services/mailman.te > +++ refpolicy-2.20210203/policy/modules/services/mailman.te > @@ -26,6 +26,9 @@ files_lock_file(mailman_lock_t) > type mailman_runtime_t alias mailman_var_run_t; > files_runtime_file(mailman_runtime_t) > > +type mailman_cgi_tmpfs_t; > +files_tmpfs_file(mailman_cgi_tmpfs_t) > + > mailman_domain_template(mail) > init_daemon_domain(mailman_mail_t, mailman_mail_exec_t) > role mailman_roles types mailman_mail_t; 
> @@ -89,13 +92,16 @@ miscfiles_read_localization(mailman_doma > # CGI local policy > # > > -allow mailman_cgi_t self:unix_dgram_socket { create connect }; > +allow mailman_cgi_t self:process { signal signull sigkill }; > +allow mailman_cgi_t self:fifo_file rw_file_perms; rw_fifo_file_perms > +allow mailman_cgi_t self:capability { dac_override setgid setuid }; > +allow mailman_cgi_t self:unix_dgram_socket create_socket_perms; > > allow mailman_cgi_t mailman_archive_t:dir search_dir_perms; > allow mailman_cgi_t mailman_archive_t:file read_file_perms; > > allow mailman_cgi_t mailman_data_t:dir rw_dir_perms; > -allow mailman_cgi_t mailman_data_t:file manage_file_perms; > +allow mailman_cgi_t mailman_data_t:file { map manage_file_perms }; > allow mailman_cgi_t mailman_data_t:lnk_file read_lnk_file_perms; > > allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms; 
> @@ -104,25 +110,40 @@ allow mailman_cgi_t mailman_lock_t:file > allow mailman_cgi_t mailman_log_t:file { append_file_perms read_file_perms }; > allow mailman_cgi_t mailman_log_t:dir search_dir_perms; > > +allow mailman_cgi_t mailman_runtime_t:dir rw_dir_perms; > +allow mailman_cgi_t mailman_runtime_t:file read_file_perms; > +allow mailman_cgi_t mailman_runtime_t:sock_file manage_file_perms; > + > +fs_tmpfs_filetrans(mailman_cgi_t, mailman_cgi_tmpfs_t, file) > +allow mailman_cgi_t mailman_cgi_tmpfs_t:file { map manage_file_perms }; > + > kernel_read_crypto_sysctls(mailman_cgi_t) > +kernel_read_net_sysctls(mailman_cgi_t) > kernel_read_system_state(mailman_cgi_t) > +kernel_search_vm_sysctl(mailman_cgi_t) > > +corecmd_bin_entry_type(mailman_cgi_t) why is this needed? > corecmd_exec_bin(mailman_cgi_t) > > +corenet_tcp_bind_generic_node(mailman_cgi_t) > +corenet_tcp_connect_all_unreserved_ports(mailman_cgi_t) > + > dev_read_urand(mailman_cgi_t) > > files_search_locks(mailman_cgi_t) > files_read_usr_files(mailman_cgi_t) > > +init_daemon_domain(mailman_cgi_t, mailman_cgi_exec_t) style issue, needs to go up > + > term_use_controlling_term(mailman_cgi_t) > > libs_dontaudit_write_lib_dirs(mailman_cgi_t) > > logging_search_logs(mailman_cgi_t) > > +miscfiles_read_generic_certs(mailman_cgi_t) > miscfiles_read_localization(mailman_cgi_t) > > - > optional_policy(` > apache_sigchld(mailman_cgi_t) > apache_use_fds(mailman_cgi_t) > @@ -133,6 +154,15 @@ optional_policy(` > ') > > optional_policy(` > + cron_rw_inherited_tmp_files(mailman_cgi_t) > + cron_system_entry(mailman_cgi_t, mailman_cgi_exec_t) > +') > + > +optional_policy(` > + mysql_stream_connect(mailman_cgi_t) > +') > + > +optional_policy(` > postfix_read_config(mailman_cgi_t) > ') 
> > @@ -142,7 +172,9 @@ optional_policy(` > # > > allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config }; > -allow mailman_mail_t self:process { signal signull setsched }; > +allow mailman_mail_t self:process { execmem signal signull setsched }; > +allow mailman_mail_t self:netlink_audit_socket { nlmsg_relay create_socket_perms }; > +allow mailman_mail_t self:fifo_file rw_file_perms; > > allow mailman_mail_t mailman_archive_t:dir manage_dir_perms; > allow mailman_mail_t mailman_archive_t:file manage_file_perms; > @@ -167,8 +199,12 @@ manage_files_pattern(mailman_mail_t, mai > manage_dirs_pattern(mailman_mail_t, mailman_runtime_t, mailman_runtime_t) > files_runtime_filetrans(mailman_mail_t, mailman_runtime_t, { file dir }) > > +kernel_read_network_state(mailman_mail_t) > kernel_read_system_state(mailman_mail_t) > > +corenet_tcp_bind_all_unreserved_ports(mailman_mail_t) > +corenet_tcp_bind_generic_node(mailman_mail_t) > +corenet_tcp_connect_http_port(mailman_mail_t) > corenet_tcp_connect_smtp_port(mailman_mail_t) > corenet_sendrecv_spamd_client_packets(mailman_mail_t) > corenet_sendrecv_innd_client_packets(mailman_mail_t) > @@ -193,6 +229,7 @@ libs_read_lib_files(mailman_mail_t) > > logging_search_logs(mailman_mail_t) > > +miscfiles_read_generic_certs(mailman_mail_t) > miscfiles_read_localization(mailman_mail_t) > > mta_use_mailserver_fds(mailman_mail_t) 
> @@ -200,14 +237,26 @@ mta_dontaudit_rw_delivery_tcp_sockets(ma > mta_dontaudit_rw_queue(mailman_mail_t) > > optional_policy(` > + apache_search_config(mailman_mail_t) > +') > + > +optional_policy(` > courier_read_spool(mailman_mail_t) > ') > > optional_policy(` > cron_read_pipes(mailman_mail_t) > + cron_rw_inherited_tmp_files(mailman_mail_t) > + cron_search_spool(mailman_mail_t) > + cron_system_entry(mailman_mail_t, mailman_mail_exec_t) > ') > > optional_policy(` > + corenet_tcp_connect_mysqld_port(mailman_mail_t) > +') > + > +optional_policy(` > + postfix_read_config(mailman_mail_t) > postfix_search_spool(mailman_mail_t) > postfix_rw_inherited_master_pipes(mailman_mail_t) > ') > @@ -217,8 +266,8 @@ optional_policy(` > # Queue local policy > # > > -allow mailman_queue_t self:capability { setgid setuid }; > -allow mailman_queue_t self:process { setsched signal_perms }; > +allow mailman_queue_t self:capability { dac_override setgid setuid }; > +allow mailman_queue_t self:process { setsched signal_perms sigkill }; is sigkill not implied with signal_perms? > allow mailman_queue_t self:fifo_file rw_fifo_file_perms; > > allow mailman_queue_t mailman_archive_t:dir manage_dir_perms; > @@ -251,14 +300,14 @@ seutil_dontaudit_search_config(mailman_q > > userdom_search_user_home_dirs(mailman_queue_t) > > -cron_rw_tmp_files(mailman_queue_t) > - > optional_policy(` > apache_read_config(mailman_queue_t) > ') > > optional_policy(` > + cron_rw_tmp_files(mailman_queue_t) > cron_system_entry(mailman_queue_t, mailman_queue_exec_t) > + cron_use_fds(mailman_queue_t) > ') > > optional_policy(` > Index: refpolicy-2.20210203/policy/modules/services/apache.te > =================================================================== > --- refpolicy-2.20210203.orig/policy/modules/services/apache.te > +++ refpolicy-2.20210203/policy/modules/services/apache.te 
> @@ -815,6 +815,7 @@ optional_policy(` > ') > > optional_policy(` > + mailman_connect_cgi(httpd_t) > mailman_signal_cgi(httpd_t) > mailman_domtrans_cgi(httpd_t) > mailman_read_data_files(httpd_t) > Index: refpolicy-2.20210203/policy/modules/services/cron.te > =================================================================== > --- refpolicy-2.20210203.orig/policy/modules/services/cron.te > +++ refpolicy-2.20210203/policy/modules/services/cron.te > @@ -607,6 +607,12 @@ optional_policy(` > ') > > optional_policy(` > + mailman_domtrans_queue(system_cronjob_t) > + # for flock > + mailman_manage_runtime(system_cronjob_t) > +') > + > +optional_policy(` > mrtg_append_create_logs(system_cronjob_t) > mrtg_read_config(system_cronjob_t) > ') > Index: refpolicy-2.20210203/policy/modules/system/systemd.te > =================================================================== > --- refpolicy-2.20210203.orig/policy/modules/system/systemd.te > +++ refpolicy-2.20210203/policy/modules/system/systemd.te > @@ -1523,6 +1523,10 @@ optional_policy(` > ') > > optional_policy(` > + mailman_manage_lockdir(systemd_tmpfiles_t) > +') > + > +optional_policy(` > xfs_create_tmp_dirs(systemd_tmpfiles_t) > ') > > -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift
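Review bot: `mailman_connect_cgi` in the mailman.if hunk at `@@ -109,6 +109,64 @@` hand-codes `dir search`, `sock_file write` and `unix_stream_socket connectto` but never grants search on the parent of the runtime directory, so a caller that does not already have `files_search_runtime` is denied before it ever reaches the socket. The refpolicy idiom is `files_search_runtime($1)` followed by `stream_connect_pattern($1, mailman_runtime_t, mailman_runtime_t, mailman_cgi_t)`, and the name should carry the standard `_stream_connect_` form. The two interfaces after it, `mailman_manage_runtime` and `mailman_read_runtime`, have the same gap: use `files_search_runtime($1)` plus `manage_files_pattern`/`read_files_pattern` instead of raw allow rules, and name them with the `_files` suffix so they read like the rest of the module.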
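Review bot: Adding `allow $1 mailman_data_t:file map;` to `mailman_read_data_files` in the hunk at `@@ -181,6 +239,7 @@` silently widens every existing caller of that interface (the apache.te hunk calls it for `httpd_t`) to mmap mailman data files. Keep the read interface as it was and add a `mailman_map_data_files` interface, called only from the domain that actually produced the `map` denial. In the same hunk, `mailman_manage_lockdir` grants `mailman_lock_t:dir manage_dir_perms` without `files_search_locks($1)`, so its only caller (`systemd_tmpfiles_t` in the systemd.te hunk) depends on already being able to reach the lock directory by other means; add the search call and name it `mailman_manage_lock_dirs` to match the `_dirs` convention.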
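Review bot: `dac_override` is being added to `mailman_cgi_t` in the CGI hunk at `@@ -89,13 +92,16 @@`, and to `mailman_queue_t` in `@@ -217,8 +266,8 @@`, without any indication of which file it was needed for. That capability bypasses file-mode checks on every file the domain can otherwise reach, and in practice it almost always points at a file or directory owned by the wrong user (for Mailman, something created as root and later read as the service user) rather than at a policy gap. Please attach the denials that motivated both additions; if each is a single path, fix the ownership in packaging or a tmpfiles rule instead of granting the capability.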
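Review bot: `corenet_tcp_connect_all_unreserved_ports(mailman_cgi_t)` in the hunk at `@@ -104,25 +110,40 @@` lets the web front end open a TCP connection to any port above 1023 on any host, far wider than the one or two local services it has to talk to; take the destination port from the denial and use the matching `corenet_tcp_connect_<name>_port` interface (or declare a port type for it) so the permitted egress is recorded in policy. `mailman_runtime_t:sock_file manage_file_perms` should be `manage_sock_file_perms`. The hunk also gives `mailman_cgi_t` three separate entry points (`init_daemon_domain`, `cron_system_entry`, and the existing apache domtrans), which suggests the domain is no longer a CGI; at minimum the `init_daemon_domain(mailman_cgi_t, mailman_cgi_exec_t)` call belongs in the declarations block next to `init_daemon_domain(mailman_mail_t, mailman_mail_exec_t)`, not in the middle of the local policy.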
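Review bot: The mail-domain hunk at `@@ -142,7 +172,9 @@` adds `execmem` to `mailman_mail_t self:process`, which allows anonymous writable-and-executable memory and removes the W^X guarantee for a network-facing daemon; this needs the AVC that triggered it and a check of which library is responsible, since a boolean or a fix to that library is preferable to an unconditional grant. The raw `self:netlink_audit_socket { nlmsg_relay create_socket_perms }` rule should be replaced by `logging_send_audit_msgs(mailman_mail_t)`, which is the refpolicy interface for exactly that and also grants the `audit_write` capability that `nlmsg_relay` needs; as written, the socket is created but the audit message itself is still denied. `self:fifo_file rw_file_perms` should be `rw_fifo_file_perms`, and `corenet_tcp_bind_all_unreserved_ports(mailman_mail_t)` in `@@ -167,8 +199,12 @@` should bind a named port type rather than the whole unreserved range.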
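Review bot: `corenet_tcp_connect_mysqld_port(mailman_mail_t)` in the hunk at `@@ -200,14 +237,26 @@` is wrapped in `optional_policy()`, but `corenet` is part of the base kernel layer and is never optional, so the wrapper is a no-op that implies a dependency on the mysql module which the call does not actually express. Either move the call out of `optional_policy`, or, if the intent is to depend on mysql, call `mysql_tcp_connect(mailman_mail_t)` inside the block. In the queue hunk at `@@ -217,8 +266,8 @@`, `sigkill` is already a member of `signal_perms` (`{ sigchld sigkill sigstop signull signal }`), so the added permission is redundant and can be dropped.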
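Review bot: `mailman_manage_runtime(system_cronjob_t)` in the cron.te hunk, commented "for flock", hands the system cron domain create, rename and unlink on every mailman runtime file in order to obtain a single `lock` permission; an interface built on `rw_files_pattern` (its `rw_file_perms` already includes `lock`) matches the stated need without the extra write access. The apache.te call `mailman_connect_cgi(httpd_t)` has to be renamed in the same patch if the interface in mailman.if is renamed, otherwise the apache module fails to build.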