Date: Sat, 19 Feb 2022 21:34:41 +1100
From: Russell Coker
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] mailman3 V2.1

Same as the previous but also allow web server to map mailman data files.

Signed-off-by: Russell Coker

Index: refpolicy-2.20220219/policy/modules/services/mailman.if =================================================================== --- refpolicy-2.20220219.orig/policy/modules/services/mailman.if +++ refpolicy-2.20220219/policy/modules/services/mailman.if @@ -109,6 +109,44 @@ interface(`mailman_domtrans_cgi',` ####################################### ## +## Talk to mailman_cgi_t via Unix domain socket +## +## +## +## Domain talking to mailman +## +## +# +interface(`mailman_stream_connect_cgi',` + gen_require(` + type mailman_cgi_t, mailman_runtime_t; + ') + + files_search_runtime($1) + stream_connect_pattern($1, mailman_runtime_t, mailman_runtime_t, mailman_cgi_t) +') + +####################################### +## +## Manage mailman runtime files +## +## +## +## Domain to manage the files +## +## +# +interface(`mailman_manage_runtime_files',` + gen_require(` + type mailman_runtime_t; + ') + + files_search_runtime($1) + manage_files_pattern($1, mailman_runtime_t, mailman_runtime_t) +') + +####################################### +## ## Execute mailman in the caller domain. ## ## 
@@ -186,6 +224,24 @@ interface(`mailman_read_data_files',` ####################################### ## +## map mailman data content. +## +## +## +## Domain allowed access. +## +## +# +interface(`mailman_map_data_files',` + gen_require(` + type mailman_data_t; + ') + + allow $1 mailman_data_t:file map; +') + +####################################### +## ## Create, read, write, and delete ## mailman data files. ## @@ -342,3 +398,21 @@ interface(`mailman_domtrans_queue',` libs_search_lib($1) domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t) ') + +####################################### +## +## Manage mailman lock dir +## +## +## +## Domain allowed to manage it. +## +## +# +interface(`mailman_manage_lockdir',` + gen_require(` + type mailman_lock_t; + ') + + allow $1 mailman_lock_t:dir manage_dir_perms; +') Index: refpolicy-2.20220219/policy/modules/services/mailman.te =================================================================== --- refpolicy-2.20220219.orig/policy/modules/services/mailman.te +++ refpolicy-2.20220219/policy/modules/services/mailman.te @@ -10,6 +10,7 @@ attribute mailman_domain; attribute_role mailman_roles; mailman_domain_template(cgi) +init_daemon_domain(mailman_cgi_t, mailman_cgi_exec_t) type mailman_data_t; files_type(mailman_data_t) @@ -26,11 +27,18 @@ files_lock_file(mailman_lock_t) type mailman_runtime_t alias mailman_var_run_t; files_runtime_file(mailman_runtime_t) +type mailman_cgi_tmpfs_t; +files_tmpfs_file(mailman_cgi_tmpfs_t) + +type mailman_queue_tmpfs_t; +files_tmpfs_file(mailman_queue_tmpfs_t) + mailman_domain_template(mail) init_daemon_domain(mailman_mail_t, mailman_mail_exec_t) role mailman_roles types mailman_mail_t; mailman_domain_template(queue) +init_daemon_domain(mailman_queue_t, mailman_queue_exec_t) ######################################## # 
@@ -89,13 +97,16 @@ miscfiles_read_localization(mailman_doma # CGI local policy # -allow mailman_cgi_t self:unix_dgram_socket { create connect }; +allow mailman_cgi_t self:process { signal signull sigkill }; +allow mailman_cgi_t self:fifo_file rw_fifo_file_perms; +allow mailman_cgi_t self:capability { dac_override setgid setuid }; +allow mailman_cgi_t self:unix_dgram_socket create_socket_perms; allow mailman_cgi_t mailman_archive_t:dir search_dir_perms; allow mailman_cgi_t mailman_archive_t:file read_file_perms; allow mailman_cgi_t mailman_data_t:dir rw_dir_perms; -allow mailman_cgi_t mailman_data_t:file manage_file_perms; +allow mailman_cgi_t mailman_data_t:file { map manage_file_perms }; allow mailman_cgi_t mailman_data_t:lnk_file read_lnk_file_perms; allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms; @@ -104,11 +115,27 @@ allow mailman_cgi_t mailman_lock_t:file allow mailman_cgi_t mailman_log_t:file { append_file_perms read_file_perms }; allow mailman_cgi_t mailman_log_t:dir search_dir_perms; +allow mailman_cgi_t mailman_runtime_t:dir rw_dir_perms; +allow mailman_cgi_t mailman_runtime_t:file read_file_perms; +allow mailman_cgi_t mailman_runtime_t:sock_file manage_file_perms; + +fs_tmpfs_filetrans(mailman_cgi_t, mailman_cgi_tmpfs_t, file) +allow mailman_cgi_t mailman_cgi_tmpfs_t:file { map manage_file_perms }; + kernel_read_crypto_sysctls(mailman_cgi_t) +kernel_read_net_sysctls(mailman_cgi_t) kernel_read_system_state(mailman_cgi_t) +kernel_read_vm_overcommit_sysctl(mailman_cgi_t) +# need SELinuxContext=system_u:system_r:mailman_cgi_t:s0 in the systemd +# service file for the correct context on running /usr/bin/uwsgi for +# mailman3-web +corecmd_bin_entry_type(mailman_cgi_t) corecmd_exec_bin(mailman_cgi_t) +corenet_tcp_bind_generic_node(mailman_cgi_t) +corenet_tcp_connect_all_unreserved_ports(mailman_cgi_t) + dev_read_urand(mailman_cgi_t) files_search_locks(mailman_cgi_t) 
@@ -120,9 +147,9 @@ libs_dontaudit_write_lib_dirs(mailman_cg logging_search_logs(mailman_cgi_t) +miscfiles_read_generic_certs(mailman_cgi_t) miscfiles_read_localization(mailman_cgi_t) - optional_policy(` apache_sigchld(mailman_cgi_t) apache_use_fds(mailman_cgi_t) @@ -133,6 +160,15 @@ optional_policy(` ') optional_policy(` + cron_rw_inherited_tmp_files(mailman_cgi_t) + cron_system_entry(mailman_cgi_t, mailman_cgi_exec_t) +') + +optional_policy(` + mysql_stream_connect(mailman_cgi_t) +') + +optional_policy(` postfix_read_config(mailman_cgi_t) ') @@ -142,7 +178,9 @@ optional_policy(` # allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config }; -allow mailman_mail_t self:process { signal signull setsched }; +allow mailman_mail_t self:process { execmem signal signull setsched }; +allow mailman_mail_t self:netlink_audit_socket { nlmsg_relay create_socket_perms }; +allow mailman_mail_t self:fifo_file rw_file_perms; allow mailman_mail_t mailman_archive_t:dir manage_dir_perms; allow mailman_mail_t mailman_archive_t:file manage_file_perms; @@ -167,8 +205,12 @@ manage_files_pattern(mailman_mail_t, mai manage_dirs_pattern(mailman_mail_t, mailman_runtime_t, mailman_runtime_t) files_runtime_filetrans(mailman_mail_t, mailman_runtime_t, { file dir }) +kernel_read_network_state(mailman_mail_t) kernel_read_system_state(mailman_mail_t) +corenet_tcp_bind_all_unreserved_ports(mailman_mail_t) +corenet_tcp_bind_generic_node(mailman_mail_t) +corenet_tcp_connect_http_port(mailman_mail_t) corenet_tcp_connect_smtp_port(mailman_mail_t) corenet_sendrecv_spamd_client_packets(mailman_mail_t) corenet_sendrecv_innd_client_packets(mailman_mail_t) @@ -193,6 +235,7 @@ libs_read_lib_files(mailman_mail_t) logging_search_logs(mailman_mail_t) +miscfiles_read_generic_certs(mailman_mail_t) miscfiles_read_localization(mailman_mail_t) mta_use_mailserver_fds(mailman_mail_t) 
@@ -200,14 +243,26 @@ mta_dontaudit_rw_delivery_tcp_sockets(ma mta_dontaudit_rw_queue(mailman_mail_t) optional_policy(` + apache_search_config(mailman_mail_t) +') + +optional_policy(` courier_read_spool(mailman_mail_t) ') optional_policy(` cron_read_pipes(mailman_mail_t) + cron_rw_inherited_tmp_files(mailman_mail_t) + cron_search_spool(mailman_mail_t) + cron_system_entry(mailman_mail_t, mailman_mail_exec_t) +') + +optional_policy(` + corenet_tcp_connect_mysqld_port(mailman_mail_t) ') optional_policy(` + postfix_read_config(mailman_mail_t) postfix_search_spool(mailman_mail_t) postfix_rw_inherited_master_pipes(mailman_mail_t) ') @@ -217,15 +272,18 @@ optional_policy(` # Queue local policy # -allow mailman_queue_t self:capability { setgid setuid }; +allow mailman_queue_t self:capability { dac_override setgid setuid }; allow mailman_queue_t self:process { setsched signal_perms }; allow mailman_queue_t self:fifo_file rw_fifo_file_perms; +allow mailman_queue_t mailman_runtime_t:dir rw_dir_perms; +allow mailman_queue_t mailman_runtime_t:file manage_file_perms; + allow mailman_queue_t mailman_archive_t:dir manage_dir_perms; allow mailman_queue_t mailman_archive_t:file manage_file_perms; allow mailman_queue_t mailman_data_t:dir rw_dir_perms; -allow mailman_queue_t mailman_data_t:file manage_file_perms; +allow mailman_queue_t mailman_data_t:file { map manage_file_perms }; allow mailman_queue_t mailman_data_t:lnk_file read_lnk_file_perms; allow mailman_queue_t mailman_lock_t:dir rw_dir_perms; 
@@ -234,15 +292,25 @@ allow mailman_queue_t mailman_lock_t:fil allow mailman_queue_t mailman_log_t:dir list_dir_perms; allow mailman_queue_t mailman_log_t:file manage_file_perms; +fs_tmpfs_filetrans(mailman_queue_t, mailman_queue_tmpfs_t, file) +allow mailman_queue_t mailman_queue_tmpfs_t:file { map manage_file_perms }; + +kernel_read_network_state(mailman_queue_t) kernel_read_system_state(mailman_queue_t) +kernel_search_vm_sysctl(mailman_queue_t) auth_domtrans_chk_passwd(mailman_queue_t) corecmd_read_bin_files(mailman_queue_t) corenet_sendrecv_innd_client_packets(mailman_queue_t) +corenet_tcp_bind_all_unreserved_ports(mailman_queue_t) +corenet_tcp_bind_generic_node(mailman_queue_t) +corenet_tcp_connect_generic_port(mailman_queue_t) +corenet_tcp_connect_http_port(mailman_queue_t) corenet_tcp_connect_innd_port(mailman_queue_t) files_dontaudit_search_runtime(mailman_queue_t) +files_read_usr_files(mailman_queue_t) files_search_locks(mailman_queue_t) miscfiles_read_localization(mailman_queue_t) @@ -251,14 +319,24 @@ seutil_dontaudit_search_config(mailman_q userdom_search_user_home_dirs(mailman_queue_t) -cron_rw_tmp_files(mailman_queue_t) - optional_policy(` apache_read_config(mailman_queue_t) ') optional_policy(` + cron_rw_tmp_files(mailman_queue_t) + cron_search_spool(mailman_queue_t) cron_system_entry(mailman_queue_t, mailman_queue_exec_t) + cron_use_fds(mailman_queue_t) +') + +optional_policy(` + mysql_stream_connect(mailman_queue_t) + mysql_tcp_connect(mailman_queue_t) +') + +optional_policy(` + postfix_read_config(mailman_queue_t) ') optional_policy(` Index: refpolicy-2.20220219/policy/modules/services/apache.te =================================================================== --- refpolicy-2.20220219.orig/policy/modules/services/apache.te +++ refpolicy-2.20220219/policy/modules/services/apache.te 
@@ -815,8 +815,10 @@ optional_policy(` ') optional_policy(` + mailman_stream_connect_cgi(httpd_t) mailman_signal_cgi(httpd_t) mailman_domtrans_cgi(httpd_t) + mailman_map_data_files(httpd_t) mailman_read_data_files(httpd_t) mailman_search_data(httpd_t) mailman_read_archive(httpd_t) Index: refpolicy-2.20220219/policy/modules/services/cron.te =================================================================== --- refpolicy-2.20220219.orig/policy/modules/services/cron.te +++ refpolicy-2.20220219/policy/modules/services/cron.te @@ -604,6 +604,12 @@ optional_policy(` ') optional_policy(` + mailman_domtrans_queue(system_cronjob_t) + # for flock + mailman_manage_runtime_files(system_cronjob_t) +') + +optional_policy(` mrtg_append_create_logs(system_cronjob_t) mrtg_read_config(system_cronjob_t) ') Index: refpolicy-2.20220219/policy/modules/system/systemd.te =================================================================== --- refpolicy-2.20220219.orig/policy/modules/system/systemd.te +++ refpolicy-2.20220219/policy/modules/system/systemd.te @@ -1796,6 +1796,10 @@ optional_policy(` ') optional_policy(` + mailman_manage_lockdir(systemd_tmpfiles_t) +') + +optional_policy(` xfs_create_tmp_dirs(systemd_tmpfiles_t) ') Index: refpolicy-2.20220219/policy/modules/services/mailman.fc =================================================================== --- refpolicy-2.20220219.orig/policy/modules/services/mailman.fc +++ refpolicy-2.20220219/policy/modules/services/mailman.fc 
@@ -20,6 +20,7 @@ /usr/lib/cgi-bin/mailman/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) /usr/lib/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) +/usr/lib/mailman3/bin/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) /usr/lib/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) /usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) /usr/lib/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) @@ -28,3 +29,4 @@ /usr/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) /usr/share/doc/mailman/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +/usr/share/mailman3-web/manage.py -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
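Review bot: the summary for mailman_map_data_files (mailman.if, hunk @@ -186,6 +224,24 @@) reads `## map mailman data content.`; refpolicy interface summaries are capitalised sentences and the surrounding interfaces speak of data files, so `## Map mailman data files.` would match both the interface name and the rest of the file.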
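Review bot: mailman_manage_lockdir (mailman.if, hunk @@ -342,3 +398,21 @@) departs from the naming the same patch uses for mailman_manage_runtime_files; call it mailman_manage_lock_dirs, and since the two other new interfaces pair their rule with files_search_runtime($1), pair this one with files_search_locks($1) so a caller can reach the directory, i.e. `files_search_locks($1)` followed by `manage_dirs_pattern($1, mailman_lock_t, mailman_lock_t)` in place of the bare allow rule.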
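Review bot: `allow mailman_cgi_t self:capability { dac_override setgid setuid };` (mailman.te, hunk @@ -89,13 +97,16 @@) hands CAP_DAC_OVERRIDE to the domain that httpd_t transitions into for web requests, letting it bypass DAC checks on every file its SELinux rules otherwise permit; a dac_override denial usually means the service runs under a uid that does not own its data, and the fix is ownership or group permissions on the mailman3 data (or a dontaudit if the access is harmless), not the capability. The same question applies to the dac_override added for mailman_queue_t in hunk @@ -217,15 +272,18 @@; please include the AVCs that prompted both.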
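Review bot: corecmd_bin_entry_type(mailman_cgi_t) (mailman.te, hunk @@ -104,11 +115,27 @@) makes every bin_t executable a valid entrypoint for the domain httpd_t transitions into, and together with init_daemon_domain(mailman_cgi_t, mailman_cgi_exec_t) in hunk @@ -10,6 +10,7 @@ and cron_system_entry in the hunk that follows, mailman_cgi_t is now entered from Apache, init, cron and any bin_t program. Give the uwsgi service for mailman3-web its own domain and exec type (a hypothetical mailman_web_t entered through a labelled uwsgi wrapper or launcher script), which removes the need for the SELinuxContext= workaround described in the comment and keeps the sock_file, corenet_tcp_bind_generic_node and corenet_tcp_connect_all_unreserved_ports rules out of the CGI domain reachable from the web server. If the daemon connects to a fixed port, define a port type for it instead of opening all unreserved ports.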
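Review bot: `allow mailman_mail_t self:fifo_file rw_file_perms;` (mailman.te, hunk @@ -142,7 +178,9 @@) should use rw_fifo_file_perms, the set this same patch uses for mailman_cgi_t and mailman_queue_t. The two additions next to it also need a justification in the commit message: execmem lets the delivery program map anonymous memory that is both writable and executable, giving up W^X in a domain that parses untrusted mail, and netlink_audit_socket nlmsg_relay lets it inject records into the audit trail, something normally reserved for PAM-using login programs; if these come from a library rather than Mailman itself, name it, or dontaudit them if the program works without.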
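Review bot: corenet_tcp_bind_all_unreserved_ports(mailman_mail_t) (mailman.te, hunk @@ -167,8 +205,12 @@) lets the delivery domain listen on any port above 1023; if the listener it serves sits on a fixed port, add a port type for it (the patch defines none), and please say in the commit message which peer the new corenet_tcp_connect_http_port(mailman_mail_t) rule is for.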
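Review bot: corenet_tcp_connect_mysqld_port(mailman_mail_t) (mailman.te, hunk @@ -200,14 +243,26 @@) is wrapped in optional_policy(`...'), but corenet belongs to the kernel layer and is always present, so the block is never optional; use mysql_tcp_connect(mailman_mail_t) inside that block, as the queue domain does in hunk @@ -251,14 +319,24 @@, which also makes the rule depend on the mysql module actually being loaded.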
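Review bot: corenet_tcp_connect_generic_port(mailman_queue_t) (mailman.te, hunk @@ -234,15 +292,25 @@) permits connections to every port that has no port type assigned, on top of corenet_tcp_bind_all_unreserved_ports and corenet_tcp_connect_http_port in the same hunk; the runner domain processes mail from arbitrary senders, so name the service it has to reach and give that service a port type rather than opening the whole untyped range.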
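Review bot: moving cron_rw_tmp_files(mailman_queue_t) under optional_policy(`...') (mailman.te, hunk @@ -251,14 +319,24 @@) corrects an existing unconditional call into the optional cron module, but it is independent of the mailman3 work and should be its own commit so it can be applied and bisected separately.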
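Review bot: mailman_manage_runtime_files(system_cronjob_t) (cron.te, hunk @@ -604,6 +604,12 @@), justified only by `# for flock`, gives the system cron domain create, unlink and rename on every mailman_runtime_t file when flock(1) only has to open the lock file read/write (and create it if it is absent); a narrower interface built on rw_files_pattern, with create added only if the lock file does not pre-exist, would cover the cron job without letting it remove the sock_file that mailman_cgi_t creates under the same type in mailman.te.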
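Review bot: `/usr/lib/mailman3/bin/.*` (mailman.fc, hunk @@ -20,6 +20,7 @@) is inserted between the /usr/lib/mailman/ entries, but the file is kept sorted and `mailman/` sorts before `mailman3/`, so the line belongs after /usr/lib/mailman/mail/wrapper; the `.*` also labels every file under that directory as mailman_queue_exec_t, so if anything other than the runner executables lives there, match the runners explicitly instead of the whole directory.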
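Review bot: `/usr/share/mailman3-web/manage.py` (mailman.fc, hunk @@ -28,3 +29,4 @@) puts the web front end's management script into mailman_queue_exec_t, so anything running it through mailman_domtrans_queue (cron.te in this patch) lands in the core runner domain with the runners' full rule set; if mailman3-web is ever given a domain of its own, this entry is the one that should move with it, and a sentence in the commit message on why the queue domain is the right home for it now would help.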