From: Chris PeBenito
To: Russell Coker, selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] mailman3 V3
Date: Mon, 14 Mar 2022 09:47:05 -0400
Message-ID: <30f62017-1672-7c40-b37d-b62aa276bbae@ieee.org>

On 3/8/22 23:54, Russell Coker wrote:
> Fixed the issues Chris raised with the previous patch. I think this is
> ready to merge.
> > Signed-off-by: Russell Coker > > Index: refpolicy-2.20220309/policy/modules/services/mailman.if > =================================================================== > --- refpolicy-2.20220309.orig/policy/modules/services/mailman.if > +++ refpolicy-2.20220309/policy/modules/services/mailman.if > @@ -109,6 +109,44 @@ interface(`mailman_domtrans_cgi',` > > ####################################### > ## > +## Talk to mailman_cgi_t via Unix domain socket > +## > +## > +## > +## Domain talking to mailman > +## > +## > +# > +interface(`mailman_stream_connect_cgi',` > + gen_require(` > + type mailman_cgi_t, mailman_runtime_t; > + ') > + > + files_search_runtime($1) > + stream_connect_pattern($1, mailman_runtime_t, mailman_runtime_t, mailman_cgi_t) > +') > + > +####################################### > +## > +## Manage mailman runtime files > +## > +## > +## > +## Domain to manage the files > +## > +## > +# > +interface(`mailman_manage_runtime_files',` > + gen_require(` > + type mailman_runtime_t; > + ') > + > + files_search_runtime($1) > + manage_files_pattern($1, mailman_runtime_t, mailman_runtime_t) > +') > + > +####################################### > +## > ## Execute mailman in the caller domain. > ## > ## > @@ -186,6 +224,24 @@ interface(`mailman_read_data_files',` > > ####################################### > ## > +## map mailman data content. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`mailman_map_data_files',` > + gen_require(` > + type mailman_data_t; > + ') > + > + allow $1 mailman_data_t:file map; > +') > + > +####################################### > +## > ## Create, read, write, and delete > ## mailman data files. > ## 
> @@ -342,3 +398,21 @@ interface(`mailman_domtrans_queue',` > libs_search_lib($1) > domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t) > ') > + > +####################################### > +## > +## Manage mailman lock dir > +## > +## > +## > +## Domain allowed to manage it. > +## > +## > +# > +interface(`mailman_manage_lockdir',` > + gen_require(` > + type mailman_lock_t; > + ') > + > + allow $1 mailman_lock_t:dir manage_dir_perms; > +') > Index: refpolicy-2.20220309/policy/modules/services/mailman.te > =================================================================== > --- refpolicy-2.20220309.orig/policy/modules/services/mailman.te > +++ refpolicy-2.20220309/policy/modules/services/mailman.te > @@ -10,6 +10,7 @@ attribute mailman_domain; > attribute_role mailman_roles; > > mailman_domain_template(cgi) > +init_daemon_domain(mailman_cgi_t, mailman_cgi_exec_t) > > type mailman_data_t; > files_type(mailman_data_t) > @@ -22,15 +23,25 @@ logging_log_file(mailman_log_t) > > type mailman_lock_t; > files_lock_file(mailman_lock_t) > +optional_policy(` > + systemd_tmpfilesd_managed(mailman_lock_t) > +') > > type mailman_runtime_t alias mailman_var_run_t; > files_runtime_file(mailman_runtime_t) > > +type mailman_cgi_tmpfs_t; > +files_tmpfs_file(mailman_cgi_tmpfs_t) > + > +type mailman_queue_tmpfs_t; > +files_tmpfs_file(mailman_queue_tmpfs_t) > + > mailman_domain_template(mail) > init_daemon_domain(mailman_mail_t, mailman_mail_exec_t) > role mailman_roles types mailman_mail_t; > > mailman_domain_template(queue) > +init_daemon_domain(mailman_queue_t, mailman_queue_exec_t) > > ######################################## > # 
> @@ -89,13 +100,16 @@ miscfiles_read_localization(mailman_doma > # CGI local policy > # > > -allow mailman_cgi_t self:unix_dgram_socket { create connect }; > +allow mailman_cgi_t self:process { signal signull sigkill }; > +allow mailman_cgi_t self:fifo_file rw_fifo_file_perms; > +allow mailman_cgi_t self:capability { dac_override setgid setuid }; > +allow mailman_cgi_t self:unix_dgram_socket create_socket_perms; > > allow mailman_cgi_t mailman_archive_t:dir search_dir_perms; > allow mailman_cgi_t mailman_archive_t:file read_file_perms; > > allow mailman_cgi_t mailman_data_t:dir rw_dir_perms; > -allow mailman_cgi_t mailman_data_t:file manage_file_perms; > +allow mailman_cgi_t mailman_data_t:file { map manage_file_perms }; > allow mailman_cgi_t mailman_data_t:lnk_file read_lnk_file_perms; > > allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms; 
> @@ -104,11 +118,27 @@ allow mailman_cgi_t mailman_lock_t:file > allow mailman_cgi_t mailman_log_t:file { append_file_perms read_file_perms }; > allow mailman_cgi_t mailman_log_t:dir search_dir_perms; > > +allow mailman_cgi_t mailman_runtime_t:dir rw_dir_perms; > +allow mailman_cgi_t mailman_runtime_t:file read_file_perms; > +allow mailman_cgi_t mailman_runtime_t:sock_file manage_file_perms; > + > +fs_tmpfs_filetrans(mailman_cgi_t, mailman_cgi_tmpfs_t, file) > +allow mailman_cgi_t mailman_cgi_tmpfs_t:file { map manage_file_perms }; > + > kernel_read_crypto_sysctls(mailman_cgi_t) > +kernel_read_net_sysctls(mailman_cgi_t) > kernel_read_system_state(mailman_cgi_t) > +kernel_read_vm_overcommit_sysctl(mailman_cgi_t) > > +# need SELinuxContext=system_u:system_r:mailman_cgi_t:s0 in the systemd > +# service file for the correct context on running /usr/bin/uwsgi for > +# mailman3-web > +corecmd_bin_entry_type(mailman_cgi_t) > corecmd_exec_bin(mailman_cgi_t) > > +corenet_tcp_bind_generic_node(mailman_cgi_t) > +corenet_tcp_connect_all_unreserved_ports(mailman_cgi_t) > + > dev_read_urand(mailman_cgi_t) > > files_search_locks(mailman_cgi_t) > @@ -120,9 +150,9 @@ libs_dontaudit_write_lib_dirs(mailman_cg > > logging_search_logs(mailman_cgi_t) > > +miscfiles_read_generic_certs(mailman_cgi_t) > miscfiles_read_localization(mailman_cgi_t) > > - > optional_policy(` > apache_sigchld(mailman_cgi_t) > apache_use_fds(mailman_cgi_t) > @@ -133,6 +163,15 @@ optional_policy(` > ') > > optional_policy(` > + cron_rw_inherited_tmp_files(mailman_cgi_t) > + cron_system_entry(mailman_cgi_t, mailman_cgi_exec_t) > +') > + > +optional_policy(` > + mysql_stream_connect(mailman_cgi_t) > +') > + > +optional_policy(` > postfix_read_config(mailman_cgi_t) > ') 
> > @@ -142,7 +181,9 @@ optional_policy(` > # > > allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config }; > -allow mailman_mail_t self:process { signal signull setsched }; > +allow mailman_mail_t self:process { execmem signal signull setsched }; > +allow mailman_mail_t self:netlink_audit_socket { nlmsg_relay create_socket_perms }; > +allow mailman_mail_t self:fifo_file rw_file_perms; > > allow mailman_mail_t mailman_archive_t:dir manage_dir_perms; > allow mailman_mail_t mailman_archive_t:file manage_file_perms; > @@ -167,8 +208,12 @@ manage_files_pattern(mailman_mail_t, mai > manage_dirs_pattern(mailman_mail_t, mailman_runtime_t, mailman_runtime_t) > files_runtime_filetrans(mailman_mail_t, mailman_runtime_t, { file dir }) > > +kernel_read_network_state(mailman_mail_t) > kernel_read_system_state(mailman_mail_t) > > +corenet_tcp_bind_all_unreserved_ports(mailman_mail_t) > +corenet_tcp_bind_generic_node(mailman_mail_t) > +corenet_tcp_connect_http_port(mailman_mail_t) > corenet_tcp_connect_smtp_port(mailman_mail_t) > corenet_sendrecv_spamd_client_packets(mailman_mail_t) > corenet_sendrecv_innd_client_packets(mailman_mail_t) > @@ -193,6 +238,7 @@ libs_read_lib_files(mailman_mail_t) > > logging_search_logs(mailman_mail_t) > > +miscfiles_read_generic_certs(mailman_mail_t) > miscfiles_read_localization(mailman_mail_t) > > mta_use_mailserver_fds(mailman_mail_t) 
> @@ -200,14 +246,26 @@ mta_dontaudit_rw_delivery_tcp_sockets(ma > mta_dontaudit_rw_queue(mailman_mail_t) > > optional_policy(` > + apache_search_config(mailman_mail_t) > +') > + > +optional_policy(` > courier_read_spool(mailman_mail_t) > ') > > optional_policy(` > cron_read_pipes(mailman_mail_t) > + cron_rw_inherited_tmp_files(mailman_mail_t) > + cron_search_spool(mailman_mail_t) > + cron_system_entry(mailman_mail_t, mailman_mail_exec_t) > ') > > optional_policy(` > + corenet_tcp_connect_mysqld_port(mailman_mail_t) > +') > + > +optional_policy(` > + postfix_read_config(mailman_mail_t) > postfix_search_spool(mailman_mail_t) > postfix_rw_inherited_master_pipes(mailman_mail_t) > ') > @@ -217,15 +275,18 @@ optional_policy(` > # Queue local policy > # > > -allow mailman_queue_t self:capability { setgid setuid }; > +allow mailman_queue_t self:capability { dac_override setgid setuid }; > allow mailman_queue_t self:process { setsched signal_perms }; > allow mailman_queue_t self:fifo_file rw_fifo_file_perms; > > +allow mailman_queue_t mailman_runtime_t:dir rw_dir_perms; > +allow mailman_queue_t mailman_runtime_t:file manage_file_perms; > + > allow mailman_queue_t mailman_archive_t:dir manage_dir_perms; > allow mailman_queue_t mailman_archive_t:file manage_file_perms; > > allow mailman_queue_t mailman_data_t:dir rw_dir_perms; > -allow mailman_queue_t mailman_data_t:file manage_file_perms; > +allow mailman_queue_t mailman_data_t:file { map manage_file_perms }; > allow mailman_queue_t mailman_data_t:lnk_file read_lnk_file_perms; > > allow mailman_queue_t mailman_lock_t:dir rw_dir_perms; 
> @@ -234,15 +295,25 @@ allow mailman_queue_t mailman_lock_t:fil > allow mailman_queue_t mailman_log_t:dir list_dir_perms; > allow mailman_queue_t mailman_log_t:file manage_file_perms; > > +fs_tmpfs_filetrans(mailman_queue_t, mailman_queue_tmpfs_t, file) > +allow mailman_queue_t mailman_queue_tmpfs_t:file { map manage_file_perms }; > + > +kernel_read_network_state(mailman_queue_t) > kernel_read_system_state(mailman_queue_t) > +kernel_search_vm_sysctl(mailman_queue_t) > > auth_domtrans_chk_passwd(mailman_queue_t) > > corecmd_read_bin_files(mailman_queue_t) > corenet_sendrecv_innd_client_packets(mailman_queue_t) > +corenet_tcp_bind_all_unreserved_ports(mailman_queue_t) > +corenet_tcp_bind_generic_node(mailman_queue_t) > +corenet_tcp_connect_generic_port(mailman_queue_t) > +corenet_tcp_connect_http_port(mailman_queue_t) > corenet_tcp_connect_innd_port(mailman_queue_t) > > files_dontaudit_search_runtime(mailman_queue_t) > +files_read_usr_files(mailman_queue_t) > files_search_locks(mailman_queue_t) > > miscfiles_read_localization(mailman_queue_t) > @@ -251,14 +322,24 @@ seutil_dontaudit_search_config(mailman_q > > userdom_search_user_home_dirs(mailman_queue_t) > > -cron_rw_tmp_files(mailman_queue_t) > - > optional_policy(` > apache_read_config(mailman_queue_t) > ') > > optional_policy(` > + cron_rw_tmp_files(mailman_queue_t) > + cron_search_spool(mailman_queue_t) > cron_system_entry(mailman_queue_t, mailman_queue_exec_t) > + cron_use_fds(mailman_queue_t) > +') > + > +optional_policy(` > + mysql_stream_connect(mailman_queue_t) > + mysql_tcp_connect(mailman_queue_t) > +') > + > +optional_policy(` > + postfix_read_config(mailman_queue_t) > ') > > optional_policy(` > Index: refpolicy-2.20220309/policy/modules/services/apache.te > =================================================================== > --- refpolicy-2.20220309.orig/policy/modules/services/apache.te > +++ refpolicy-2.20220309/policy/modules/services/apache.te 
> @@ -815,8 +815,10 @@ optional_policy(` > ') > > optional_policy(` > + mailman_stream_connect_cgi(httpd_t) > mailman_signal_cgi(httpd_t) > mailman_domtrans_cgi(httpd_t) > + mailman_map_data_files(httpd_t) > mailman_read_data_files(httpd_t) > mailman_search_data(httpd_t) > mailman_read_archive(httpd_t) > Index: refpolicy-2.20220309/policy/modules/services/cron.te > =================================================================== > --- refpolicy-2.20220309.orig/policy/modules/services/cron.te > +++ refpolicy-2.20220309/policy/modules/services/cron.te > @@ -604,6 +604,12 @@ optional_policy(` > ') > > optional_policy(` > + mailman_domtrans_queue(system_cronjob_t) > + # for flock > + mailman_manage_runtime_files(system_cronjob_t) > +') > + > +optional_policy(` > mrtg_append_create_logs(system_cronjob_t) > mrtg_read_config(system_cronjob_t) > ') > Index: refpolicy-2.20220309/policy/modules/services/mailman.fc > =================================================================== > --- refpolicy-2.20220309.orig/policy/modules/services/mailman.fc > +++ refpolicy-2.20220309/policy/modules/services/mailman.fc > @@ -20,6 +20,7 @@ > > /usr/lib/cgi-bin/mailman/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) > /usr/lib/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) > +/usr/lib/mailman3/bin/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) > /usr/lib/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) > /usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) > /usr/lib/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) > @@ -28,3 +29,4 @@ > /usr/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) > > /usr/share/doc/mailman/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) > +/usr/share/mailman3-web/manage.py -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)

Merged.

-- 
Chris PeBenito
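Review bot: In the cron.te hunk, `mailman_manage_runtime_files(system_cronjob_t)` is justified only by the comment `# for flock`, but the interface is built on manage_files_pattern, which grants create, rename and unlink on mailman_runtime_t as well as lock. A narrower interface (read plus lock, or at most rw, on the runtime files) would still satisfy flock without letting system cron jobs delete or replace the pid and socket files that mailman_mail_t and mailman_cgi_t create there.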
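Review bot: `mailman_manage_lockdir` in the last mailman.if hunk (@@ -342,3 +398,21 @@) has no caller anywhere in this patch; apache.te and cron.te only use mailman_stream_connect_cgi, mailman_map_data_files, mailman_domtrans_queue and mailman_manage_runtime_files. Either drop it or add the caller that needs it, and if it stays, check whether manage_dir_perms on mailman_lock_t is really required, given that mailman_queue_t itself only has rw_dir_perms on that directory.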
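Review bot: In the mailman.te CGI hunk at @@ -89,13 +100,16 @@, `dac_override` for mailman_cgi_t is a strong capability for a web front end; if it is only needed because files under mailman_data_t or mailman_runtime_t are owned by a different uid than the uwsgi process, fixing ownership (or the uid/gid in the unit file) removes the need for it. It would be worth confirming from audit logs that it is actually exercised before merging it.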
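Review bot: In the mailman.te CGI hunk at @@ -104,11 +118,27 @@, `corecmd_bin_entry_type(mailman_cgi_t)` makes every bin_t binary a valid entrypoint for mailman_cgi_t so that a systemd unit with SELinuxContext= can start /usr/bin/uwsgi in that domain; that is much wider than the existing mailman_cgi_exec_t entrypoint, and it means any unit carrying that SELinuxContext line enters the domain regardless of what it executes. A dedicated exec type for the mailman3-web launcher, with an init_daemon_domain transition, keeps the entrypoint narrow. In the same hunk, `corenet_tcp_connect_all_unreserved_ports(mailman_cgi_t)` should be replaced by the named port the web front end actually connects to.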
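Review bot: In the mailman.te mail hunk at @@ -142,7 +181,9 @@, `execmem` for mailman_mail_t permits anonymous memory that is both writable and executable and so weakens the W^X guarantee for that domain; the commit message does not say which component triggers it, so please record the cause and confirm a plain read/execute mapping does not suffice. `self:netlink_audit_socket { nlmsg_relay create_socket_perms }` is also unusual for a mail handler, since nlmsg_relay allows the domain to submit userspace audit records; if this comes from a PAM or libaudit call path it should go through the corresponding interface rather than a raw allow. Style: this hunk uses `self:fifo_file rw_file_perms` while the CGI hunk uses `rw_fifo_file_perms` for the same object class; use rw_fifo_file_perms in both.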
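Review bot: In the mailman.te queue hunk at @@ -234,15 +295,25 @@, `corenet_tcp_connect_generic_port(mailman_queue_t)` is added on top of corenet_tcp_connect_http_port and mysql_tcp_connect, so the queue runner may connect to any generic port; if the remaining peer is one specific local service, a named port for it would be tighter and would make the network exposure of this domain reviewable.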
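Review bot: In the mailman.fc hunks, /usr/share/mailman3-web/manage.py is labelled mailman_queue_exec_t even though mailman3-web is the web front end that the CGI hunk runs as mailman_cgi_t under uwsgi, so its management commands would execute in the queue domain rather than the web domain; please confirm that is intended. Likewise `/usr/lib/mailman3/bin/.*` as mailman_queue_exec_t labels every mailman3 core binary as the queue runner; if one of them is the mail-delivery entry point that belongs in mailman_mail_exec_t it needs its own line. Minor: the new /usr/lib/mailman3/bin line sits between two /usr/lib/mailman/ entries rather than in sorted order.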