Message-ID: <71db8a48-4e6b-62b9-5f56-4c37374cf952@linux.microsoft.com>
Date: Mon, 10 Oct 2022 10:13:05 -0400
Subject: Re: [PATCH] Sympa list server
From: Chris PeBenito
To: Russell Coker, selinux-refpolicy@vger.kernel.org
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 9/25/2022 09:58, Russell Coker wrote:
> Policy for the Sympa mailing list server.
>
> I think this is ready to merge, it works well.
>
>
> Signed-off-by: Russell Coker
>
> Index: refpolicy-2.20220918/policy/modules/services/sympa.fc > =================================================================== > --- /dev/null > +++ refpolicy-2.20220918/policy/modules/services/sympa.fc > @@ -0,0 +1,6 @@ > +/usr/lib/sympa/bin/.* -- gen_context(system_u:object_r:sympa_exec_t,s0) > +/var/lib/sympa(/.*)? gen_context(system_u:object_r:sympa_var_t,s0) > +/var/spool/sympa(/.*)? gen_context(system_u:object_r:sympa_var_t,s0) > +/run/sympa(/.*)? gen_context(system_u:object_r:sympa_runtime_t,s0) > +/etc/mail/sympa(/.*)? gen_context(system_u:object_r:sympa_etc_t,s0) > +/etc/sympa(/.*)? gen_context(system_u:object_r:sympa_etc_t,s0) > Index: refpolicy-2.20220918/policy/modules/services/sympa.te > =================================================================== > --- /dev/null > +++ refpolicy-2.20220918/policy/modules/services/sympa.te 
> @@ -0,0 +1,86 @@ > +policy_module(sympa,1.0.0) > + > +######################################## > +# > +# Declarations > +# > + > +type sympa_t; > +type sympa_exec_t; > +init_daemon_domain(sympa_t, sympa_exec_t) > + > +type sympa_var_t; > +files_type(sympa_var_t) > + > +type sympa_runtime_t; > +files_runtime_file(sympa_runtime_t) > + > +type sympa_etc_t; > +files_config_file(sympa_etc_t) > + > +type sympa_tmp_t; > +files_tmp_file(sympa_tmp_t) > + > +######################################## > +# > +# Local policy > +# > + > +allow sympa_t self:capability { chown dac_override setgid setuid }; > +allow sympa_t self:fifo_file rw_file_perms; > +allow sympa_t self:tcp_socket create_socket_perms; > +allow sympa_t self:unix_dgram_socket create_socket_perms; > +allow sympa_t self:process signull; > +allow sympa_t sympa_var_t:dir manage_dir_perms; > +allow sympa_t sympa_var_t:file manage_file_perms; > + > +allow sympa_t sympa_runtime_t:dir manage_dir_perms; > +allow sympa_t sympa_runtime_t:file manage_file_perms; > +allow sympa_t sympa_runtime_t:sock_file { create setattr unlink write }; > + > +allow sympa_t sympa_etc_t:dir list_dir_perms; > +allow sympa_t sympa_etc_t:file read_file_perms; > + > +files_tmp_filetrans(sympa_t, sympa_tmp_t, { file }) > +allow sympa_t sympa_tmp_t:file manage_file_perms; > + > +can_exec(sympa_t, sympa_exec_t) > + > +kernel_read_kernel_sysctls(sympa_t) > + > +auth_dontaudit_read_shadow(sympa_t) > + > +# for setting SE Linux context in systemd unit file > +corecmd_bin_entry_type(sympa_t) > + > +corecmd_exec_bin(sympa_t) > +corecmd_exec_shell(sympa_t) > + > +dev_read_urand(sympa_t) > + > +files_read_etc_files(sympa_t) > +files_read_usr_files(sympa_t) > +files_search_spool(sympa_t) > +files_search_var_lib(sympa_t) > + > +logging_send_syslog_msg(sympa_t) > + > +miscfiles_read_generic_certs(sympa_t) > +miscfiles_read_localization(sympa_t) > + > +sysnet_read_config(sympa_t) > + > +optional_policy(` > + apache_search_sys_scripts(sympa_t) > +') > + > 
+optional_policy(` > + mta_read_config(sympa_t) > + mta_send_mail(sympa_t) > + mta_rw_delivery_fifos(sympa_t) > +') > + > +optional_policy(` > + mysql_tcp_connect(sympa_t) > + mysql_stream_connect(sympa_t) > +') > Index: refpolicy-2.20220918/policy/modules/services/sympa.if > =================================================================== > --- /dev/null > +++ refpolicy-2.20220918/policy/modules/services/sympa.if 
> @@ -0,0 +1,209 @@ > +## Sympa mailing list manager > +## > +## > +## Sympa is a popular mailing list manager. > +## https://www.sympa.org/ > +## > + > +######################################## > +## > +## Allow appending to sympa_var_t (for error log) > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`sympa_append_var_files',` > + gen_require(` > + type sympa_var_t; > + ') > + > + allow $1 sympa_var_t:file { append getattr }; > +') > + > +######################################## > +## > +## Allow reading sympa_var_t files > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`sympa_read_var_files',` > + gen_require(` > + type sympa_var_t; > + ') > + > + allow $1 sympa_var_t:dir list_dir_perms; > + allow $1 sympa_var_t:file read_file_perms; > +') > + > +######################################## > +## > +## Allow managing sympa_var_t files > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`sympa_manage_var_files',` > + gen_require(` > + type sympa_var_t; > + ') > + > + allow $1 sympa_var_t:dir rw_dir_perms; > + allow $1 sympa_var_t:file manage_file_perms; > +') > + > +######################################## > +## > +## Allow mapping sympa_var_t files > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`sympa_map_var_files',` > + gen_require(` > + type sympa_var_t; > + ') > + > + allow $1 sympa_var_t:file map; > +') > + > +######################################## > +## > +## Transition to sympa_t when executing sympa_exec_t > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`sympa_domtrans',` > + gen_require(` > + type sympa_exec_t, sympa_t; > + ') > + > + domain_auto_transition_pattern($1, sympa_exec_t, sympa_t) > +') > + > +######################################## > +## > +## Use file handles inherited from sympa > +## > +## > +## > +## Domain allowed access. 
> +## > +## > +# > +interface(`sympa_use_fd',` > + gen_require(` > + type sympa_t; > + ') > + > + allow $1 sympa_t:fd use; > +') > + > +######################################## > +## > +## Dontaudit access to inherited sympa tcp sockets > +## > +## > +## > +## Domain to not audit > +## > +## > +# > +interface(`sympa_dontaudit_tcp_rw',` > + gen_require(` > + type sympa_t; > + ') > + > + dontaudit $1 sympa_t:tcp_socket { read write }; > +') > + > +######################################## > +## > +## Allow reading sympa config files > +## > +## > +## > +## Domain to allow > +## > +## > +# > +interface(`sympa_read_conf',` > + gen_require(` > + type sympa_etc_t; > + ') > + > + allow $1 sympa_etc_t:dir list_dir_perms; > + allow $1 sympa_etc_t:file read_file_perms; > +') > + > +######################################## > +## > +## Allow rw sympa runtime dirs and manage sympa runtime files > +## > +## > +## > +## Domain to allow > +## > +## > +# > +interface(`sympa_manage_runtime_files',` > + gen_require(` > + type sympa_runtime_t; > + ') > + > + allow $1 sympa_runtime_t:dir rw_dir_perms; > + allow $1 sympa_runtime_t:file manage_file_perms; > +') > + > +######################################## > +## > +## Allow rw sympa runtime dirs and manage sympa runtime sock files > +## > +## > +## > +## Domain to allow > +## > +## > +# > +interface(`sympa_manage_runtime_sock_files',` > + gen_require(` > + type sympa_runtime_t; > + ') > + > + allow $1 sympa_runtime_t:dir rw_dir_perms; > + allow $1 sympa_runtime_t:sock_file { setattr create unlink write }; > +') > + > +######################################## > +## > +## Allow domain to connect to sympa socket > +## > +## > +## > +## Domain to allow > +## > +## > +# > +interface(`sympa_connect_runtime_sock_files',` > + gen_require(` > + type sympa_t; > + ') > + > + allow $1 sympa_t:unix_stream_socket connectto; > +') > Index: refpolicy-2.20220918/policy/modules/services/mta.te > 
=================================================================== > --- refpolicy-2.20220918.orig/policy/modules/services/mta.te > +++ refpolicy-2.20220918/policy/modules/services/mta.te > @@ -306,6 +306,11 @@ optional_policy(` > ') > > optional_policy(` > + sympa_append_var_files(system_mail_t) > + sympa_dontaudit_tcp_rw(system_mail_t) > +') > + > +optional_policy(` > unconfined_use_fds(system_mail_t) > ') > > @@ -396,6 +401,11 @@ optional_policy(` > ') > > optional_policy(` > + sympa_dontaudit_tcp_rw(mailserver_delivery) > + sympa_domtrans(mailserver_delivery) > +') > + > +optional_policy(` > uucp_domtrans_uux(mailserver_delivery) > ') > > Index: refpolicy-2.20220918/policy/modules/services/mta.if > =================================================================== > --- refpolicy-2.20220918.orig/policy/modules/services/mta.if > +++ refpolicy-2.20220918/policy/modules/services/mta.if > @@ -872,6 +872,26 @@ interface(`mta_read_spool_symlinks',` > > ####################################### > ## > +## read and write fifo files inherited from delivery domains > +## > +## > +## > +## Domain to use fifo files > +## > +## > +# > +interface(`mta_rw_delivery_fifos',` > + gen_require(` > + attribute mailserver_delivery; > + ') > + > + allow $1 mailserver_delivery:fd use; > + allow $1 mailserver_delivery:fifo_file { getattr read write }; > +') > + > + > +####################################### > +## > ## Do not audit attempts to read > ## mail spool symlinks. > ## > Index: refpolicy-2.20220918/policy/modules/services/exim.te > =================================================================== > --- refpolicy-2.20220918.orig/policy/modules/services/exim.te > +++ refpolicy-2.20220918/policy/modules/services/exim.te 
> @@ -251,3 +251,10 @@ optional_policy(` > spamassassin_exec(exim_t) > spamassassin_exec_client(exim_t) > ') > + > +optional_policy(` > + # each of these should probably be for mailserver_delivery or mailserver_domain > + sympa_append_var_files(exim_t) > + sympa_read_var_files(exim_t) > + sympa_use_fd(exim_t) > +') > Index: refpolicy-2.20220918/policy/modules/services/apache.te > =================================================================== > --- refpolicy-2.20220918.orig/policy/modules/services/apache.te > +++ refpolicy-2.20220918/policy/modules/services/apache.te > @@ -898,6 +898,14 @@ optional_policy(` > snmp_dontaudit_write_snmp_var_lib_files(httpd_t) > ') > > +optional_policy(` > + sympa_manage_runtime_sock_files(httpd_t) > + sympa_map_var_files(httpd_t) > + sympa_read_conf(httpd_t) > + sympa_read_var_files(httpd_t) > +') > + > + > ######################################## > # > # Helper local policy > @@ -1239,6 +1247,8 @@ files_read_var_symlinks(httpd_sys_script > files_search_var_lib(httpd_sys_script_t) > files_search_spool(httpd_sys_script_t) > > +miscfiles_read_generic_certs(httpd_sys_script_t) > + > apache_domtrans_rotatelogs(httpd_sys_script_t) > > auth_use_nsswitch(httpd_sys_script_t) > @@ -1321,6 +1331,11 @@ optional_policy(` > ') > ') > > +optional_policy(` > + sympa_manage_var_files(httpd_sys_script_t) > + sympa_read_conf(httpd_sys_script_t) > +') > + > ######################################## > # > # Rotatelogs local policy

Queued for merging: https://github.com/SELinuxProject/refpolicy/pull/554

-- 
Chris PeBenito
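Review bot: in the sympa.fc hunk, /var/lib/sympa and /var/spool/sympa are both labelled sympa_var_t, so every interface written over that type (sympa_read_var_files, sympa_manage_var_files, sympa_append_var_files) grants state and spool access together; refpolicy normally keeps a var_lib type and a spool type apart, which would let callers later in the patch be given only the half they use. The error log that sympa_append_var_files is documented as serving would likewise conventionally get its own log type declared with logging_log_file instead of sharing sympa_var_t.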
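Review bot: in the sympa.te hunk, `corecmd_bin_entry_type(sympa_t)` makes every bin_t executable an entrypoint for sympa_t, far more than the comment "for setting SE Linux context in systemd unit file" needs; if the unit runs a wrapper outside /usr/lib/sympa/bin, labelling that wrapper sympa_exec_t in sympa.fc keeps the entrypoint set to one type. Two smaller items: `dac_override` in the self:capability rule should carry a comment naming the access that needs it, since it usually points at a mislabelled or wrongly owned file rather than a real requirement, and apart from mysql_tcp_connect there are no corenet_* rules, so `self:tcp_socket create_socket_perms` is only usable for the MySQL connection; if that is intended, say so in a comment.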
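Review bot: in the sympa.if hunk, `sympa_connect_runtime_sock_files` grants only `sympa_t:unix_stream_socket connectto`; a caller still needs write on the sock_file, so the interface is unusable on its own and nothing in this patch calls it. The usual form is `stream_connect_pattern($1, sympa_runtime_t, sympa_runtime_t, sympa_t)`, which would also give apache.te a narrower alternative to sympa_manage_runtime_sock_files. Naming nits against existing interfaces: `sympa_use_fd` would be `sympa_use_fds` and `sympa_read_conf` would be `sympa_read_config`, and the var/runtime interfaces could use the manage_files_pattern and read_files_pattern macros instead of spelled-out allow rules.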
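Review bot: in the mta.te hunk at @@ -306, `sympa_dontaudit_tcp_rw(system_mail_t)` beside `sympa_append_var_files(system_mail_t)` means sympa_t is handing an open tcp socket to the sendmail it spawns; the dontaudit silences the denial, but the real fix is for Sympa to mark its sockets close-on-exec, and a one-line comment noting that the leak is being tolerated rather than granted would keep the next reader from widening it to read/write.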
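Review bot: in the mta.if hunk, the new `mta_rw_delivery_fifos` also grants `mailserver_delivery:fd use`, which neither its name nor its summary ("read and write fifo files inherited from delivery domains") mentions; either document the fd use in the summary or split it out as `mta_use_delivery_fds`, since fd use is useful on its own. There is also a doubled blank line before the next `####` banner, and the summary should be capitalised like the surrounding ones.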
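Review bot: in the exim.te hunk, the comment "each of these should probably be for mailserver_delivery or mailserver_domain" is a to-do shipping into the policy; since the mta.te hunk in this same patch already adds a sympa optional_policy block on mailserver_delivery, moving sympa_append_var_files, sympa_read_var_files and sympa_use_fd into that block and dropping the exim-only one resolves the comment and covers the other delivery MTAs too.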
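Review bot: in the apache.te hunk at @@ -898, `sympa_manage_runtime_sock_files(httpd_t)` lets httpd create, unlink and setattr the sockets under /run/sympa, while a client that only connects needs `write` on the sock_file plus `connectto` on sympa_t; a stream-connect interface would stop the web server from being able to replace the daemon's socket. A doubled blank line is also left before the `####` banner.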
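Review bot: in the apache.te hunk at @@ -1239, `miscfiles_read_generic_certs(httpd_sys_script_t)` changes the generic CGI domain for every script, is not specific to Sympa, and is not mentioned in the commit message; it should either be explained there or go in its own commit. It is also placed between the files_* calls and apache_domtrans_rotatelogs, whereas the surrounding code groups system-layer calls such as auth_use_nsswitch after the module's own apache_ call, so miscfiles_ belongs with those.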
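Review bot: in the apache.te hunk at @@ -1321, `sympa_manage_var_files(httpd_sys_script_t)` gives the CGI domain create, write and unlink on everything labelled sympa_var_t, which per sympa.fc covers /var/spool/sympa as well as /var/lib/sympa; if the web interface only needs to write list state, a separate spool type would keep the scripts from being able to alter or remove queued mail, and the block should say which directory the write access is for.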