2022-02-20 19:50:22

by Russell Coker

[permalink] [raw]
Subject: [PATCH] mailman3 V2.1

Same as the previous but also allow web server to map mailman data files.

Signed-off-by: Russell Coker <[email protected]>

Index: refpolicy-2.20220219/policy/modules/services/mailman.if
===================================================================
--- refpolicy-2.20220219.orig/policy/modules/services/mailman.if
+++ refpolicy-2.20220219/policy/modules/services/mailman.if
@@ -109,6 +109,44 @@ interface(`mailman_domtrans_cgi',`

#######################################
## <summary>
+## Talk to mailman_cgi_t via Unix domain socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain talking to mailman
+## </summary>
+## </param>
+#
+interface(`mailman_stream_connect_cgi',`
+ gen_require(`
+ type mailman_cgi_t, mailman_runtime_t;
+ ')
+
+ files_search_runtime($1)
+ stream_connect_pattern($1, mailman_runtime_t, mailman_runtime_t, mailman_cgi_t)
+')
+
+#######################################
+## <summary>
+## Manage mailman runtime files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to manage the files
+## </summary>
+## </param>
+#
+interface(`mailman_manage_runtime_files',`
+ gen_require(`
+ type mailman_runtime_t;
+ ')
+
+ files_search_runtime($1)
+ manage_files_pattern($1, mailman_runtime_t, mailman_runtime_t)
+')
+
+#######################################
+## <summary>
## Execute mailman in the caller domain.
## </summary>
## <param name="domain">
@@ -186,6 +224,24 @@ interface(`mailman_read_data_files',`

#######################################
## <summary>
+## map mailman data content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_map_data_files',`
+ gen_require(`
+ type mailman_data_t;
+ ')
+
+ allow $1 mailman_data_t:file map;
+')
+
+#######################################
+## <summary>
## Create, read, write, and delete
## mailman data files.
## </summary>
@@ -342,3 +398,21 @@ interface(`mailman_domtrans_queue',`
libs_search_lib($1)
domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
')
+
+#######################################
+## <summary>
+## Manage mailman lock dir
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to manage it.
+## </summary>
+## </param>
+#
+interface(`mailman_manage_lockdir',`
+ gen_require(`
+ type mailman_lock_t;
+ ')
+
+ allow $1 mailman_lock_t:dir manage_dir_perms;
+')
Index: refpolicy-2.20220219/policy/modules/services/mailman.te
===================================================================
--- refpolicy-2.20220219.orig/policy/modules/services/mailman.te
+++ refpolicy-2.20220219/policy/modules/services/mailman.te
@@ -10,6 +10,7 @@ attribute mailman_domain;
attribute_role mailman_roles;

mailman_domain_template(cgi)
+init_daemon_domain(mailman_cgi_t, mailman_cgi_exec_t)

type mailman_data_t;
files_type(mailman_data_t)
@@ -26,11 +27,18 @@ files_lock_file(mailman_lock_t)
type mailman_runtime_t alias mailman_var_run_t;
files_runtime_file(mailman_runtime_t)

+type mailman_cgi_tmpfs_t;
+files_tmpfs_file(mailman_cgi_tmpfs_t)
+
+type mailman_queue_tmpfs_t;
+files_tmpfs_file(mailman_queue_tmpfs_t)
+
mailman_domain_template(mail)
init_daemon_domain(mailman_mail_t, mailman_mail_exec_t)
role mailman_roles types mailman_mail_t;

mailman_domain_template(queue)
+init_daemon_domain(mailman_queue_t, mailman_queue_exec_t)

########################################
#
@@ -89,13 +97,16 @@ miscfiles_read_localization(mailman_doma
# CGI local policy
#

-allow mailman_cgi_t self:unix_dgram_socket { create connect };
+allow mailman_cgi_t self:process { signal signull sigkill };
+allow mailman_cgi_t self:fifo_file rw_fifo_file_perms;
+allow mailman_cgi_t self:capability { dac_override setgid setuid };
+allow mailman_cgi_t self:unix_dgram_socket create_socket_perms;

allow mailman_cgi_t mailman_archive_t:dir search_dir_perms;
allow mailman_cgi_t mailman_archive_t:file read_file_perms;

allow mailman_cgi_t mailman_data_t:dir rw_dir_perms;
-allow mailman_cgi_t mailman_data_t:file manage_file_perms;
+allow mailman_cgi_t mailman_data_t:file { map manage_file_perms };
allow mailman_cgi_t mailman_data_t:lnk_file read_lnk_file_perms;

allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms;
@@ -104,11 +115,27 @@ allow mailman_cgi_t mailman_lock_t:file
allow mailman_cgi_t mailman_log_t:file { append_file_perms read_file_perms };
allow mailman_cgi_t mailman_log_t:dir search_dir_perms;

+allow mailman_cgi_t mailman_runtime_t:dir rw_dir_perms;
+allow mailman_cgi_t mailman_runtime_t:file read_file_perms;
+allow mailman_cgi_t mailman_runtime_t:sock_file manage_file_perms;
+
+fs_tmpfs_filetrans(mailman_cgi_t, mailman_cgi_tmpfs_t, file)
+allow mailman_cgi_t mailman_cgi_tmpfs_t:file { map manage_file_perms };
+
kernel_read_crypto_sysctls(mailman_cgi_t)
+kernel_read_net_sysctls(mailman_cgi_t)
kernel_read_system_state(mailman_cgi_t)
+kernel_read_vm_overcommit_sysctl(mailman_cgi_t)

+# need SELinuxContext=system_u:system_r:mailman_cgi_t:s0 in the systemd
+# service file for the correct context on running /usr/bin/uwsgi for
+# mailman3-web
+corecmd_bin_entry_type(mailman_cgi_t)
corecmd_exec_bin(mailman_cgi_t)

+corenet_tcp_bind_generic_node(mailman_cgi_t)
+corenet_tcp_connect_all_unreserved_ports(mailman_cgi_t)
+
dev_read_urand(mailman_cgi_t)

files_search_locks(mailman_cgi_t)
@@ -120,9 +147,9 @@ libs_dontaudit_write_lib_dirs(mailman_cg

logging_search_logs(mailman_cgi_t)

+miscfiles_read_generic_certs(mailman_cgi_t)
miscfiles_read_localization(mailman_cgi_t)

-
optional_policy(`
apache_sigchld(mailman_cgi_t)
apache_use_fds(mailman_cgi_t)
@@ -133,6 +160,15 @@ optional_policy(`
')

optional_policy(`
+ cron_rw_inherited_tmp_files(mailman_cgi_t)
+ cron_system_entry(mailman_cgi_t, mailman_cgi_exec_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(mailman_cgi_t)
+')
+
+optional_policy(`
postfix_read_config(mailman_cgi_t)
')

@@ -142,7 +178,9 @@ optional_policy(`
#

allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config };
-allow mailman_mail_t self:process { signal signull setsched };
+allow mailman_mail_t self:process { execmem signal signull setsched };
+allow mailman_mail_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
+allow mailman_mail_t self:fifo_file rw_file_perms;

allow mailman_mail_t mailman_archive_t:dir manage_dir_perms;
allow mailman_mail_t mailman_archive_t:file manage_file_perms;
@@ -167,8 +205,12 @@ manage_files_pattern(mailman_mail_t, mai
manage_dirs_pattern(mailman_mail_t, mailman_runtime_t, mailman_runtime_t)
files_runtime_filetrans(mailman_mail_t, mailman_runtime_t, { file dir })

+kernel_read_network_state(mailman_mail_t)
kernel_read_system_state(mailman_mail_t)

+corenet_tcp_bind_all_unreserved_ports(mailman_mail_t)
+corenet_tcp_bind_generic_node(mailman_mail_t)
+corenet_tcp_connect_http_port(mailman_mail_t)
corenet_tcp_connect_smtp_port(mailman_mail_t)
corenet_sendrecv_spamd_client_packets(mailman_mail_t)
corenet_sendrecv_innd_client_packets(mailman_mail_t)
@@ -193,6 +235,7 @@ libs_read_lib_files(mailman_mail_t)

logging_search_logs(mailman_mail_t)

+miscfiles_read_generic_certs(mailman_mail_t)
miscfiles_read_localization(mailman_mail_t)

mta_use_mailserver_fds(mailman_mail_t)
@@ -200,14 +243,26 @@ mta_dontaudit_rw_delivery_tcp_sockets(ma
mta_dontaudit_rw_queue(mailman_mail_t)

optional_policy(`
+ apache_search_config(mailman_mail_t)
+')
+
+optional_policy(`
courier_read_spool(mailman_mail_t)
')

optional_policy(`
cron_read_pipes(mailman_mail_t)
+ cron_rw_inherited_tmp_files(mailman_mail_t)
+ cron_search_spool(mailman_mail_t)
+ cron_system_entry(mailman_mail_t, mailman_mail_exec_t)
+')
+
+optional_policy(`
+ corenet_tcp_connect_mysqld_port(mailman_mail_t)
')

optional_policy(`
+ postfix_read_config(mailman_mail_t)
postfix_search_spool(mailman_mail_t)
postfix_rw_inherited_master_pipes(mailman_mail_t)
')
@@ -217,15 +272,18 @@ optional_policy(`
# Queue local policy
#

-allow mailman_queue_t self:capability { setgid setuid };
+allow mailman_queue_t self:capability { dac_override setgid setuid };
allow mailman_queue_t self:process { setsched signal_perms };
allow mailman_queue_t self:fifo_file rw_fifo_file_perms;

+allow mailman_queue_t mailman_runtime_t:dir rw_dir_perms;
+allow mailman_queue_t mailman_runtime_t:file manage_file_perms;
+
allow mailman_queue_t mailman_archive_t:dir manage_dir_perms;
allow mailman_queue_t mailman_archive_t:file manage_file_perms;

allow mailman_queue_t mailman_data_t:dir rw_dir_perms;
-allow mailman_queue_t mailman_data_t:file manage_file_perms;
+allow mailman_queue_t mailman_data_t:file { map manage_file_perms };
allow mailman_queue_t mailman_data_t:lnk_file read_lnk_file_perms;

allow mailman_queue_t mailman_lock_t:dir rw_dir_perms;
@@ -234,15 +292,25 @@ allow mailman_queue_t mailman_lock_t:fil
allow mailman_queue_t mailman_log_t:dir list_dir_perms;
allow mailman_queue_t mailman_log_t:file manage_file_perms;

+fs_tmpfs_filetrans(mailman_queue_t, mailman_queue_tmpfs_t, file)
+allow mailman_queue_t mailman_queue_tmpfs_t:file { map manage_file_perms };
+
+kernel_read_network_state(mailman_queue_t)
kernel_read_system_state(mailman_queue_t)
+kernel_search_vm_sysctl(mailman_queue_t)

auth_domtrans_chk_passwd(mailman_queue_t)

corecmd_read_bin_files(mailman_queue_t)
corenet_sendrecv_innd_client_packets(mailman_queue_t)
+corenet_tcp_bind_all_unreserved_ports(mailman_queue_t)
+corenet_tcp_bind_generic_node(mailman_queue_t)
+corenet_tcp_connect_generic_port(mailman_queue_t)
+corenet_tcp_connect_http_port(mailman_queue_t)
corenet_tcp_connect_innd_port(mailman_queue_t)

files_dontaudit_search_runtime(mailman_queue_t)
+files_read_usr_files(mailman_queue_t)
files_search_locks(mailman_queue_t)

miscfiles_read_localization(mailman_queue_t)
@@ -251,14 +319,24 @@ seutil_dontaudit_search_config(mailman_q

userdom_search_user_home_dirs(mailman_queue_t)

-cron_rw_tmp_files(mailman_queue_t)
-
optional_policy(`
apache_read_config(mailman_queue_t)
')

optional_policy(`
+ cron_rw_tmp_files(mailman_queue_t)
+ cron_search_spool(mailman_queue_t)
cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
+ cron_use_fds(mailman_queue_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(mailman_queue_t)
+ mysql_tcp_connect(mailman_queue_t)
+')
+
+optional_policy(`
+ postfix_read_config(mailman_queue_t)
')

optional_policy(`
Index: refpolicy-2.20220219/policy/modules/services/apache.te
===================================================================
--- refpolicy-2.20220219.orig/policy/modules/services/apache.te
+++ refpolicy-2.20220219/policy/modules/services/apache.te
@@ -815,8 +815,10 @@ optional_policy(`
')

optional_policy(`
+ mailman_stream_connect_cgi(httpd_t)
mailman_signal_cgi(httpd_t)
mailman_domtrans_cgi(httpd_t)
+ mailman_map_data_files(httpd_t)
mailman_read_data_files(httpd_t)
mailman_search_data(httpd_t)
mailman_read_archive(httpd_t)
Index: refpolicy-2.20220219/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20220219.orig/policy/modules/services/cron.te
+++ refpolicy-2.20220219/policy/modules/services/cron.te
@@ -604,6 +604,12 @@ optional_policy(`
')

optional_policy(`
+ mailman_domtrans_queue(system_cronjob_t)
+ # for flock
+ mailman_manage_runtime_files(system_cronjob_t)
+')
+
+optional_policy(`
mrtg_append_create_logs(system_cronjob_t)
mrtg_read_config(system_cronjob_t)
')
Index: refpolicy-2.20220219/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20220219.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20220219/policy/modules/system/systemd.te
@@ -1796,6 +1796,10 @@ optional_policy(`
')

optional_policy(`
+ mailman_manage_lockdir(systemd_tmpfiles_t)
+')
+
+optional_policy(`
xfs_create_tmp_dirs(systemd_tmpfiles_t)
')

Index: refpolicy-2.20220219/policy/modules/services/mailman.fc
===================================================================
--- refpolicy-2.20220219.orig/policy/modules/services/mailman.fc
+++ refpolicy-2.20220219/policy/modules/services/mailman.fc
@@ -20,6 +20,7 @@

/usr/lib/cgi-bin/mailman/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
/usr/lib/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/usr/lib/mailman3/bin/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
/usr/lib/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
/usr/lib/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
@@ -28,3 +29,4 @@
/usr/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)

/usr/share/doc/mailman/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/share/mailman3-web/manage.py -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)


2022-02-28 21:01:48

by Christopher J. PeBenito

[permalink] [raw]
Subject: Re: [PATCH] mailman3 V2.1

On 2/19/22 05:34, Russell Coker wrote:
> Same as the previous but also allow web server to map mailman data files.
>
> Signed-off-by: Russell Coker <[email protected]>
>
> Index: refpolicy-2.20220219/policy/modules/services/mailman.if
> ===================================================================
> --- refpolicy-2.20220219.orig/policy/modules/services/mailman.if
> +++ refpolicy-2.20220219/policy/modules/services/mailman.if
> @@ -109,6 +109,44 @@ interface(`mailman_domtrans_cgi',`
>
> #######################################
> ## <summary>
> +## Talk to mailman_cgi_t via Unix domain socket
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain talking to mailman
> +## </summary>
> +## </param>
> +#
> +interface(`mailman_stream_connect_cgi',`
> + gen_require(`
> + type mailman_cgi_t, mailman_runtime_t;
> + ')
> +
> + files_search_runtime($1)
> + stream_connect_pattern($1, mailman_runtime_t, mailman_runtime_t, mailman_cgi_t)
> +')
> +
> +#######################################
> +## <summary>
> +## Manage mailman runtime files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to manage the files
> +## </summary>
> +## </param>
> +#
> +interface(`mailman_manage_runtime_files',`
> + gen_require(`
> + type mailman_runtime_t;
> + ')
> +
> + files_search_runtime($1)
> + manage_files_pattern($1, mailman_runtime_t, mailman_runtime_t)
> +')
> +
> +#######################################
> +## <summary>
> ## Execute mailman in the caller domain.
> ## </summary>
> ## <param name="domain">
> @@ -186,6 +224,24 @@ interface(`mailman_read_data_files',`
>
> #######################################
> ## <summary>
> +## map mailman data content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`mailman_map_data_files',`
> + gen_require(`
> + type mailman_data_t;
> + ')
> +
> + allow $1 mailman_data_t:file map;
> +')
> +
> +#######################################
> +## <summary>
> ## Create, read, write, and delete
> ## mailman data files.
> ## </summary>
> @@ -342,3 +398,21 @@ interface(`mailman_domtrans_queue',`
> libs_search_lib($1)
> domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
> ')
> +
> +#######################################
> +## <summary>
> +## Manage mailman lock dir
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to manage it.
> +## </summary>
> +## </param>
> +#
> +interface(`mailman_manage_lockdir',`
> + gen_require(`
> + type mailman_lock_t;
> + ')
> +
> + allow $1 mailman_lock_t:dir manage_dir_perms;
> +')
> Index: refpolicy-2.20220219/policy/modules/services/mailman.te
> ===================================================================
> --- refpolicy-2.20220219.orig/policy/modules/services/mailman.te
> +++ refpolicy-2.20220219/policy/modules/services/mailman.te
> @@ -10,6 +10,7 @@ attribute mailman_domain;
> attribute_role mailman_roles;
>
> mailman_domain_template(cgi)
> +init_daemon_domain(mailman_cgi_t, mailman_cgi_exec_t)
>
> type mailman_data_t;
> files_type(mailman_data_t)
> @@ -26,11 +27,18 @@ files_lock_file(mailman_lock_t)
> type mailman_runtime_t alias mailman_var_run_t;
> files_runtime_file(mailman_runtime_t)
>
> +type mailman_cgi_tmpfs_t;
> +files_tmpfs_file(mailman_cgi_tmpfs_t)
> +
> +type mailman_queue_tmpfs_t;
> +files_tmpfs_file(mailman_queue_tmpfs_t)
> +
> mailman_domain_template(mail)
> init_daemon_domain(mailman_mail_t, mailman_mail_exec_t)
> role mailman_roles types mailman_mail_t;
>
> mailman_domain_template(queue)
> +init_daemon_domain(mailman_queue_t, mailman_queue_exec_t)
>
> ########################################
> #
> @@ -89,13 +97,16 @@ miscfiles_read_localization(mailman_doma
> # CGI local policy
> #
>
> -allow mailman_cgi_t self:unix_dgram_socket { create connect };
> +allow mailman_cgi_t self:process { signal signull sigkill };
> +allow mailman_cgi_t self:fifo_file rw_fifo_file_perms;
> +allow mailman_cgi_t self:capability { dac_override setgid setuid };
> +allow mailman_cgi_t self:unix_dgram_socket create_socket_perms;
>
> allow mailman_cgi_t mailman_archive_t:dir search_dir_perms;
> allow mailman_cgi_t mailman_archive_t:file read_file_perms;
>
> allow mailman_cgi_t mailman_data_t:dir rw_dir_perms;
> -allow mailman_cgi_t mailman_data_t:file manage_file_perms;
> +allow mailman_cgi_t mailman_data_t:file { map manage_file_perms };
> allow mailman_cgi_t mailman_data_t:lnk_file read_lnk_file_perms;
>
> allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms;
> @@ -104,11 +115,27 @@ allow mailman_cgi_t mailman_lock_t:file
> allow mailman_cgi_t mailman_log_t:file { append_file_perms read_file_perms };
> allow mailman_cgi_t mailman_log_t:dir search_dir_perms;
>
> +allow mailman_cgi_t mailman_runtime_t:dir rw_dir_perms;
> +allow mailman_cgi_t mailman_runtime_t:file read_file_perms;
> +allow mailman_cgi_t mailman_runtime_t:sock_file manage_file_perms;
> +
> +fs_tmpfs_filetrans(mailman_cgi_t, mailman_cgi_tmpfs_t, file)
> +allow mailman_cgi_t mailman_cgi_tmpfs_t:file { map manage_file_perms };
> +
> kernel_read_crypto_sysctls(mailman_cgi_t)
> +kernel_read_net_sysctls(mailman_cgi_t)
> kernel_read_system_state(mailman_cgi_t)
> +kernel_read_vm_overcommit_sysctl(mailman_cgi_t)
>
> +# need SELinuxContext=system_u:system_r:mailman_cgi_t:s0 in the systemd
> +# service file for the correct context on running /usr/bin/uwsgi for
> +# mailman3-web
> +corecmd_bin_entry_type(mailman_cgi_t)

Why can't the label be changed for uwsgi?


> corecmd_exec_bin(mailman_cgi_t)
>
> +corenet_tcp_bind_generic_node(mailman_cgi_t)
> +corenet_tcp_connect_all_unreserved_ports(mailman_cgi_t)
> +
> dev_read_urand(mailman_cgi_t)
>
> files_search_locks(mailman_cgi_t)
> @@ -120,9 +147,9 @@ libs_dontaudit_write_lib_dirs(mailman_cg
>
> logging_search_logs(mailman_cgi_t)
>
> +miscfiles_read_generic_certs(mailman_cgi_t)
> miscfiles_read_localization(mailman_cgi_t)
>
> -
> optional_policy(`
> apache_sigchld(mailman_cgi_t)
> apache_use_fds(mailman_cgi_t)
> @@ -133,6 +160,15 @@ optional_policy(`
> ')
>
> optional_policy(`
> + cron_rw_inherited_tmp_files(mailman_cgi_t)
> + cron_system_entry(mailman_cgi_t, mailman_cgi_exec_t)
> +')
> +
> +optional_policy(`
> + mysql_stream_connect(mailman_cgi_t)
> +')
> +
> +optional_policy(`
> postfix_read_config(mailman_cgi_t)
> ')
>
> @@ -142,7 +178,9 @@ optional_policy(`
> #
>
> allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config };
> -allow mailman_mail_t self:process { signal signull setsched };
> +allow mailman_mail_t self:process { execmem signal signull setsched };

Any idea why the execmem is hit?


> +allow mailman_mail_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
> +allow mailman_mail_t self:fifo_file rw_file_perms;
>
> allow mailman_mail_t mailman_archive_t:dir manage_dir_perms;
> allow mailman_mail_t mailman_archive_t:file manage_file_perms;
> @@ -167,8 +205,12 @@ manage_files_pattern(mailman_mail_t, mai
> manage_dirs_pattern(mailman_mail_t, mailman_runtime_t, mailman_runtime_t)
> files_runtime_filetrans(mailman_mail_t, mailman_runtime_t, { file dir })
>
> +kernel_read_network_state(mailman_mail_t)
> kernel_read_system_state(mailman_mail_t)
>
> +corenet_tcp_bind_all_unreserved_ports(mailman_mail_t)
> +corenet_tcp_bind_generic_node(mailman_mail_t)
> +corenet_tcp_connect_http_port(mailman_mail_t)
> corenet_tcp_connect_smtp_port(mailman_mail_t)
> corenet_sendrecv_spamd_client_packets(mailman_mail_t)
> corenet_sendrecv_innd_client_packets(mailman_mail_t)
> @@ -193,6 +235,7 @@ libs_read_lib_files(mailman_mail_t)
>
> logging_search_logs(mailman_mail_t)
>
> +miscfiles_read_generic_certs(mailman_mail_t)
> miscfiles_read_localization(mailman_mail_t)
>
> mta_use_mailserver_fds(mailman_mail_t)
> @@ -200,14 +243,26 @@ mta_dontaudit_rw_delivery_tcp_sockets(ma
> mta_dontaudit_rw_queue(mailman_mail_t)
>
> optional_policy(`
> + apache_search_config(mailman_mail_t)
> +')
> +
> +optional_policy(`
> courier_read_spool(mailman_mail_t)
> ')
>
> optional_policy(`
> cron_read_pipes(mailman_mail_t)
> + cron_rw_inherited_tmp_files(mailman_mail_t)
> + cron_search_spool(mailman_mail_t)
> + cron_system_entry(mailman_mail_t, mailman_mail_exec_t)
> +')
> +
> +optional_policy(`
> + corenet_tcp_connect_mysqld_port(mailman_mail_t)
> ')
>
> optional_policy(`
> + postfix_read_config(mailman_mail_t)
> postfix_search_spool(mailman_mail_t)
> postfix_rw_inherited_master_pipes(mailman_mail_t)
> ')
> @@ -217,15 +272,18 @@ optional_policy(`
> # Queue local policy
> #
>
> -allow mailman_queue_t self:capability { setgid setuid };
> +allow mailman_queue_t self:capability { dac_override setgid setuid };
> allow mailman_queue_t self:process { setsched signal_perms };
> allow mailman_queue_t self:fifo_file rw_fifo_file_perms;
>
> +allow mailman_queue_t mailman_runtime_t:dir rw_dir_perms;
> +allow mailman_queue_t mailman_runtime_t:file manage_file_perms;
> +
> allow mailman_queue_t mailman_archive_t:dir manage_dir_perms;
> allow mailman_queue_t mailman_archive_t:file manage_file_perms;
>
> allow mailman_queue_t mailman_data_t:dir rw_dir_perms;
> -allow mailman_queue_t mailman_data_t:file manage_file_perms;
> +allow mailman_queue_t mailman_data_t:file { map manage_file_perms };
> allow mailman_queue_t mailman_data_t:lnk_file read_lnk_file_perms;
>
> allow mailman_queue_t mailman_lock_t:dir rw_dir_perms;
> @@ -234,15 +292,25 @@ allow mailman_queue_t mailman_lock_t:fil
> allow mailman_queue_t mailman_log_t:dir list_dir_perms;
> allow mailman_queue_t mailman_log_t:file manage_file_perms;
>
> +fs_tmpfs_filetrans(mailman_queue_t, mailman_queue_tmpfs_t, file)
> +allow mailman_queue_t mailman_queue_tmpfs_t:file { map manage_file_perms };
> +
> +kernel_read_network_state(mailman_queue_t)
> kernel_read_system_state(mailman_queue_t)
> +kernel_search_vm_sysctl(mailman_queue_t)
>
> auth_domtrans_chk_passwd(mailman_queue_t)
>
> corecmd_read_bin_files(mailman_queue_t)
> corenet_sendrecv_innd_client_packets(mailman_queue_t)
> +corenet_tcp_bind_all_unreserved_ports(mailman_queue_t)
> +corenet_tcp_bind_generic_node(mailman_queue_t)
> +corenet_tcp_connect_generic_port(mailman_queue_t)
> +corenet_tcp_connect_http_port(mailman_queue_t)
> corenet_tcp_connect_innd_port(mailman_queue_t)
>
> files_dontaudit_search_runtime(mailman_queue_t)
> +files_read_usr_files(mailman_queue_t)
> files_search_locks(mailman_queue_t)
>
> miscfiles_read_localization(mailman_queue_t)
> @@ -251,14 +319,24 @@ seutil_dontaudit_search_config(mailman_q
>
> userdom_search_user_home_dirs(mailman_queue_t)
>
> -cron_rw_tmp_files(mailman_queue_t)
> -
> optional_policy(`
> apache_read_config(mailman_queue_t)
> ')
>
> optional_policy(`
> + cron_rw_tmp_files(mailman_queue_t)
> + cron_search_spool(mailman_queue_t)
> cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
> + cron_use_fds(mailman_queue_t)
> +')
> +
> +optional_policy(`
> + mysql_stream_connect(mailman_queue_t)
> + mysql_tcp_connect(mailman_queue_t)
> +')
> +
> +optional_policy(`
> + postfix_read_config(mailman_queue_t)
> ')
>
> optional_policy(`
> Index: refpolicy-2.20220219/policy/modules/services/apache.te
> ===================================================================
> --- refpolicy-2.20220219.orig/policy/modules/services/apache.te
> +++ refpolicy-2.20220219/policy/modules/services/apache.te
> @@ -815,8 +815,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + mailman_stream_connect_cgi(httpd_t)
> mailman_signal_cgi(httpd_t)
> mailman_domtrans_cgi(httpd_t)
> + mailman_map_data_files(httpd_t)
> mailman_read_data_files(httpd_t)
> mailman_search_data(httpd_t)
> mailman_read_archive(httpd_t)
> Index: refpolicy-2.20220219/policy/modules/services/cron.te
> ===================================================================
> --- refpolicy-2.20220219.orig/policy/modules/services/cron.te
> +++ refpolicy-2.20220219/policy/modules/services/cron.te
> @@ -604,6 +604,12 @@ optional_policy(`
> ')
>
> optional_policy(`
> + mailman_domtrans_queue(system_cronjob_t)
> + # for flock
> + mailman_manage_runtime_files(system_cronjob_t)
> +')
> +
> +optional_policy(`
> mrtg_append_create_logs(system_cronjob_t)
> mrtg_read_config(system_cronjob_t)
> ')
> Index: refpolicy-2.20220219/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20220219.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20220219/policy/modules/system/systemd.te
> @@ -1796,6 +1796,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + mailman_manage_lockdir(systemd_tmpfiles_t)

There should be a systemd_tmpfilesd_managed(mailman_lock_t) in mailman.te instead.


> +')
> +
> +optional_policy(`
> xfs_create_tmp_dirs(systemd_tmpfiles_t)
> ')
>
> Index: refpolicy-2.20220219/policy/modules/services/mailman.fc
> ===================================================================
> --- refpolicy-2.20220219.orig/policy/modules/services/mailman.fc
> +++ refpolicy-2.20220219/policy/modules/services/mailman.fc
> @@ -20,6 +20,7 @@
>
> /usr/lib/cgi-bin/mailman/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
> /usr/lib/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
> +/usr/lib/mailman3/bin/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
> /usr/lib/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
> /usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> /usr/lib/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> @@ -28,3 +29,4 @@
> /usr/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
>
> /usr/share/doc/mailman/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> +/usr/share/mailman3-web/manage.py -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)


--
Chris PeBenito

2022-03-09 04:57:47

by Russell Coker

[permalink] [raw]
Subject: Re: [PATCH] mailman3 V2.1

On Tuesday, 1 March 2022 08:01:02 AEDT Chris PeBenito wrote:
> > +# need SELinuxContext=system_u:system_r:mailman_cgi_t:s0 in the systemd
> > +# service file for the correct context on running /usr/bin/uwsgi for
> > +# mailman3-web
> > +corecmd_bin_entry_type(mailman_cgi_t)
>
> Why can't the label be changed for uwsgi?

Because uwsgi is a service program that may be used by many daemons.

> > allow mailman_mail_t self:capability { dac_override kill setgid setuid
> > sys_tty_config };>
> > -allow mailman_mail_t self:process { signal signull setsched };
> > +allow mailman_mail_t self:process { execmem signal signull setsched };
>
> Any idea why the execmem is hit?

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913544

Mailman is mostly Python and function pointers in Python needs execmem, this
is used by the openssl Python library among other things.

> > Index: refpolicy-2.20220219/policy/modules/system/systemd.te
> > ===================================================================
> > --- refpolicy-2.20220219.orig/policy/modules/system/systemd.te
> > +++ refpolicy-2.20220219/policy/modules/system/systemd.te
> > @@ -1796,6 +1796,10 @@ optional_policy(`
> >
> > ')
> >
> > optional_policy(`
> >
> > + mailman_manage_lockdir(systemd_tmpfiles_t)
>
> There should be a systemd_tmpfilesd_managed(mailman_lock_t) in mailman.te
> instead.

OK, I'll make a new version with that change.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/