2017-09-10 14:55:22

by Christian Göttsche

Subject: [refpolicy] [PATCH 1/2] milter: align filecontexts

---
milter.fc | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/milter.fc b/milter.fc
index 378d5e4..9310401 100644
--- a/milter.fc
+++ b/milter.fc
@@ -4,20 +4,20 @@
/usr/bin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)

/usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
-/usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
-/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
+/usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
+/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)

-/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
-/var/lib/sqlgrey(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
-/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
+/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/lib/sqlgrey(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)

-/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
-/run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
-/run/sqlgrey\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
-/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/run/sqlgrey\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0)

-/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
+/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
/var/spool/postfix/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
--
2.14.1


2017-09-10 14:55:23

by Christian Göttsche

Subject: [refpolicy] [PATCH 2/2] milter: update

- add initrc filecontext
- remove unnecessary permissions
---
milter.fc | 2 ++
milter.te | 16 ++++++----------
2 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/milter.fc b/milter.fc
index 9310401..42fe5e9 100644
--- a/milter.fc
+++ b/milter.fc
@@ -1,3 +1,5 @@
+/etc/rc\.d/init\.d/spamass-milter -- gen_context(system_u:object_r:spamass_milter_initrc_exec_t,s0)
+
/usr/bin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
/usr/bin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
/usr/bin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
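Review bot: The new `/etc/rc\.d/init\.d/spamass-milter` context introduces `spamass_milter_initrc_exec_t`, which the milter.te hunk below declares with `init_script_file()`, but the diffstat shows no milter.if change, so nothing in the module exposes that type to administrative roles. Refpolicy modules that add an initrc exec type normally pair it with an interface in the .if file wrapping `init_labeled_script_domtrans` for the type so that an admin role can run the script under a confined transition; without it the script is only reachable through the generic init-script paths, which may be intended but should be stated in the commit message. Only the spamass milter gets an initrc type here while greylist and regex do not; if that asymmetry is deliberate (the other two ship no init script), a one-line comment above the new file context would save the next reader the question.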
diff --git a/milter.te b/milter.te
index d0e9c1b..a908466 100644
--- a/milter.te
+++ b/milter.te
@@ -12,6 +12,9 @@ milter_template(greylist)
milter_template(regex)
milter_template(spamass)

+type spamass_milter_initrc_exec_t;
+init_script_file(spamass_milter_initrc_exec_t)
+
type spamass_milter_state_t;
files_type(spamass_milter_state_t)

@@ -23,8 +26,6 @@ files_type(spamass_milter_state_t)
allow milter_domains self:fifo_file rw_fifo_file_perms;
allow milter_domains self:tcp_socket { accept listen };

-kernel_dontaudit_read_system_state(milter_domains)
-
corenet_all_recvfrom_unlabeled(milter_domains)
corenet_all_recvfrom_netlabel(milter_domains)
corenet_tcp_sendrecv_generic_if(milter_domains)
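Review bot: Removing `kernel_dontaudit_read_system_state(milter_domains)` does not remove a permission: a dontaudit grants nothing, it only suppresses the AVC record when a milter probes /proc, so the effect of this hunk is that those denials are now logged rather than that any privilege is withdrawn. The commit message files it under "remove unnecessary permissions", which misdescribes the change; combined with the later hunk that also drops `kernel_read_system_state(spamass_milter_t)`, spamass_milter_t ends up with neither an allow nor a dontaudit for system-state reads, and any remaining /proc access will surface as audit noise. Either keep the dontaudit on `milter_domains` or say in the message that the denials are now expected to be visible so the change is reviewable on its own terms.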
@@ -44,7 +45,7 @@ logging_send_syslog_msg(milter_domains)
#

allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
-allow greylist_milter_t self:process { setsched getsched };
+allow greylist_milter_t self:process { getsched setsched };

files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)

@@ -93,20 +94,15 @@ mta_read_config(regex_milter_t)
# spamass local policy
#

-allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
allow spamass_milter_t self:process sigkill;
+allow spamass_milter_t self:unix_stream_socket { accept listen };

-kernel_read_system_state(spamass_milter_t)
-kernel_read_vm_overcommit_sysctl(spamass_milter_t)
+allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;

corecmd_exec_shell(spamass_milter_t)

-dev_read_sysfs(spamass_milter_t)
-
files_search_var_lib(spamass_milter_t)

-mta_send_mail(spamass_milter_t)
-
optional_policy(`
postfix_search_spool(spamass_milter_t)
')
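Review bot: The new `allow spamass_milter_t self:unix_stream_socket { accept listen };` is placed in the spamass-specific section, while the equivalent `tcp_socket { accept listen }` for every milter is granted on `milter_domains` in the shared block above; if milter-greylist and milter-regex can also accept connections on a local socket, the rule belongs next to that shared line as `allow milter_domains self:unix_stream_socket { accept listen };` rather than being duplicated per domain later. Accepting on a unix socket also presumes the daemon can create its socket file under its run directory; this hunk does not show whether sock_file management on `spamass_milter_data_t` is already granted elsewhere in the file, so that is worth confirming before relying on the new rule. The spamass local policy section continues past the end of this hunk.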
--
2.14.1

2017-09-11 23:06:27

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/2] milter: align filecontexts

On 09/10/2017 10:55 AM, Christian Göttsche via refpolicy wrote:
> ---
> milter.fc | 20 ++++++++++----------
> 1 file changed, 10 insertions(+), 10 deletions(-)
>
> diff --git a/milter.fc b/milter.fc
> index 378d5e4..9310401 100644
> --- a/milter.fc
> +++ b/milter.fc
> @@ -4,20 +4,20 @@
> /usr/bin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
>
> /usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
> -/usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
> -/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
> +/usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
> +/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
> /usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
>
> -/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
> -/var/lib/sqlgrey(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
> -/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
> +/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
> +/var/lib/sqlgrey(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
> +/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
>
> -/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
> +/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
> /run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
> -/run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
> -/run/sqlgrey\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
> -/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
> +/run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
> +/run/sqlgrey\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
> +/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
> /run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
>
> -/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
> +/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
> /var/spool/postfix/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)

Merged.

--
Chris PeBenito

2017-09-11 23:07:57

by Chris PeBenito

Subject: [refpolicy] [PATCH 2/2] milter: update

On 09/10/2017 10:55 AM, Christian Göttsche via refpolicy wrote:
> - add initrc filecontext
> - remove unnecessary permissions

While I'd like to remove permissions, how do you know they're not
needed? Did you test all the combinations and error paths?


> ---
> milter.fc | 2 ++
> milter.te | 16 ++++++----------
> 2 files changed, 8 insertions(+), 10 deletions(-)
>
> diff --git a/milter.fc b/milter.fc
> index 9310401..42fe5e9 100644
> --- a/milter.fc
> +++ b/milter.fc
> @@ -1,3 +1,5 @@
> +/etc/rc\.d/init\.d/spamass-milter -- gen_context(system_u:object_r:spamass_milter_initrc_exec_t,s0)
> +
> /usr/bin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
> /usr/bin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
> /usr/bin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
> diff --git a/milter.te b/milter.te
> index d0e9c1b..a908466 100644
> --- a/milter.te
> +++ b/milter.te
> @@ -12,6 +12,9 @@ milter_template(greylist)
> milter_template(regex)
> milter_template(spamass)
>
> +type spamass_milter_initrc_exec_t;
> +init_script_file(spamass_milter_initrc_exec_t)
> +
> type spamass_milter_state_t;
> files_type(spamass_milter_state_t)
>
> @@ -23,8 +26,6 @@ files_type(spamass_milter_state_t)
> allow milter_domains self:fifo_file rw_fifo_file_perms;
> allow milter_domains self:tcp_socket { accept listen };
>
> -kernel_dontaudit_read_system_state(milter_domains)
> -
> corenet_all_recvfrom_unlabeled(milter_domains)
> corenet_all_recvfrom_netlabel(milter_domains)
> corenet_tcp_sendrecv_generic_if(milter_domains)
> @@ -44,7 +45,7 @@ logging_send_syslog_msg(milter_domains)
> #
>
> allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
> -allow greylist_milter_t self:process { setsched getsched };
> +allow greylist_milter_t self:process { getsched setsched };
>
> files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
>
> @@ -93,20 +94,15 @@ mta_read_config(regex_milter_t)
> # spamass local policy
> #
>
> -allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
> allow spamass_milter_t self:process sigkill;
> +allow spamass_milter_t self:unix_stream_socket { accept listen };
>
> -kernel_read_system_state(spamass_milter_t)
> -kernel_read_vm_overcommit_sysctl(spamass_milter_t)
> +allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
>
> corecmd_exec_shell(spamass_milter_t)
>
> -dev_read_sysfs(spamass_milter_t)
> -
> files_search_var_lib(spamass_milter_t)
>
> -mta_send_mail(spamass_milter_t)
> -
> optional_policy(`
> postfix_search_spool(spamass_milter_t)
> ')
>


--
Chris PeBenito