- add filecontexts
- review admin interfaces
- enhance sa-update policy
v2:
- drop list -> search changes in admin interface
- use run instead of role interface for spamd_update
- drop runtime_t rename
- drop alias removal
---
spamassassin.fc | 8 ++++-
spamassassin.if | 43 +++++++++++++++++++++-----
spamassassin.te | 95 +++++++++++++++++++++++++++++++++++++++------------------
3 files changed, 109 insertions(+), 37 deletions(-)
diff --git a/spamassassin.fc b/spamassassin.fc
index 18fa75f..a8b3c01 100644
--- a/spamassassin.fc
+++ b/spamassassin.fc
@@ -1,6 +1,7 @@
HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0)
+/etc/rc\.d/init\.d/spamassassin -- gen_context(system_u:object_r:spamassassin_initrc_exec_t,s0)
/etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/spampd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
@@ -17,14 +18,19 @@ HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0)
/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
/usr/sbin/spampd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/lib/systemd/system/spamassassin\.service -- gen_context(system_u:object_r:spamassassin_unit_t,s0)
+
/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
/var/lib/spamassassin/compiled(/.*)? gen_context(system_u:object_r:spamd_compiled_t,s0)
/var/log/spamd\.log.* -- gen_context(system_u:object_r:spamd_log_t,s0)
/var/log/mimedefang.* -- gen_context(system_u:object_r:spamd_log_t,s0)
+/var/vmail/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
+
/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
-/run/spamassassin\.pid gen_context(system_u:object_r:spamd_var_run_t,s0)
+/run/spamassassin\.pid -- gen_context(system_u:object_r:spamd_var_run_t,s0)
+/run/spamd\.pid -- gen_context(system_u:object_r:spamd_var_run_t,s0)
/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
diff --git a/spamassassin.if b/spamassassin.if
index e915b5f..ddfff8c 100644
--- a/spamassassin.if
+++ b/spamassassin.if
@@ -27,8 +27,7 @@ interface(`spamassassin_role',`
domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
domtrans_pattern($2, spamc_exec_t, spamc_t)
- allow $2 { spamc_t spamassassin_t}:process { ptrace signal_perms };
- ps_process_pattern($2, { spamc_t spamassassin_t })
+ admin_process_pattern($2, { spamc_t spamassassin_t })
allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:file { manage_file_perms relabel_file_perms };
@@ -37,6 +36,33 @@ interface(`spamassassin_role',`
userdom_user_home_dir_filetrans($2, spamd_home_t, dir, ".spamd")
')
+########################################
+## <summary>
+## Execute sa-update in the spamd-update domain,
+## and allow the specified role
+## the spamd-update domain. Also allow transitive
+## access to the private gpg domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_run_update',`
+ gen_require(`
+ type spamd_gpg_t, spamd_update_exec_t, spamd_update_t;
+ ')
+
+ role 21 types { spamd_update_t spamd_gpg_t };
+ domtrans_pattern($1, spamd_update_exec_t, spamd_update_t)
+')
+
########################################
## <summary>
## Execute the standalone spamassassin
@@ -378,16 +404,16 @@ interface(`spamassassin_admin',`
gen_require(`
type spamd_t, spamd_tmp_t, spamd_log_t;
type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t;
- type spamd_initrc_exec_t;
+ type spamd_initrc_exec_t, spamassassin_unit_t;
+ type spamd_gpg_t, spamd_update_t;
')
- allow $1 spamd_t:process { ptrace signal_perms };
- ps_process_pattern($1, spamd_t)
+ admin_process_pattern($1, { spamd_t spamd_gpg_t spamd_update_t })
- init_startstop_service($1, $2, spamd_t, spamd_initrc_exec_t)
+ init_startstop_service($1, $2, spamd_t, spamd_initrc_exec_t, spamassassin_unit_t)
files_list_tmp($1)
- admin_pattern($1, spamd_tmp_t)
+ admin_pattern($1, { spamd_tmp_t spamd_update_tmp_t })
logging_list_logs($1)
admin_pattern($1, spamd_log_t)
@@ -403,4 +429,7 @@ interface(`spamassassin_admin',`
# This makes it impossible to apply _admin if _role has already been applied
#spamassassin_role($2, $1)
+
+ # sa-update
+ spamassassin_run_update($1, $2)
')
diff --git a/spamassassin.te b/spamassassin.te
index 72e781e..08c153d 100644
--- a/spamassassin.te
+++ b/spamassassin.te
@@ -25,6 +25,9 @@ type spamd_update_t;
type spamd_update_exec_t;
init_system_domain(spamd_update_t, spamd_update_exec_t)
+type spamd_update_tmp_t;
+files_tmp_file(spamd_update_tmp_t)
+
type spamassassin_t;
type spamassassin_exec_t;
typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
@@ -36,11 +39,17 @@ typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassi
typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
userdom_user_home_content(spamassassin_home_t)
+type spamassassin_initrc_exec_t;
+init_script_file(spamassassin_initrc_exec_t)
+
type spamassassin_tmp_t;
typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
userdom_user_tmp_file(spamassassin_tmp_t)
+type spamassassin_unit_t;
+init_unit_file(spamassassin_unit_t)
+
type spamc_t;
type spamc_exec_t;
typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
@@ -63,6 +72,9 @@ files_type(spamd_compiled_t)
type spamd_etc_t;
files_config_file(spamd_etc_t)
+type spamd_gpg_t;
+domain_type(spamd_gpg_t)
+
type spamd_home_t;
userdom_user_home_content(spamd_home_t)
@@ -119,7 +131,6 @@ files_read_etc_files(spamassassin_t)
files_read_etc_runtime_files(spamassassin_t)
files_list_home(spamassassin_t)
files_read_usr_files(spamassassin_t)
-files_dontaudit_search_var(spamassassin_t)
logging_send_syslog_msg(spamassassin_t)
@@ -216,7 +227,6 @@ fs_search_auto_mountpoints(spamc_t)
files_read_etc_runtime_files(spamc_t)
files_read_usr_files(spamc_t)
-files_dontaudit_search_var(spamc_t)
files_list_home(spamc_t)
files_list_var_lib(spamc_t)
@@ -276,8 +286,7 @@ optional_policy(`
# Daemon local policy
#
-allow spamd_t self:capability { dac_override kill setgid setuid sys_tty_config };
-dontaudit spamd_t self:capability sys_tty_config;
+allow spamd_t self:capability { dac_override kill setgid setuid };
allow spamd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow spamd_t self:fd use;
allow spamd_t self:fifo_file rw_fifo_file_perms;
@@ -328,6 +337,9 @@ can_exec(spamd_t, { spamd_exec_t spamd_compiled_t })
kernel_read_all_sysctls(spamd_t)
kernel_read_system_state(spamd_t)
+auth_dontaudit_read_shadow(spamd_t)
+auth_use_nsswitch(spamd_t)
+
corenet_all_recvfrom_unlabeled(spamd_t)
corenet_all_recvfrom_netlabel(spamd_t)
corenet_tcp_sendrecv_generic_if(spamd_t)
@@ -369,11 +381,6 @@ files_read_etc_runtime_files(spamd_t)
fs_getattr_all_fs(spamd_t)
fs_search_auto_mountpoints(spamd_t)
-auth_use_nsswitch(spamd_t)
-auth_dontaudit_read_shadow(spamd_t)
-
-init_dontaudit_rw_utmp(spamd_t)
-
libs_use_ld_so(spamd_t)
libs_use_shared_libs(spamd_t)
@@ -383,8 +390,6 @@ miscfiles_read_localization(spamd_t)
sysnet_use_ldap(spamd_t)
-userdom_use_unpriv_users_fds(spamd_t)
-
tunable_policy(`spamd_enable_home_dirs',`
userdom_manage_user_home_content_dirs(spamd_t)
userdom_manage_user_home_content_files(spamd_t)
@@ -439,6 +444,10 @@ optional_policy(`
milter_manage_spamass_state(spamd_t)
')
+optional_policy(`
+ mta_getattr_spool(spamd_t)
+')
+
optional_policy(`
mysql_stream_connect(spamd_t)
mysql_tcp_connect(spamd_t)
@@ -464,10 +473,6 @@ optional_policy(`
razor_manage_home_content(spamd_t)
')
-optional_policy(`
- seutil_sigchld_newrole(spamd_t)
-')
-
optional_policy(`
sendmail_stub(spamd_t)
mta_read_config(spamd_t)
@@ -483,13 +488,14 @@ optional_policy(`
# Update local policy
#
-allow spamd_update_t self:capability dac_override;
+allow spamd_update_t self:capability dac_read_search;
+allow spamd_update_t self:process signal;
allow spamd_update_t self:fifo_file manage_fifo_file_perms;
allow spamd_update_t self:unix_stream_socket create_stream_socket_perms;
-manage_dirs_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
-manage_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
-files_tmp_filetrans(spamd_update_t, spamd_tmp_t, { file dir })
+manage_dirs_pattern(spamd_update_t, spamd_update_tmp_t, spamd_update_tmp_t)
+manage_files_pattern(spamd_update_t, spamd_update_tmp_t, spamd_update_tmp_t)
+files_tmp_filetrans(spamd_update_t, spamd_update_tmp_t, { file dir })
manage_dirs_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
@@ -497,6 +503,9 @@ manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
kernel_read_system_state(spamd_update_t)
+auth_use_nsswitch(spamd_update_t)
+auth_dontaudit_read_shadow(spamd_update_t)
+
corenet_all_recvfrom_unlabeled(spamd_update_t)
corenet_all_recvfrom_netlabel(spamd_update_t)
corenet_tcp_sendrecv_generic_if(spamd_update_t)
@@ -510,29 +519,57 @@ corenet_tcp_sendrecv_http_port(spamd_update_t)
corecmd_exec_bin(spamd_update_t)
corecmd_exec_shell(spamd_update_t)
+corenet_tcp_bind_generic_node(spamd_update_t)
+corenet_udp_bind_generic_node(spamd_update_t)
+
dev_read_urand(spamd_update_t)
domain_use_interactive_fds(spamd_update_t)
files_read_usr_files(spamd_update_t)
-auth_use_nsswitch(spamd_update_t)
-auth_dontaudit_read_shadow(spamd_update_t)
+fs_getattr_xattr_fs(spamd_update_t)
miscfiles_read_localization(spamd_update_t)
-userdom_use_user_terminals(spamd_update_t)
+userdom_use_inherited_user_terminals(spamd_update_t)
+userdom_dontaudit_search_user_home_dirs(spamd_update_t)
+userdom_dontaudit_search_user_home_content(spamd_update_t)
optional_policy(`
cron_system_entry(spamd_update_t, spamd_update_exec_t)
')
-# probably want a solution same as httpd_use_gpg since this will
-# give spamd_update a path to users gpg keys
-# optional_policy(`
-# gpg_domtrans(spamd_update_t)
-# ')
-
optional_policy(`
- mta_read_config(spamd_update_t)
+ gpg_spec_domtrans(spamd_update_t, spamd_gpg_t)
+ gpg_entry_type(spamd_gpg_t)
+ role system_r types spamd_gpg_t;
+
+ allow spamd_gpg_t self:capability { dac_override dac_read_search };
+ allow spamd_gpg_t self:unix_stream_socket { connect create };
+
+ allow spamd_gpg_t spamd_update_t:fd use;
+ allow spamd_gpg_t spamd_update_t:process sigchld;
+ allow spamd_gpg_t spamd_update_t:fifo_file { getattr write };
+ allow spamd_gpg_t spamd_var_lib_t:dir search_dir_perms;
+ allow spamd_gpg_t spamd_var_lib_t:file rw_file_perms;
+ allow spamd_gpg_t spamd_update_tmp_t:file read_file_perms;
+
+ # fips
+ kernel_search_crypto_sysctls(spamd_gpg_t)
+
+ domain_use_interactive_fds(spamd_gpg_t)
+
+ files_read_etc_files(spamd_gpg_t)
+ files_read_usr_files(spamd_gpg_t)
+ files_search_var_lib(spamd_gpg_t)
+ files_search_pids(spamd_gpg_t)
+ files_search_tmp(spamd_gpg_t)
+
+ init_use_fds(spamd_gpg_t)
+ init_rw_inherited_stream_socket(spamd_gpg_t)
+
+ miscfiles_read_localization(spamd_gpg_t)
+
+ userdom_use_inherited_user_terminals(spamd_gpg_t)
')
--
2.14.1
On 09/12/2017 05:48 AM, Christian G?ttsche via refpolicy wrote:
> - add filecontexts
> - review admin interfaces
> - enhance sa-update policy
>
> v2:
>
> - drop list -> search changes in admin interface
> - use run instead of role interface for spamd_update
> - drop runtime_t rename
> - drop alias removal
> ---
> spamassassin.fc | 8 ++++-
> spamassassin.if | 43 +++++++++++++++++++++-----
> spamassassin.te | 95 +++++++++++++++++++++++++++++++++++++++------------------
> 3 files changed, 109 insertions(+), 37 deletions(-)
>
> diff --git a/spamassassin.fc b/spamassassin.fc
> index 18fa75f..a8b3c01 100644
> --- a/spamassassin.fc
> +++ b/spamassassin.fc
> @@ -1,6 +1,7 @@
> HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
> HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0)
>
> +/etc/rc\.d/init\.d/spamassassin -- gen_context(system_u:object_r:spamassassin_initrc_exec_t,s0)
> /etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
> /etc/rc\.d/init\.d/spampd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
> /etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
> @@ -17,14 +18,19 @@ HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0)
> /usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
> /usr/sbin/spampd -- gen_context(system_u:object_r:spamd_exec_t,s0)
>
> +/usr/lib/systemd/system/spamassassin\.service -- gen_context(system_u:object_r:spamassassin_unit_t,s0)
> +
> /var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
> /var/lib/spamassassin/compiled(/.*)? gen_context(system_u:object_r:spamd_compiled_t,s0)
>
> /var/log/spamd\.log.* -- gen_context(system_u:object_r:spamd_log_t,s0)
> /var/log/mimedefang.* -- gen_context(system_u:object_r:spamd_log_t,s0)
>
> +/var/vmail/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
> +
> /run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
> -/run/spamassassin\.pid gen_context(system_u:object_r:spamd_var_run_t,s0)
> +/run/spamassassin\.pid -- gen_context(system_u:object_r:spamd_var_run_t,s0)
> +/run/spamd\.pid -- gen_context(system_u:object_r:spamd_var_run_t,s0)
>
> /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
> /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
> diff --git a/spamassassin.if b/spamassassin.if
> index e915b5f..ddfff8c 100644
> --- a/spamassassin.if
> +++ b/spamassassin.if
> @@ -27,8 +27,7 @@ interface(`spamassassin_role',`
> domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
> domtrans_pattern($2, spamc_exec_t, spamc_t)
>
> - allow $2 { spamc_t spamassassin_t}:process { ptrace signal_perms };
> - ps_process_pattern($2, { spamc_t spamassassin_t })
> + admin_process_pattern($2, { spamc_t spamassassin_t })
>
> allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
> allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:file { manage_file_perms relabel_file_perms };
> @@ -37,6 +36,33 @@ interface(`spamassassin_role',`
> userdom_user_home_dir_filetrans($2, spamd_home_t, dir, ".spamd")
> ')
>
> +########################################
> +## <summary>
> +## Execute sa-update in the spamd-update domain,
> +## and allow the specified role
> +## the spamd-update domain. Also allow transitive
> +## access to the private gpg domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`spamassassin_run_update',`
> + gen_require(`
> + type spamd_gpg_t, spamd_update_exec_t, spamd_update_t;
> + ')
> +
> + role 21 types { spamd_update_t spamd_gpg_t };
A patch issue here.
> + domtrans_pattern($1, spamd_update_exec_t, spamd_update_t)
> +')
> +
> ########################################
> ## <summary>
> ## Execute the standalone spamassassin
> @@ -378,16 +404,16 @@ interface(`spamassassin_admin',`
> gen_require(`
> type spamd_t, spamd_tmp_t, spamd_log_t;
> type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t;
> - type spamd_initrc_exec_t;
> + type spamd_initrc_exec_t, spamassassin_unit_t;
> + type spamd_gpg_t, spamd_update_t;
> ')
>
> - allow $1 spamd_t:process { ptrace signal_perms };
> - ps_process_pattern($1, spamd_t)
> + admin_process_pattern($1, { spamd_t spamd_gpg_t spamd_update_t })
>
> - init_startstop_service($1, $2, spamd_t, spamd_initrc_exec_t)
> + init_startstop_service($1, $2, spamd_t, spamd_initrc_exec_t, spamassassin_unit_t)
>
> files_list_tmp($1)
> - admin_pattern($1, spamd_tmp_t)
> + admin_pattern($1, { spamd_tmp_t spamd_update_tmp_t })
>
> logging_list_logs($1)
> admin_pattern($1, spamd_log_t)
> @@ -403,4 +429,7 @@ interface(`spamassassin_admin',`
>
> # This makes it impossible to apply _admin if _role has already been applied
> #spamassassin_role($2, $1)
> +
> + # sa-update
> + spamassassin_run_update($1, $2)
> ')
> diff --git a/spamassassin.te b/spamassassin.te
> index 72e781e..08c153d 100644
> --- a/spamassassin.te
> +++ b/spamassassin.te
> @@ -25,6 +25,9 @@ type spamd_update_t;
> type spamd_update_exec_t;
> init_system_domain(spamd_update_t, spamd_update_exec_t)
>
> +type spamd_update_tmp_t;
> +files_tmp_file(spamd_update_tmp_t)
> +
> type spamassassin_t;
> type spamassassin_exec_t;
> typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
> @@ -36,11 +39,17 @@ typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassi
> typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
> userdom_user_home_content(spamassassin_home_t)
>
> +type spamassassin_initrc_exec_t;
> +init_script_file(spamassassin_initrc_exec_t)
> +
> type spamassassin_tmp_t;
> typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
> typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
> userdom_user_tmp_file(spamassassin_tmp_t)
>
> +type spamassassin_unit_t;
> +init_unit_file(spamassassin_unit_t)
> +
> type spamc_t;
> type spamc_exec_t;
> typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
> @@ -63,6 +72,9 @@ files_type(spamd_compiled_t)
> type spamd_etc_t;
> files_config_file(spamd_etc_t)
>
> +type spamd_gpg_t;
> +domain_type(spamd_gpg_t)
> +
> type spamd_home_t;
> userdom_user_home_content(spamd_home_t)
>
> @@ -119,7 +131,6 @@ files_read_etc_files(spamassassin_t)
> files_read_etc_runtime_files(spamassassin_t)
> files_list_home(spamassassin_t)
> files_read_usr_files(spamassassin_t)
> -files_dontaudit_search_var(spamassassin_t)
>
> logging_send_syslog_msg(spamassassin_t)
>
> @@ -216,7 +227,6 @@ fs_search_auto_mountpoints(spamc_t)
>
> files_read_etc_runtime_files(spamc_t)
> files_read_usr_files(spamc_t)
> -files_dontaudit_search_var(spamc_t)
> files_list_home(spamc_t)
> files_list_var_lib(spamc_t)
>
> @@ -276,8 +286,7 @@ optional_policy(`
> # Daemon local policy
> #
>
> -allow spamd_t self:capability { dac_override kill setgid setuid sys_tty_config };
> -dontaudit spamd_t self:capability sys_tty_config;
> +allow spamd_t self:capability { dac_override kill setgid setuid };
> allow spamd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
> allow spamd_t self:fd use;
> allow spamd_t self:fifo_file rw_fifo_file_perms;
> @@ -328,6 +337,9 @@ can_exec(spamd_t, { spamd_exec_t spamd_compiled_t })
> kernel_read_all_sysctls(spamd_t)
> kernel_read_system_state(spamd_t)
>
> +auth_dontaudit_read_shadow(spamd_t)
> +auth_use_nsswitch(spamd_t)
These lines were in the correct location below.
> corenet_all_recvfrom_unlabeled(spamd_t)
> corenet_all_recvfrom_netlabel(spamd_t)
> corenet_tcp_sendrecv_generic_if(spamd_t)
> @@ -369,11 +381,6 @@ files_read_etc_runtime_files(spamd_t)
> fs_getattr_all_fs(spamd_t)
> fs_search_auto_mountpoints(spamd_t)
>
> -auth_use_nsswitch(spamd_t)
> -auth_dontaudit_read_shadow(spamd_t)
> -
> -init_dontaudit_rw_utmp(spamd_t)
> -
> libs_use_ld_so(spamd_t)
> libs_use_shared_libs(spamd_t)
>
> @@ -383,8 +390,6 @@ miscfiles_read_localization(spamd_t)
>
> sysnet_use_ldap(spamd_t)
>
> -userdom_use_unpriv_users_fds(spamd_t)
> -
> tunable_policy(`spamd_enable_home_dirs',`
> userdom_manage_user_home_content_dirs(spamd_t)
> userdom_manage_user_home_content_files(spamd_t)
> @@ -439,6 +444,10 @@ optional_policy(`
> milter_manage_spamass_state(spamd_t)
> ')
>
> +optional_policy(`
> + mta_getattr_spool(spamd_t)
> +')
> +
> optional_policy(`
> mysql_stream_connect(spamd_t)
> mysql_tcp_connect(spamd_t)
> @@ -464,10 +473,6 @@ optional_policy(`
> razor_manage_home_content(spamd_t)
> ')
>
> -optional_policy(`
> - seutil_sigchld_newrole(spamd_t)
> -')
> -
> optional_policy(`
> sendmail_stub(spamd_t)
> mta_read_config(spamd_t)
> @@ -483,13 +488,14 @@ optional_policy(`
> # Update local policy
> #
>
> -allow spamd_update_t self:capability dac_override;
> +allow spamd_update_t self:capability dac_read_search;
> +allow spamd_update_t self:process signal;
> allow spamd_update_t self:fifo_file manage_fifo_file_perms;
> allow spamd_update_t self:unix_stream_socket create_stream_socket_perms;
>
> -manage_dirs_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
> -manage_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
> -files_tmp_filetrans(spamd_update_t, spamd_tmp_t, { file dir })
> +manage_dirs_pattern(spamd_update_t, spamd_update_tmp_t, spamd_update_tmp_t)
> +manage_files_pattern(spamd_update_t, spamd_update_tmp_t, spamd_update_tmp_t)
> +files_tmp_filetrans(spamd_update_t, spamd_update_tmp_t, { file dir })
>
> manage_dirs_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
> manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
> @@ -497,6 +503,9 @@ manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
>
> kernel_read_system_state(spamd_update_t)
>
> +auth_use_nsswitch(spamd_update_t)
> +auth_dontaudit_read_shadow(spamd_update_t)
These lines were in the correct place.
> corenet_all_recvfrom_unlabeled(spamd_update_t)
> corenet_all_recvfrom_netlabel(spamd_update_t)
> corenet_tcp_sendrecv_generic_if(spamd_update_t)
> @@ -510,29 +519,57 @@ corenet_tcp_sendrecv_http_port(spamd_update_t)
> corecmd_exec_bin(spamd_update_t)
> corecmd_exec_shell(spamd_update_t)
>
> +corenet_tcp_bind_generic_node(spamd_update_t)
> +corenet_udp_bind_generic_node(spamd_update_t)
> +
> dev_read_urand(spamd_update_t)
>
> domain_use_interactive_fds(spamd_update_t)
>
> files_read_usr_files(spamd_update_t)
>
> -auth_use_nsswitch(spamd_update_t)
> -auth_dontaudit_read_shadow(spamd_update_t)
> +fs_getattr_xattr_fs(spamd_update_t)
>
> miscfiles_read_localization(spamd_update_t)
>
> -userdom_use_user_terminals(spamd_update_t)
> +userdom_use_inherited_user_terminals(spamd_update_t)
> +userdom_dontaudit_search_user_home_dirs(spamd_update_t)
> +userdom_dontaudit_search_user_home_content(spamd_update_t)
>
> optional_policy(`
> cron_system_entry(spamd_update_t, spamd_update_exec_t)
> ')
>
> -# probably want a solution same as httpd_use_gpg since this will
> -# give spamd_update a path to users gpg keys
> -# optional_policy(`
> -# gpg_domtrans(spamd_update_t)
> -# ')
> -
> optional_policy(`
> - mta_read_config(spamd_update_t)
> + gpg_spec_domtrans(spamd_update_t, spamd_gpg_t)
> + gpg_entry_type(spamd_gpg_t)
> + role system_r types spamd_gpg_t;
> +
> + allow spamd_gpg_t self:capability { dac_override dac_read_search };
> + allow spamd_gpg_t self:unix_stream_socket { connect create };
> +
> + allow spamd_gpg_t spamd_update_t:fd use;
> + allow spamd_gpg_t spamd_update_t:process sigchld;
> + allow spamd_gpg_t spamd_update_t:fifo_file { getattr write };
> + allow spamd_gpg_t spamd_var_lib_t:dir search_dir_perms;
> + allow spamd_gpg_t spamd_var_lib_t:file rw_file_perms;
> + allow spamd_gpg_t spamd_update_tmp_t:file read_file_perms;
> +
> + # fips
> + kernel_search_crypto_sysctls(spamd_gpg_t)
> +
> + domain_use_interactive_fds(spamd_gpg_t)
> +
> + files_read_etc_files(spamd_gpg_t)
> + files_read_usr_files(spamd_gpg_t)
> + files_search_var_lib(spamd_gpg_t)
> + files_search_pids(spamd_gpg_t)
> + files_search_tmp(spamd_gpg_t)
> +
> + init_use_fds(spamd_gpg_t)
> + init_rw_inherited_stream_socket(spamd_gpg_t)
> +
> + miscfiles_read_localization(spamd_gpg_t)
> +
> + userdom_use_inherited_user_terminals(spamd_gpg_t)
> ')
>
--
Chris PeBenito
2017-09-13 1:48 GMT+02:00 Chris PeBenito <[email protected]>:
> On 09/12/2017 05:48 AM, Christian G?ttsche via refpolicy wrote:
>>
>> - add filecontexts
>> - review admin interfaces
>> - enhance sa-update policy
>>
>> v2:
>>
>> - drop list -> search changes in admin interface
>> - use run instead of role interface for spamd_update
>> - drop runtime_t rename
>> - drop alias removal
>> ---
>> spamassassin.fc | 8 ++++-
>> spamassassin.if | 43 +++++++++++++++++++++-----
>> spamassassin.te | 95
>> +++++++++++++++++++++++++++++++++++++++------------------
>> 3 files changed, 109 insertions(+), 37 deletions(-)
>>
>> diff --git a/spamassassin.fc b/spamassassin.fc
>> index 18fa75f..a8b3c01 100644
>> --- a/spamassassin.fc
>> +++ b/spamassassin.fc
>> @@ -1,6 +1,7 @@
>> HOME_DIR/\.spamassassin(/.*)?
>> gen_context(system_u:object_r:spamassassin_home_t,s0)
>> HOME_DIR/\.spamd(/.*)?
>> gen_context(system_u:object_r:spamd_home_t,s0)
>> +/etc/rc\.d/init\.d/spamassassin --
>> gen_context(system_u:object_r:spamassassin_initrc_exec_t,s0)
>> /etc/rc\.d/init\.d/spamd --
>> gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
>> /etc/rc\.d/init\.d/spampd --
>> gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
>> /etc/rc\.d/init\.d/mimedefang.* --
>> gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
>> @@ -17,14 +18,19 @@ HOME_DIR/\.spamd(/.*)?
>> gen_context(system_u:object_r:spamd_home_t,s0)
>> /usr/sbin/spamd --
>> gen_context(system_u:object_r:spamd_exec_t,s0)
>> /usr/sbin/spampd --
>> gen_context(system_u:object_r:spamd_exec_t,s0)
>> +/usr/lib/systemd/system/spamassassin\.service --
>> gen_context(system_u:object_r:spamassassin_unit_t,s0)
>> +
>> /var/lib/spamassassin(/.*)?
>> gen_context(system_u:object_r:spamd_var_lib_t,s0)
>> /var/lib/spamassassin/compiled(/.*)?
>> gen_context(system_u:object_r:spamd_compiled_t,s0)
>> /var/log/spamd\.log.* --
>> gen_context(system_u:object_r:spamd_log_t,s0)
>> /var/log/mimedefang.* --
>> gen_context(system_u:object_r:spamd_log_t,s0)
>> +/var/vmail/\.spamassassin(/.*)?
>> gen_context(system_u:object_r:spamassassin_home_t,s0)
>> +
>> /run/spamassassin(/.*)?
>> gen_context(system_u:object_r:spamd_var_run_t,s0)
>> -/run/spamassassin\.pid
>> gen_context(system_u:object_r:spamd_var_run_t,s0)
>> +/run/spamassassin\.pid --
>> gen_context(system_u:object_r:spamd_var_run_t,s0)
>> +/run/spamd\.pid --
>> gen_context(system_u:object_r:spamd_var_run_t,s0)
>> /var/spool/spamassassin(/.*)?
>> gen_context(system_u:object_r:spamd_spool_t,s0)
>> /var/spool/spamd(/.*)?
>> gen_context(system_u:object_r:spamd_spool_t,s0)
>> diff --git a/spamassassin.if b/spamassassin.if
>> index e915b5f..ddfff8c 100644
>> --- a/spamassassin.if
>> +++ b/spamassassin.if
>> @@ -27,8 +27,7 @@ interface(`spamassassin_role',`
>> domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
>> domtrans_pattern($2, spamc_exec_t, spamc_t)
>> - allow $2 { spamc_t spamassassin_t}:process { ptrace signal_perms
>> };
>> - ps_process_pattern($2, { spamc_t spamassassin_t })
>> + admin_process_pattern($2, { spamc_t spamassassin_t })
>> allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t
>> spamassassin_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
>> allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t
>> spamassassin_tmp_t }:file { manage_file_perms relabel_file_perms };
>> @@ -37,6 +36,33 @@ interface(`spamassassin_role',`
>> userdom_user_home_dir_filetrans($2, spamd_home_t, dir, ".spamd")
>> ')
>> +########################################
>> +## <summary>
>> +## Execute sa-update in the spamd-update domain,
>> +## and allow the specified role
>> +## the spamd-update domain. Also allow transitive
>> +## access to the private gpg domain.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed to transition.
>> +## </summary>
>> +## </param>
>> +## <param name="role">
>> +## <summary>
>> +## Role allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`spamassassin_run_update',`
>> + gen_require(`
>> + type spamd_gpg_t, spamd_update_exec_t, spamd_update_t;
>> + ')
>> +
>> + role 21 types { spamd_update_t spamd_gpg_t };
>
>
> A patch issue here.
>
>
>
>> + domtrans_pattern($1, spamd_update_exec_t, spamd_update_t)
>> +')
>> +
>> ########################################
>> ## <summary>
>> ## Execute the standalone spamassassin
>> @@ -378,16 +404,16 @@ interface(`spamassassin_admin',`
>> gen_require(`
>> type spamd_t, spamd_tmp_t, spamd_log_t;
>> type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t;
>> - type spamd_initrc_exec_t;
>> + type spamd_initrc_exec_t, spamassassin_unit_t;
>> + type spamd_gpg_t, spamd_update_t;
>> ')
>> - allow $1 spamd_t:process { ptrace signal_perms };
>> - ps_process_pattern($1, spamd_t)
>> + admin_process_pattern($1, { spamd_t spamd_gpg_t spamd_update_t })
>> - init_startstop_service($1, $2, spamd_t, spamd_initrc_exec_t)
>> + init_startstop_service($1, $2, spamd_t, spamd_initrc_exec_t,
>> spamassassin_unit_t)
>> files_list_tmp($1)
>> - admin_pattern($1, spamd_tmp_t)
>> + admin_pattern($1, { spamd_tmp_t spamd_update_tmp_t })
>> logging_list_logs($1)
>> admin_pattern($1, spamd_log_t)
>> @@ -403,4 +429,7 @@ interface(`spamassassin_admin',`
>> # This makes it impossible to apply _admin if _role has already
>> been applied
>> #spamassassin_role($2, $1)
>> +
>> + # sa-update
>> + spamassassin_run_update($1, $2)
>> ')
>> diff --git a/spamassassin.te b/spamassassin.te
>> index 72e781e..08c153d 100644
>> --- a/spamassassin.te
>> +++ b/spamassassin.te
>> @@ -25,6 +25,9 @@ type spamd_update_t;
>> type spamd_update_exec_t;
>> init_system_domain(spamd_update_t, spamd_update_exec_t)
>> +type spamd_update_tmp_t;
>> +files_tmp_file(spamd_update_tmp_t)
>> +
>> type spamassassin_t;
>> type spamassassin_exec_t;
>> typealias spamassassin_t alias { user_spamassassin_t
>> staff_spamassassin_t sysadm_spamassassin_t };
>> @@ -36,11 +39,17 @@ typealias spamassassin_home_t alias {
>> user_spamassassin_home_t staff_spamassassi
>> typealias spamassassin_home_t alias { auditadm_spamassassin_home_t
>> secadm_spamassassin_home_t };
>> userdom_user_home_content(spamassassin_home_t)
>> +type spamassassin_initrc_exec_t;
>> +init_script_file(spamassassin_initrc_exec_t)
>> +
>> type spamassassin_tmp_t;
>> typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t
>> staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
>> typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t
>> secadm_spamassassin_tmp_t };
>> userdom_user_tmp_file(spamassassin_tmp_t)
>> +type spamassassin_unit_t;
>> +init_unit_file(spamassassin_unit_t)
>> +
>> type spamc_t;
>> type spamc_exec_t;
>> typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
>> @@ -63,6 +72,9 @@ files_type(spamd_compiled_t)
>> type spamd_etc_t;
>> files_config_file(spamd_etc_t)
>> +type spamd_gpg_t;
>> +domain_type(spamd_gpg_t)
>> +
>> type spamd_home_t;
>> userdom_user_home_content(spamd_home_t)
>> @@ -119,7 +131,6 @@ files_read_etc_files(spamassassin_t)
>> files_read_etc_runtime_files(spamassassin_t)
>> files_list_home(spamassassin_t)
>> files_read_usr_files(spamassassin_t)
>> -files_dontaudit_search_var(spamassassin_t)
>> logging_send_syslog_msg(spamassassin_t)
>> @@ -216,7 +227,6 @@ fs_search_auto_mountpoints(spamc_t)
>> files_read_etc_runtime_files(spamc_t)
>> files_read_usr_files(spamc_t)
>> -files_dontaudit_search_var(spamc_t)
>> files_list_home(spamc_t)
>> files_list_var_lib(spamc_t)
>> @@ -276,8 +286,7 @@ optional_policy(`
>> # Daemon local policy
>> #
>> -allow spamd_t self:capability { dac_override kill setgid setuid
>> sys_tty_config };
>> -dontaudit spamd_t self:capability sys_tty_config;
>> +allow spamd_t self:capability { dac_override kill setgid setuid };
>> allow spamd_t self:process { transition signal_perms getsched setsched
>> getsession getpgid setpgid getcap setcap share getattr noatsecure siginh
>> rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
>> allow spamd_t self:fd use;
>> allow spamd_t self:fifo_file rw_fifo_file_perms;
>> @@ -328,6 +337,9 @@ can_exec(spamd_t, { spamd_exec_t spamd_compiled_t })
>> kernel_read_all_sysctls(spamd_t)
>> kernel_read_system_state(spamd_t)
>> +auth_dontaudit_read_shadow(spamd_t)
>> +auth_use_nsswitch(spamd_t)
>
>
> These lines were in the correct location below.
Can you please specify in the style guard in the "Local policy rules"
section, what "kernel layer modules" are?
kernel_, corenet_, dev_ ...
>
>
>> corenet_all_recvfrom_unlabeled(spamd_t)
>> corenet_all_recvfrom_netlabel(spamd_t)
>> corenet_tcp_sendrecv_generic_if(spamd_t)
>> @@ -369,11 +381,6 @@ files_read_etc_runtime_files(spamd_t)
>> fs_getattr_all_fs(spamd_t)
>> fs_search_auto_mountpoints(spamd_t)
>> -auth_use_nsswitch(spamd_t)
>> -auth_dontaudit_read_shadow(spamd_t)
>> -
>> -init_dontaudit_rw_utmp(spamd_t)
>> -
>> libs_use_ld_so(spamd_t)
>> libs_use_shared_libs(spamd_t)
>> @@ -383,8 +390,6 @@ miscfiles_read_localization(spamd_t)
>> sysnet_use_ldap(spamd_t)
>> -userdom_use_unpriv_users_fds(spamd_t)
>> -
>> tunable_policy(`spamd_enable_home_dirs',`
>> userdom_manage_user_home_content_dirs(spamd_t)
>> userdom_manage_user_home_content_files(spamd_t)
>> @@ -439,6 +444,10 @@ optional_policy(`
>> milter_manage_spamass_state(spamd_t)
>> ')
>> +optional_policy(`
>> + mta_getattr_spool(spamd_t)
>> +')
>> +
>> optional_policy(`
>> mysql_stream_connect(spamd_t)
>> mysql_tcp_connect(spamd_t)
>> @@ -464,10 +473,6 @@ optional_policy(`
>> razor_manage_home_content(spamd_t)
>> ')
>> -optional_policy(`
>> - seutil_sigchld_newrole(spamd_t)
>> -')
>> -
>> optional_policy(`
>> sendmail_stub(spamd_t)
>> mta_read_config(spamd_t)
>> @@ -483,13 +488,14 @@ optional_policy(`
>> # Update local policy
>> #
>> -allow spamd_update_t self:capability dac_override;
>> +allow spamd_update_t self:capability dac_read_search;
>> +allow spamd_update_t self:process signal;
>> allow spamd_update_t self:fifo_file manage_fifo_file_perms;
>> allow spamd_update_t self:unix_stream_socket create_stream_socket_perms;
>> -manage_dirs_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
>> -manage_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
>> -files_tmp_filetrans(spamd_update_t, spamd_tmp_t, { file dir })
>> +manage_dirs_pattern(spamd_update_t, spamd_update_tmp_t,
>> spamd_update_tmp_t)
>> +manage_files_pattern(spamd_update_t, spamd_update_tmp_t,
>> spamd_update_tmp_t)
>> +files_tmp_filetrans(spamd_update_t, spamd_update_tmp_t, { file dir })
>> manage_dirs_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
>> manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
>> @@ -497,6 +503,9 @@ manage_lnk_files_pattern(spamd_update_t,
>> spamd_var_lib_t, spamd_var_lib_t)
>> kernel_read_system_state(spamd_update_t)
>> +auth_use_nsswitch(spamd_update_t)
>> +auth_dontaudit_read_shadow(spamd_update_t)
>
>
> These lines were in the correct place.
>
>
>> corenet_all_recvfrom_unlabeled(spamd_update_t)
>> corenet_all_recvfrom_netlabel(spamd_update_t)
>> corenet_tcp_sendrecv_generic_if(spamd_update_t)
>> @@ -510,29 +519,57 @@ corenet_tcp_sendrecv_http_port(spamd_update_t)
>> corecmd_exec_bin(spamd_update_t)
>> corecmd_exec_shell(spamd_update_t)
>> +corenet_tcp_bind_generic_node(spamd_update_t)
>> +corenet_udp_bind_generic_node(spamd_update_t)
>> +
>> dev_read_urand(spamd_update_t)
>> domain_use_interactive_fds(spamd_update_t)
>> files_read_usr_files(spamd_update_t)
>> -auth_use_nsswitch(spamd_update_t)
>> -auth_dontaudit_read_shadow(spamd_update_t)
>> +fs_getattr_xattr_fs(spamd_update_t)
>> miscfiles_read_localization(spamd_update_t)
>> -userdom_use_user_terminals(spamd_update_t)
>> +userdom_use_inherited_user_terminals(spamd_update_t)
>> +userdom_dontaudit_search_user_home_dirs(spamd_update_t)
>> +userdom_dontaudit_search_user_home_content(spamd_update_t)
>> optional_policy(`
>> cron_system_entry(spamd_update_t, spamd_update_exec_t)
>> ')
>> -# probably want a solution same as httpd_use_gpg since this will
>> -# give spamd_update a path to users gpg keys
>> -# optional_policy(`
>> -# gpg_domtrans(spamd_update_t)
>> -# ')
>> -
>> optional_policy(`
>> - mta_read_config(spamd_update_t)
>> + gpg_spec_domtrans(spamd_update_t, spamd_gpg_t)
>> + gpg_entry_type(spamd_gpg_t)
>> + role system_r types spamd_gpg_t;
>> +
>> + allow spamd_gpg_t self:capability { dac_override dac_read_search
>> };
>> + allow spamd_gpg_t self:unix_stream_socket { connect create };
>> +
>> + allow spamd_gpg_t spamd_update_t:fd use;
>> + allow spamd_gpg_t spamd_update_t:process sigchld;
>> + allow spamd_gpg_t spamd_update_t:fifo_file { getattr write };
>> + allow spamd_gpg_t spamd_var_lib_t:dir search_dir_perms;
>> + allow spamd_gpg_t spamd_var_lib_t:file rw_file_perms;
>> + allow spamd_gpg_t spamd_update_tmp_t:file read_file_perms;
>> +
>> + # fips
>> + kernel_search_crypto_sysctls(spamd_gpg_t)
>> +
>> + domain_use_interactive_fds(spamd_gpg_t)
>> +
>> + files_read_etc_files(spamd_gpg_t)
>> + files_read_usr_files(spamd_gpg_t)
>> + files_search_var_lib(spamd_gpg_t)
>> + files_search_pids(spamd_gpg_t)
>> + files_search_tmp(spamd_gpg_t)
>> +
>> + init_use_fds(spamd_gpg_t)
>> + init_rw_inherited_stream_socket(spamd_gpg_t)
>> +
>> + miscfiles_read_localization(spamd_gpg_t)
>> +
>> + userdom_use_inherited_user_terminals(spamd_gpg_t)
>> ')
>>
>
>
> --
> Chris PeBenito
On 09/13/2017 04:17 AM, Christian G?ttsche wrote:
> 2017-09-13 1:48 GMT+02:00 Chris PeBenito <[email protected]>:
>> On 09/12/2017 05:48 AM, Christian G?ttsche via refpolicy wrote:
>>>
>>> - add filecontexts
>>> - review admin interfaces
>>> - enhance sa-update policy
>>>
>>> v2:
>>>
>>> - drop list -> search changes in admin interface
>>> - use run instead of role interface for spamd_update
>>> - drop runtime_t rename
>>> - drop alias removal
>>> ---
>>> spamassassin.fc | 8 ++++-
>>> spamassassin.if | 43 +++++++++++++++++++++-----
>>> spamassassin.te | 95
>>> +++++++++++++++++++++++++++++++++++++++------------------
>>> 3 files changed, 109 insertions(+), 37 deletions(-)
>>>
>>> diff --git a/spamassassin.fc b/spamassassin.fc
>>> index 18fa75f..a8b3c01 100644
>>> --- a/spamassassin.fc
>>> +++ b/spamassassin.fc
>>> @@ -1,6 +1,7 @@
>>> HOME_DIR/\.spamassassin(/.*)?
>>> gen_context(system_u:object_r:spamassassin_home_t,s0)
>>> HOME_DIR/\.spamd(/.*)?
>>> gen_context(system_u:object_r:spamd_home_t,s0)
>>> +/etc/rc\.d/init\.d/spamassassin --
>>> gen_context(system_u:object_r:spamassassin_initrc_exec_t,s0)
>>> /etc/rc\.d/init\.d/spamd --
>>> gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
>>> /etc/rc\.d/init\.d/spampd --
>>> gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
>>> /etc/rc\.d/init\.d/mimedefang.* --
>>> gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
>>> @@ -17,14 +18,19 @@ HOME_DIR/\.spamd(/.*)?
>>> gen_context(system_u:object_r:spamd_home_t,s0)
>>> /usr/sbin/spamd --
>>> gen_context(system_u:object_r:spamd_exec_t,s0)
>>> /usr/sbin/spampd --
>>> gen_context(system_u:object_r:spamd_exec_t,s0)
>>> +/usr/lib/systemd/system/spamassassin\.service --
>>> gen_context(system_u:object_r:spamassassin_unit_t,s0)
>>> +
>>> /var/lib/spamassassin(/.*)?
>>> gen_context(system_u:object_r:spamd_var_lib_t,s0)
>>> /var/lib/spamassassin/compiled(/.*)?
>>> gen_context(system_u:object_r:spamd_compiled_t,s0)
>>> /var/log/spamd\.log.* --
>>> gen_context(system_u:object_r:spamd_log_t,s0)
>>> /var/log/mimedefang.* --
>>> gen_context(system_u:object_r:spamd_log_t,s0)
>>> +/var/vmail/\.spamassassin(/.*)?
>>> gen_context(system_u:object_r:spamassassin_home_t,s0)
>>> +
>>> /run/spamassassin(/.*)?
>>> gen_context(system_u:object_r:spamd_var_run_t,s0)
>>> -/run/spamassassin\.pid
>>> gen_context(system_u:object_r:spamd_var_run_t,s0)
>>> +/run/spamassassin\.pid --
>>> gen_context(system_u:object_r:spamd_var_run_t,s0)
>>> +/run/spamd\.pid --
>>> gen_context(system_u:object_r:spamd_var_run_t,s0)
>>> /var/spool/spamassassin(/.*)?
>>> gen_context(system_u:object_r:spamd_spool_t,s0)
>>> /var/spool/spamd(/.*)?
>>> gen_context(system_u:object_r:spamd_spool_t,s0)
>>> diff --git a/spamassassin.if b/spamassassin.if
>>> index e915b5f..ddfff8c 100644
>>> --- a/spamassassin.if
>>> +++ b/spamassassin.if
>>> @@ -27,8 +27,7 @@ interface(`spamassassin_role',`
>>> domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
>>> domtrans_pattern($2, spamc_exec_t, spamc_t)
>>> - allow $2 { spamc_t spamassassin_t}:process { ptrace signal_perms
>>> };
>>> - ps_process_pattern($2, { spamc_t spamassassin_t })
>>> + admin_process_pattern($2, { spamc_t spamassassin_t })
>>> allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t
>>> spamassassin_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
>>> allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t
>>> spamassassin_tmp_t }:file { manage_file_perms relabel_file_perms };
>>> @@ -37,6 +36,33 @@ interface(`spamassassin_role',`
>>> userdom_user_home_dir_filetrans($2, spamd_home_t, dir, ".spamd")
>>> ')
>>> +########################################
>>> +## <summary>
>>> +## Execute sa-update in the spamd-update domain,
>>> +## and allow the specified role
>>> +## the spamd-update domain. Also allow transitive
>>> +## access to the private gpg domain.
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain allowed to transition.
>>> +## </summary>
>>> +## </param>
>>> +## <param name="role">
>>> +## <summary>
>>> +## Role allowed access.
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`spamassassin_run_update',`
>>> + gen_require(`
>>> + type spamd_gpg_t, spamd_update_exec_t, spamd_update_t;
>>> + ')
>>> +
>>> + role 21 types { spamd_update_t spamd_gpg_t };
>>
>>
>> A patch issue here.
>>
>>
>>
>>> + domtrans_pattern($1, spamd_update_exec_t, spamd_update_t)
>>> +')
>>> +
>>> ########################################
>>> ## <summary>
>>> ## Execute the standalone spamassassin
>>> @@ -378,16 +404,16 @@ interface(`spamassassin_admin',`
>>> gen_require(`
>>> type spamd_t, spamd_tmp_t, spamd_log_t;
>>> type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t;
>>> - type spamd_initrc_exec_t;
>>> + type spamd_initrc_exec_t, spamassassin_unit_t;
>>> + type spamd_gpg_t, spamd_update_t;
>>> ')
>>> - allow $1 spamd_t:process { ptrace signal_perms };
>>> - ps_process_pattern($1, spamd_t)
>>> + admin_process_pattern($1, { spamd_t spamd_gpg_t spamd_update_t })
>>> - init_startstop_service($1, $2, spamd_t, spamd_initrc_exec_t)
>>> + init_startstop_service($1, $2, spamd_t, spamd_initrc_exec_t,
>>> spamassassin_unit_t)
>>> files_list_tmp($1)
>>> - admin_pattern($1, spamd_tmp_t)
>>> + admin_pattern($1, { spamd_tmp_t spamd_update_tmp_t })
>>> logging_list_logs($1)
>>> admin_pattern($1, spamd_log_t)
>>> @@ -403,4 +429,7 @@ interface(`spamassassin_admin',`
>>> # This makes it impossible to apply _admin if _role has already
>>> been applied
>>> #spamassassin_role($2, $1)
>>> +
>>> + # sa-update
>>> + spamassassin_run_update($1, $2)
>>> ')
>>> diff --git a/spamassassin.te b/spamassassin.te
>>> index 72e781e..08c153d 100644
>>> --- a/spamassassin.te
>>> +++ b/spamassassin.te
>>> @@ -25,6 +25,9 @@ type spamd_update_t;
>>> type spamd_update_exec_t;
>>> init_system_domain(spamd_update_t, spamd_update_exec_t)
>>> +type spamd_update_tmp_t;
>>> +files_tmp_file(spamd_update_tmp_t)
>>> +
>>> type spamassassin_t;
>>> type spamassassin_exec_t;
>>> typealias spamassassin_t alias { user_spamassassin_t
>>> staff_spamassassin_t sysadm_spamassassin_t };
>>> @@ -36,11 +39,17 @@ typealias spamassassin_home_t alias {
>>> user_spamassassin_home_t staff_spamassassi
>>> typealias spamassassin_home_t alias { auditadm_spamassassin_home_t
>>> secadm_spamassassin_home_t };
>>> userdom_user_home_content(spamassassin_home_t)
>>> +type spamassassin_initrc_exec_t;
>>> +init_script_file(spamassassin_initrc_exec_t)
>>> +
>>> type spamassassin_tmp_t;
>>> typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t
>>> staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
>>> typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t
>>> secadm_spamassassin_tmp_t };
>>> userdom_user_tmp_file(spamassassin_tmp_t)
>>> +type spamassassin_unit_t;
>>> +init_unit_file(spamassassin_unit_t)
>>> +
>>> type spamc_t;
>>> type spamc_exec_t;
>>> typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
>>> @@ -63,6 +72,9 @@ files_type(spamd_compiled_t)
>>> type spamd_etc_t;
>>> files_config_file(spamd_etc_t)
>>> +type spamd_gpg_t;
>>> +domain_type(spamd_gpg_t)
>>> +
>>> type spamd_home_t;
>>> userdom_user_home_content(spamd_home_t)
>>> @@ -119,7 +131,6 @@ files_read_etc_files(spamassassin_t)
>>> files_read_etc_runtime_files(spamassassin_t)
>>> files_list_home(spamassassin_t)
>>> files_read_usr_files(spamassassin_t)
>>> -files_dontaudit_search_var(spamassassin_t)
>>> logging_send_syslog_msg(spamassassin_t)
>>> @@ -216,7 +227,6 @@ fs_search_auto_mountpoints(spamc_t)
>>> files_read_etc_runtime_files(spamc_t)
>>> files_read_usr_files(spamc_t)
>>> -files_dontaudit_search_var(spamc_t)
>>> files_list_home(spamc_t)
>>> files_list_var_lib(spamc_t)
>>> @@ -276,8 +286,7 @@ optional_policy(`
>>> # Daemon local policy
>>> #
>>> -allow spamd_t self:capability { dac_override kill setgid setuid
>>> sys_tty_config };
>>> -dontaudit spamd_t self:capability sys_tty_config;
>>> +allow spamd_t self:capability { dac_override kill setgid setuid };
>>> allow spamd_t self:process { transition signal_perms getsched setsched
>>> getsession getpgid setpgid getcap setcap share getattr noatsecure siginh
>>> rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
>>> allow spamd_t self:fd use;
>>> allow spamd_t self:fifo_file rw_fifo_file_perms;
>>> @@ -328,6 +337,9 @@ can_exec(spamd_t, { spamd_exec_t spamd_compiled_t })
>>> kernel_read_all_sysctls(spamd_t)
>>> kernel_read_system_state(spamd_t)
>>> +auth_dontaudit_read_shadow(spamd_t)
>>> +auth_use_nsswitch(spamd_t)
>>
>>
>> These lines were in the correct location below.
>
> Can you please specify in the style guard in the "Local policy rules"
> section, what "kernel layer modules" are?
> kernel_, corenet_, dev_ ...
It's all of the ones under policy/modules/kernel.
--
Chris PeBenito