2017-02-24 06:25:21

by Russell Coker

Subject: [refpolicy] [PATCH] mta patches

Here are patches for clamav, courier, opendkim, dovecot, spamass_milter, mta,
perdition, postfix, postfixpolicyd, postgrey, procmail, and spamassassin.


Index: refpolicy-2.20170224/policy/modules/contrib/clamav.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/clamav.te
+++ refpolicy-2.20170224/policy/modules/contrib/clamav.te
@@ -73,7 +73,7 @@ logging_log_file(freshclam_var_log_t)
# Clamd local policy
#

-allow clamd_t self:capability { dac_override kill setgid setuid };
+allow clamd_t self:capability { chown fowner fsetid kill setgid setuid dac_override };
dontaudit clamd_t self:capability sys_tty_config;
allow clamd_t self:process signal;
allow clamd_t self:fifo_file rw_fifo_file_perms;
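Review bot: The rewritten `allow clamd_t self:capability` line is no longer in alphabetical order — `dac_override` was pushed to the end when `chown fowner fsetid` were inserted — while refpolicy keeps permission sets sorted; `allow clamd_t self:capability { chown dac_override fowner fsetid kill setgid setuid };`. Three file-ownership capabilities are granted to clamd_t at once with no comment saying which operation needs them (presumably ownership or mode changes on files it quarantines, but that is an inference). A one-line why-comment above the rule would let a later reviewer judge whether all three are still required.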
@@ -107,6 +107,9 @@ kernel_dontaudit_list_proc(clamd_t)
kernel_read_sysctl(clamd_t)
kernel_read_kernel_sysctls(clamd_t)
kernel_read_system_state(clamd_t)
+kernel_read_vm_sysctls(clamd_t)
+kernel_read_vm_overcommit_sysctl(clamd_t)
+dev_read_sysfs(clamd_t)

corecmd_exec_shell(clamd_t)

@@ -215,6 +218,10 @@ corenet_sendrecv_http_client_packets(fre
corenet_tcp_connect_http_port(freshclam_t)
corenet_tcp_sendrecv_http_port(freshclam_t)

+corenet_sendrecv_http_cache_client_packets(freshclam_t)
+corenet_tcp_connect_http_cache_port(freshclam_t)
+corenet_tcp_sendrecv_http_cache_port(freshclam_t)
+
corenet_sendrecv_squid_client_packets(freshclam_t)
corenet_tcp_connect_squid_port(freshclam_t)
corenet_tcp_sendrecv_squid_port(freshclam_t)
Index: refpolicy-2.20170224/policy/modules/contrib/courier.if
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/courier.if
+++ refpolicy-2.20170224/policy/modules/contrib/courier.if
@@ -65,11 +65,11 @@ interface(`courier_domtrans_authdaemon',
#
interface(`courier_stream_connect_authdaemon',`
gen_require(`
- type courier_authdaemon_t, courier_spool_t;
+ type courier_authdaemon_t, courier_var_run_t;
')

files_search_spool($1)
- stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
+ stream_connect_pattern($1, courier_var_run_t, courier_var_run_t, courier_authdaemon_t)
')
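Review bot: The interface now connects through `courier_var_run_t`, but the `files_search_spool($1)` line above the stream_connect_pattern call is unchanged, so a caller is still granted search on the spool tree rather than on the directory that presumably now holds the socket. If the socket moved under /run this should become `files_search_pids($1)`, keeping the spool search only if the socket path still passes through the spool directory. The .fc change that relabels the socket is not part of this patch, so confirm against the file contexts before changing it.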

########################################
Index: refpolicy-2.20170224/policy/modules/contrib/courier.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/courier.te
+++ refpolicy-2.20170224/policy/modules/contrib/courier.te
@@ -100,6 +100,7 @@ allow courier_authdaemon_t courier_tcpd_
allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms;

can_exec(courier_authdaemon_t, courier_exec_t)
+corecmd_exec_shell(courier_authdaemon_t)

domtrans_pattern(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t)

@@ -187,6 +188,8 @@ miscfiles_read_localization(courier_tcpd

kernel_read_kernel_sysctls(courier_sqwebmail_t)

+dev_read_urand(courier_sqwebmail_t)
+
optional_policy(`
cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t)
')
Index: refpolicy-2.20170224/policy/modules/contrib/dkim.if
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/dkim.if
+++ refpolicy-2.20170224/policy/modules/contrib/dkim.if
@@ -34,3 +34,23 @@ interface(`dkim_admin',`
files_search_pids($1)
admin_pattern($1, dkim_milter_data_t)
')
+
+########################################
+## <summary>
+## Allow a domain to talk to dkim via Unix domain socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dkim_stream_connect',`
+ gen_require(`
+ type dkim_milter_data_t, dkim_milter_t;
+ ')
+
+ allow $1 dkim_milter_data_t:dir search_dir_perms;
+ allow postfix_cleanup_t dkim_milter_data_t:sock_file write;
+ allow postfix_cleanup_t dkim_milter_t:unix_stream_socket connectto;
+')
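Review bot: `dkim_stream_connect` hard-codes `postfix_cleanup_t` in its last two rules instead of the `$1` parameter, so any caller other than postfix cleanup gets only the directory search, and the interface silently depends on a type it neither declares in its gen_require block nor owns (it lives in the postfix module). Replace the two lines with `allow $1 dkim_milter_data_t:sock_file write;` and `allow $1 dkim_milter_t:unix_stream_socket connectto;`, or use the single `stream_connect_pattern($1, dkim_milter_data_t, dkim_milter_data_t, dkim_milter_t)` call that covers all three rules in the conventional form.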
Index: refpolicy-2.20170224/policy/modules/contrib/dkim.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/dkim.te
+++ refpolicy-2.20170224/policy/modules/contrib/dkim.te
@@ -20,16 +20,25 @@ init_daemon_pid_file(dkim_milter_data_t,
# Local policy
#

-allow dkim_milter_t self:capability { setgid setuid };
-allow dkim_milter_t self:process signal;
+allow dkim_milter_t self:capability { dac_override setgid setuid };
+allow dkim_milter_t self:process { signal signull };
allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;

read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)

kernel_read_kernel_sysctls(dkim_milter_t)
+kernel_read_vm_sysctls(dkim_milter_t)
+kernel_read_vm_overcommit_sysctl(dkim_milter_t)
+
+# for cpu/online
+dev_read_sysfs(dkim_milter_t)

dev_read_urand(dkim_milter_t)

files_search_spool(dkim_milter_t)

mta_read_config(dkim_milter_t)
+
+corenet_udp_bind_generic_node(dkim_milter_t)
+corenet_udp_bind_all_unreserved_ports(dkim_milter_t)
+corenet_dontaudit_udp_bind_all_ports(dkim_milter_t)
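Review bot: The three corenet_udp lines at the end of the hunk let dkim_milter_t bind any unreserved UDP port and dontaudit binds on every port, which is a wide grant for a milter, and nothing says what triggers it; the `# for cpu/online` comment earlier in the same hunk shows the style to follow. It is presumably a resolver library picking ephemeral source ports for DNS queries, but that is a guess, so the comment should name the real cause, e.g. `# ephemeral source ports for DNS lookups (TODO: confirm)`. If the binds are only needed for that, consider whether the dontaudit on all ports can be dropped once the cause is known.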
Index: refpolicy-2.20170224/policy/modules/contrib/dovecot.fc
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/dovecot.fc
+++ refpolicy-2.20170224/policy/modules/contrib/dovecot.fc
@@ -19,6 +19,9 @@
/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
/usr/lib/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/lib/dovecot/log -- gen_context(system_u:object_r:dovecot_exec_t,s0)
+/usr/lib/dovecot/ssl-params -- gen_context(system_u:object_r:dovecot_exec_t,s0)
+/usr/lib/dovecot/anvil -- gen_context(system_u:object_r:dovecot_exec_t,s0)

/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
Index: refpolicy-2.20170224/policy/modules/contrib/dovecot.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/dovecot.te
+++ refpolicy-2.20170224/policy/modules/contrib/dovecot.te
@@ -92,7 +92,7 @@ miscfiles_read_localization(dovecot_doma
# Local policy
#

-allow dovecot_t self:capability { chown dac_override dac_read_search fsetid kill setgid setuid sys_chroot };
+allow dovecot_t self:capability { chown dac_override dac_read_search fsetid kill setgid setuid sys_chroot sys_resource };
dontaudit dovecot_t self:capability sys_tty_config;
allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
allow dovecot_t self:tcp_socket { accept listen };
@@ -133,6 +133,9 @@ allow dovecot_t dovecot_auth_t:process s

domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)

+files_list_usr(dovecot_t)
+files_read_usr_files(dovecot_t)
+
corenet_all_recvfrom_unlabeled(dovecot_t)
corenet_all_recvfrom_netlabel(dovecot_t)
corenet_tcp_sendrecv_generic_if(dovecot_t)
@@ -242,9 +245,14 @@ files_tmp_filetrans(dovecot_auth_t, dove

allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
+allow dovecot_auth_t dovecot_var_run_t:file manage_file_perms;
+allow dovecot_auth_t dovecot_var_run_t:fifo_file write_fifo_file_perms;

allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };

+selinux_get_enforce_mode(dovecot_auth_t)
+selinux_get_fs_mount(dovecot_auth_t)
+
files_search_pids(dovecot_auth_t)
files_read_usr_files(dovecot_auth_t)
files_read_var_lib_files(dovecot_auth_t)
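Review bot: The two added `allow dovecot_auth_t dovecot_var_run_t:...` rules sit directly under a `manage_sock_files_pattern` call but are written as raw allow rules; in keeping with the surrounding lines they would be `manage_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)` and `write_fifo_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)`. This is more than cosmetic: `manage_file_perms` includes create, yet the only directory access visible here is the `list_dir_perms` line above, which does not include add_name or write, so if dovecot_auth_t is meant to create files in that directory the raw rule is insufficient on its own, whereas the pattern form grants the directory permissions as well.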
@@ -256,7 +264,7 @@ init_rw_utmp(dovecot_auth_t)

logging_send_audit_msgs(dovecot_auth_t)

-seutil_dontaudit_search_config(dovecot_auth_t)
+seutil_search_default_contexts(dovecot_auth_t)

sysnet_use_ldap(dovecot_auth_t)

Index: refpolicy-2.20170224/policy/modules/contrib/milter.if
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/milter.if
+++ refpolicy-2.20170224/policy/modules/contrib/milter.if
@@ -97,3 +97,21 @@ interface(`milter_manage_spamass_state',
manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
')
+
+########################################
+## <summary>
+## stat spamassissin milter data dir
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`milter_getattr_data_dir',`
+ gen_require(`
+ type spamass_milter_data_t;
+ ')
+
+ allow $1 spamass_milter_data_t:dir getattr;
+')
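Review bot: The summary of `milter_getattr_data_dir` misspells the program name and does not follow the sentence style of the other summaries in this file: `## stat spamassissin milter data dir` should read `## Get the attributes of the spamass-milter data directory.`. The body grants only `getattr` on the directory, which matches the interface name and the stated purpose.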
Index: refpolicy-2.20170224/policy/modules/contrib/milter.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/milter.te
+++ refpolicy-2.20170224/policy/modules/contrib/milter.te
@@ -94,8 +94,11 @@ mta_read_config(regex_milter_t)
#

allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
+allow spamass_milter_t self:process sigkill;

kernel_read_system_state(spamass_milter_t)
+kernel_read_vm_overcommit_sysctl(spamass_milter_t)
+dev_read_sysfs(spamass_milter_t)

corecmd_exec_shell(spamass_milter_t)

@@ -106,3 +109,7 @@ mta_send_mail(spamass_milter_t)
optional_policy(`
spamassassin_domtrans_client(spamass_milter_t)
')
+
+optional_policy(`
+ postfix_search_spool(spamass_milter_t)
+')
Index: refpolicy-2.20170224/policy/modules/contrib/mta.fc
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/mta.fc
+++ refpolicy-2.20170224/policy/modules/contrib/mta.fc
@@ -3,6 +3,7 @@ HOME_DIR/\.forward[^/]* -- gen_context(s
HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/DovecotMail(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)

/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
Index: refpolicy-2.20170224/policy/modules/contrib/mta.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/mta.te
+++ refpolicy-2.20170224/policy/modules/contrib/mta.te
@@ -199,10 +199,15 @@ selinux_getattr_fs(system_mail_t)
term_dontaudit_use_unallocated_ttys(system_mail_t)

init_use_script_ptys(system_mail_t)
+init_use_fds(system_mail_t)

userdom_use_user_terminals(system_mail_t)

optional_policy(`
+ unconfined_use_fds(system_mail_t)
+')
+
+optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
apache_append_squirrelmail_data(system_mail_t)
apache_dontaudit_append_log(system_mail_t)
@@ -233,6 +238,7 @@ optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
cron_dontaudit_write_pipes(system_mail_t)
cron_rw_system_job_stream_sockets(system_mail_t)
+ cron_rw_tmp_files(system_mail_t)
')

optional_policy(`
Index: refpolicy-2.20170224/policy/modules/contrib/perdition.fc
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/perdition.fc
+++ refpolicy-2.20170224/policy/modules/contrib/perdition.fc
@@ -2,6 +2,6 @@

/etc/perdition(/.*)? gen_context(system_u:object_r:perdition_etc_t,s0)

-/usr/sbin/perdition -- gen_context(system_u:object_r:perdition_exec_t,s0)
+/usr/sbin/perdition.* -- gen_context(system_u:object_r:perdition_exec_t,s0)

/run/perdition\.pid -- gen_context(system_u:object_r:perdition_var_run_t,s0)
Index: refpolicy-2.20170224/policy/modules/contrib/perdition.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/perdition.te
+++ refpolicy-2.20170224/policy/modules/contrib/perdition.te
@@ -23,7 +23,7 @@ files_pid_file(perdition_var_run_t)
# Local policy
#

-allow perdition_t self:capability { setgid setuid };
+allow perdition_t self:capability { chown dac_override fowner setgid setuid };
dontaudit perdition_t self:capability sys_tty_config;
allow perdition_t self:process signal_perms;
allow perdition_t self:tcp_socket { accept listen };
@@ -33,7 +33,8 @@ allow perdition_t perdition_etc_t:file r
allow perdition_t perdition_etc_t:lnk_file read_lnk_file_perms;

manage_files_pattern(perdition_t, perdition_var_run_t, perdition_var_run_t)
-files_pid_filetrans(perdition_t, perdition_var_run_t, file)
+allow perdition_t perdition_var_run_t:dir manage_dir_perms;
+files_pid_filetrans(perdition_t, perdition_var_run_t, { file dir })

kernel_read_kernel_sysctls(perdition_t)
kernel_list_proc(perdition_t)
@@ -46,11 +47,18 @@ corenet_tcp_sendrecv_generic_node(perdit
corenet_tcp_sendrecv_all_ports(perdition_t)
corenet_tcp_bind_generic_node(perdition_t)

+corenet_tcp_connect_pop_port(perdition_t)
corenet_sendrecv_pop_server_packets(perdition_t)
corenet_tcp_bind_pop_port(perdition_t)
corenet_tcp_sendrecv_pop_port(perdition_t)

+corenet_tcp_connect_sieve_port(perdition_t)
+corenet_sendrecv_sieve_server_packets(perdition_t)
+corenet_tcp_bind_sieve_port(perdition_t)
+corenet_tcp_sendrecv_sieve_port(perdition_t)
+
dev_read_sysfs(perdition_t)
+dev_read_urand(perdition_t)

domain_use_interactive_fds(perdition_t)

@@ -71,5 +79,10 @@ optional_policy(`
')

optional_policy(`
+ mysql_tcp_connect(perdition_t)
+ mysql_stream_connect(perdition_t)
+')
+
+optional_policy(`
udev_read_db(perdition_t)
')
Index: refpolicy-2.20170224/policy/modules/contrib/postfix.fc
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/postfix.fc
+++ refpolicy-2.20170224/policy/modules/contrib/postfix.fc
@@ -1,23 +1,23 @@
-/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
+/etc/postfix(/.*)? gen_context(system_u:object_r:postfix_etc_t,s0)
/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)

/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)

-/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
-/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
-/usr/lib/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
-/usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/lib/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
-/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
-/usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
-/usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
-/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
-/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
+/usr/lib/postfix/(sbin/)?.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+/usr/lib/postfix/(sbin/)?cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+/usr/lib/postfix/(sbin/)?local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
+/usr/lib/postfix/(sbin/)?master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/lib/postfix/(sbin/)?pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+/usr/lib/postfix/(sbin/)?(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/lib/postfix/(sbin/)?showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
+/usr/lib/postfix/(sbin/)?smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/(sbin/)?lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/(sbin/)?scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/(sbin/)?smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+/usr/lib/postfix/(sbin/)?bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+/usr/lib/postfix/(sbin/)?pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+/usr/lib/postfix/(sbin/)?virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)

/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
Index: refpolicy-2.20170224/policy/modules/contrib/postfixpolicyd.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/postfixpolicyd.te
+++ refpolicy-2.20170224/policy/modules/contrib/postfixpolicyd.te
@@ -18,13 +18,16 @@ init_script_file(postfix_policyd_initrc_
type postfix_policyd_var_run_t;
files_pid_file(postfix_policyd_var_run_t)

+type postfix_policyd_tmp_t;
+files_type(postfix_policyd_tmp_t)
+
########################################
#
# Local policy
#

-allow postfix_policyd_t self:capability { setgid setuid sys_chroot sys_resource };
-allow postfix_policyd_t self:process setrlimit;
+allow postfix_policyd_t self:capability { chown sys_chroot sys_resource setgid setuid };
+allow postfix_policyd_t self:process { setrlimit signal signull };
allow postfix_policyd_t self:tcp_socket { accept listen };

allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms;
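Review bot: `postfix_policyd_tmp_t` is declared with `files_type()` although it is only used as a temporary-file type (the `files_tmp_filetrans` in the next hunk), so it does not receive the tmpfile attribute that the generic tmp-cleanup and tmp-access interfaces key on; the convention is `files_tmp_file(postfix_policyd_tmp_t)`. The rewritten capability line also breaks the alphabetical order used elsewhere in the file: `allow postfix_policyd_t self:capability { chown setgid setuid sys_chroot sys_resource };`. The last hunk of this file additionally adds a trailing blank line at end of file.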
@@ -34,6 +37,9 @@ allow postfix_policyd_t postfix_policyd_
manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)

+files_tmp_filetrans(postfix_policyd_t, postfix_policyd_tmp_t, { file sock_file })
+allow postfix_policyd_t postfix_policyd_tmp_t:{ file sock_file } manage_file_perms;
+
corenet_all_recvfrom_unlabeled(postfix_policyd_t)
corenet_tcp_sendrecv_generic_if(postfix_policyd_t)
corenet_tcp_sendrecv_generic_node(postfix_policyd_t)
@@ -49,9 +55,14 @@ corenet_tcp_sendrecv_mysqld_port(postfix

files_read_etc_files(postfix_policyd_t)
files_read_usr_files(postfix_policyd_t)
+corecmd_exec_bin(postfix_policyd_t)
+dev_read_urand(postfix_policyd_t)

logging_send_syslog_msg(postfix_policyd_t)

miscfiles_read_localization(postfix_policyd_t)

sysnet_dns_name_resolve(postfix_policyd_t)
+
+kernel_search_network_sysctl(postfix_policyd_t)
+
Index: refpolicy-2.20170224/policy/modules/contrib/postfix.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/postfix.te
+++ refpolicy-2.20170224/policy/modules/contrib/postfix.te
@@ -172,6 +172,7 @@ optional_policy(`
#

allow postfix_server_domain self:capability { dac_override setgid setuid };
+allow postfix_master_t self:process getsched;

allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };

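Review bot: `allow postfix_master_t self:process getsched;` is inserted into the section that holds the rules common to every `postfix_server_domain`, directly under that attribute's capability line, so a master-specific rule now lives outside the master local policy block further down the file. The same misplacement occurs in the hunk headed by the postfix_local_write_mail tunable, where `clamav_stream_connect(postfix_smtpd_t)` is added to an optional_policy block of the local delivery section; anyone auditing what smtpd may reach will not look there. Each rule belongs in its own domain's section, the smtpd one inside its own `optional_policy(` block.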
@@ -234,6 +235,8 @@ manage_files_pattern(postfix_master_t, p
manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_flush_t, dir, "flush")

+hostname_exec(postfix_master_t)
+
create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_private_t)
manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
@@ -272,6 +275,7 @@ corenet_udp_sendrecv_generic_node(postfi
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
corenet_tcp_bind_generic_node(postfix_master_t)
+corenet_udp_bind_generic_node(postfix_master_t)

corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
@@ -326,6 +330,11 @@ optional_policy(`

optional_policy(`
mailman_manage_data_files(postfix_master_t)
+ mailman_search_data(postfix_pipe_t)
+')
+
+optional_policy(`
+ milter_getattr_data_dir(postfix_master_t)
')

optional_policy(`
@@ -371,6 +380,7 @@ allow postfix_cleanup_t self:process set

allow postfix_cleanup_t postfix_smtpd_t:tcp_socket rw_stream_socket_perms;
allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms;
+allow postfix_cleanup_t postfix_smtpd_t:fd use;

allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms;
@@ -400,6 +410,10 @@ optional_policy(`
mailman_read_data_files(postfix_cleanup_t)
')

+optional_policy(`
+ dkim_stream_connect(postfix_cleanup_t)
+')
+
########################################
#
# Local local policy
@@ -432,6 +446,7 @@ tunable_policy(`postfix_local_write_mail
optional_policy(`
clamav_search_lib(postfix_local_t)
clamav_exec_clamscan(postfix_local_t)
+ clamav_stream_connect(postfix_smtpd_t)
')

optional_policy(`
@@ -557,6 +572,10 @@ domtrans_pattern(postfix_pipe_t, postfix

corecmd_exec_bin(postfix_pipe_t)

+write_sock_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
+
+
+
optional_policy(`
dovecot_domtrans_deliver(postfix_pipe_t)
')
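Review bot: Three blank lines are inserted after the new `write_sock_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)` call, where refpolicy separates rule groups with a single blank line; two of them should go. The rule itself is placed correctly among the other postfix_pipe_t rules.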
@@ -567,6 +586,7 @@ optional_policy(`

optional_policy(`
mailman_domtrans_queue(postfix_pipe_t)
+ mailman_domtrans(postfix_pipe_t)
')

optional_policy(`
@@ -596,6 +616,10 @@ manage_files_pattern(postfix_postdrop_t,

allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };

+# for /var/spool/postfix/public/pickup
+allow postfix_postdrop_t postfix_public_t:sock_file { getattr write };
+allow postfix_postdrop_t postfix_master_t:unix_stream_socket connectto;
+
mcs_file_read_all(postfix_postdrop_t)
mcs_file_write_all(postfix_postdrop_t)

@@ -654,6 +678,10 @@ optional_policy(`
ppp_sigchld(postfix_postqueue_t)
')

+optional_policy(`
+ userdom_sigchld_all_users(postfix_postqueue_t)
+')
+
########################################
#
# Qmgr local policy
Index: refpolicy-2.20170224/policy/modules/contrib/postgrey.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/postgrey.te
+++ refpolicy-2.20170224/policy/modules/contrib/postgrey.te
@@ -34,6 +34,8 @@ dontaudit postgrey_t self:capability sys
allow postgrey_t self:process signal_perms;
allow postgrey_t self:fifo_file create_fifo_file_perms;
allow postgrey_t self:tcp_socket create_stream_socket_perms;
+allow postgrey_t self:netlink_route_socket r_netlink_socket_perms;
+allow postgrey_t self:udp_socket { connect connected_socket_perms };

allow postgrey_t postgrey_etc_t:dir list_dir_perms;
allow postgrey_t postgrey_etc_t:file read_file_perms;
@@ -55,7 +57,8 @@ files_pid_filetrans(postgrey_t, postgrey
kernel_read_system_state(postgrey_t)
kernel_read_kernel_sysctls(postgrey_t)

-corecmd_search_bin(postgrey_t)
+corecmd_read_bin_files(postgrey_t)
+corecmd_exec_bin(postgrey_t)

corenet_all_recvfrom_unlabeled(postgrey_t)
corenet_all_recvfrom_netlabel(postgrey_t)
Index: refpolicy-2.20170224/policy/modules/contrib/procmail.fc
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/procmail.fc
+++ refpolicy-2.20170224/policy/modules/contrib/procmail.fc
@@ -1,6 +1,7 @@
HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t,s0)

/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0)
+/usr/bin/maildrop -- gen_context(system_u:object_r:procmail_exec_t,s0)

/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0)
/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0)
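Review bot: Labelling `/usr/bin/maildrop` as `procmail_exec_t` runs a separate program in the procmail_t domain, and this is presumably also why the procmail.te hunk grants procmail_t access to the courier authdaemon socket and config, yet neither file states the connection. A comment above the new entry such as `# maildrop (courier) is run in the procmail domain` would make the intent visible to anyone later trying to narrow procmail_t or to split maildrop out.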
Index: refpolicy-2.20170224/policy/modules/contrib/procmail.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/procmail.te
+++ refpolicy-2.20170224/policy/modules/contrib/procmail.te
@@ -145,3 +145,8 @@ optional_policy(`
spamassassin_domtrans_client(procmail_t)
spamassassin_read_lib_files(procmail_t)
')
+
+optional_policy(`
+ courier_read_config(procmail_t)
+ courier_stream_connect_authdaemon(procmail_t)
+')
Index: refpolicy-2.20170224/policy/modules/contrib/spamassassin.fc
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/spamassassin.fc
+++ refpolicy-2.20170224/policy/modules/contrib/spamassassin.fc
@@ -23,6 +23,7 @@ HOME_DIR/\.spamd(/.*)? gen_context(syste
/var/log/mimedefang.* -- gen_context(system_u:object_r:spamd_log_t,s0)

/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+/run/spamassassin\.pid gen_context(system_u:object_r:spamd_var_run_t,s0)

/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
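Review bot: The new `/run/spamassassin\.pid` entry omits the `--` file-type field, so it matches any object class at that path, while the sibling log entries in this file (e.g. `/var/log/mimedefang.*`) restrict themselves to regular files; `/run/spamassassin\.pid -- gen_context(system_u:object_r:spamd_var_run_t,s0)`. The entry is not redundant with the `/run/spamassassin(/.*)?` line above it, since that pattern covers the directory and its contents, not a sibling file.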
Index: refpolicy-2.20170224/policy/modules/contrib/spamassassin.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/contrib/spamassassin.te
+++ refpolicy-2.20170224/policy/modules/contrib/spamassassin.te
@@ -46,6 +46,7 @@ type spamc_exec_t;
typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
userdom_user_application_domain(spamc_t, spamc_exec_t)
+role system_r types spamc_t;

type spamc_tmp_t;
typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
Index: refpolicy-2.20170224/policy/modules/system/unconfined.if
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/system/unconfined.if
+++ refpolicy-2.20170224/policy/modules/system/unconfined.if
@@ -319,6 +319,24 @@ interface(`unconfined_run_to',`

########################################
## <summary>
+## Allow the specified domain to be in the unconfined role
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to permit in unconfined_r
+## </summary>
+## </param>
+#
+interface(`permit_in_unconfined_r',`
+ gen_require(`
+ role unconfined_r;
+ ')
+
+ role unconfined_r types $1;
+')
+
+########################################
+## <summary>
## Inherit file descriptors from the unconfined domain.
## </summary>
## <param name="domain">
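Review bot: `permit_in_unconfined_r` does not carry the `unconfined_` module prefix that every other interface in unconfined.if uses (`unconfined_run_to` is visible in the hunk header), so it will not be found by readers or tooling that expect the prefix; a name in the module's style, for example `unconfined_role_types` (a suggestion, not an existing name), would fit. No hunk in this patch calls the new interface, so either its caller is missing or it should be left out until something uses it. The summary should also end with a period like its neighbours: `## Allow the specified domain to be in the unconfined role.`.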


2017-02-25 15:39:49

by Chris PeBenito

Subject: [refpolicy] [PATCH] mta patches

On 02/24/17 01:25, Russell Coker via refpolicy wrote:
> Here are patches for clamav, courier, opendkim, dovecot, spamass_milter, mta,
> perdition, postfix, postfixpolicyd, postgrey, procmail, and spamassassin.

Merged, though I made some minor revisions.


> Index: refpolicy-2.20170224/policy/modules/contrib/clamav.te
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/clamav.te
> +++ refpolicy-2.20170224/policy/modules/contrib/clamav.te
> @@ -73,7 +73,7 @@ logging_log_file(freshclam_var_log_t)
> # Clamd local policy
> #
>
> -allow clamd_t self:capability { dac_override kill setgid setuid };
> +allow clamd_t self:capability { chown fowner fsetid kill setgid setuid dac_override };
> dontaudit clamd_t self:capability sys_tty_config;
> allow clamd_t self:process signal;
> allow clamd_t self:fifo_file rw_fifo_file_perms;
> @@ -107,6 +107,9 @@ kernel_dontaudit_list_proc(clamd_t)
> kernel_read_sysctl(clamd_t)
> kernel_read_kernel_sysctls(clamd_t)
> kernel_read_system_state(clamd_t)
> +kernel_read_vm_sysctls(clamd_t)
> +kernel_read_vm_overcommit_sysctl(clamd_t)
> +dev_read_sysfs(clamd_t)
>
> corecmd_exec_shell(clamd_t)
>
> @@ -215,6 +218,10 @@ corenet_sendrecv_http_client_packets(fre
> corenet_tcp_connect_http_port(freshclam_t)
> corenet_tcp_sendrecv_http_port(freshclam_t)
>
> +corenet_sendrecv_http_cache_client_packets(freshclam_t)
> +corenet_tcp_connect_http_cache_port(freshclam_t)
> +corenet_tcp_sendrecv_http_cache_port(freshclam_t)
> +
> corenet_sendrecv_squid_client_packets(freshclam_t)
> corenet_tcp_connect_squid_port(freshclam_t)
> corenet_tcp_sendrecv_squid_port(freshclam_t)
> Index: refpolicy-2.20170224/policy/modules/contrib/courier.if
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/courier.if
> +++ refpolicy-2.20170224/policy/modules/contrib/courier.if
> @@ -65,11 +65,11 @@ interface(`courier_domtrans_authdaemon',
> #
> interface(`courier_stream_connect_authdaemon',`
> gen_require(`
> - type courier_authdaemon_t, courier_spool_t;
> + type courier_authdaemon_t, courier_var_run_t;
> ')
>
> files_search_spool($1)
> - stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
> + stream_connect_pattern($1, courier_var_run_t, courier_var_run_t, courier_authdaemon_t)
> ')
>
> ########################################
> Index: refpolicy-2.20170224/policy/modules/contrib/courier.te
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/courier.te
> +++ refpolicy-2.20170224/policy/modules/contrib/courier.te
> @@ -100,6 +100,7 @@ allow courier_authdaemon_t courier_tcpd_
> allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms;
>
> can_exec(courier_authdaemon_t, courier_exec_t)
> +corecmd_exec_shell(courier_authdaemon_t)
>
> domtrans_pattern(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t)
>
> @@ -187,6 +188,8 @@ miscfiles_read_localization(courier_tcpd
>
> kernel_read_kernel_sysctls(courier_sqwebmail_t)
>
> +dev_read_urand(courier_sqwebmail_t)
> +
> optional_policy(`
> cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t)
> ')
> Index: refpolicy-2.20170224/policy/modules/contrib/dkim.if
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/dkim.if
> +++ refpolicy-2.20170224/policy/modules/contrib/dkim.if
> @@ -34,3 +34,23 @@ interface(`dkim_admin',`
> files_search_pids($1)
> admin_pattern($1, dkim_milter_data_t)
> ')
> +
> +########################################
> +## <summary>
> +## Allow a domain to talk to dkim via Unix domain socket
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dkim_stream_connect',`
> + gen_require(`
> + type dkim_milter_data_t, dkim_milter_t;
> + ')
> +
> + allow $1 dkim_milter_data_t:dir search_dir_perms;
> + allow postfix_cleanup_t dkim_milter_data_t:sock_file write;
> + allow postfix_cleanup_t dkim_milter_t:unix_stream_socket connectto;
> +')
> Index: refpolicy-2.20170224/policy/modules/contrib/dkim.te
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/dkim.te
> +++ refpolicy-2.20170224/policy/modules/contrib/dkim.te
> @@ -20,16 +20,25 @@ init_daemon_pid_file(dkim_milter_data_t,
> # Local policy
> #
>
> -allow dkim_milter_t self:capability { setgid setuid };
> -allow dkim_milter_t self:process signal;
> +allow dkim_milter_t self:capability { dac_override setgid setuid };
> +allow dkim_milter_t self:process { signal signull };
> allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
>
> read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
>
> kernel_read_kernel_sysctls(dkim_milter_t)
> +kernel_read_vm_sysctls(dkim_milter_t)
> +kernel_read_vm_overcommit_sysctl(dkim_milter_t)
> +
> +# for cpu/online
> +dev_read_sysfs(dkim_milter_t)
>
> dev_read_urand(dkim_milter_t)
>
> files_search_spool(dkim_milter_t)
>
> mta_read_config(dkim_milter_t)
> +
> +corenet_udp_bind_generic_node(dkim_milter_t)
> +corenet_udp_bind_all_unreserved_ports(dkim_milter_t)
> +corenet_dontaudit_udp_bind_all_ports(dkim_milter_t)
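Review bot: The two grants in this hunk that widen the daemon's reach, `dac_override` on the rewritten capability line and `corenet_udp_bind_all_unreserved_ports(dkim_milter_t)`, carry no comment saying what operation triggers them, unlike the `# for cpu/online` comment on the sysfs rule. `dac_override` lets the domain bypass DAC on every file its SELinux rules already reach, so a comment naming the path or operation that needed it is what lets a later reviewer decide whether it can be dropped; the same applies to the `chown dac_override fowner` added on the perdition.te capability line. If the UDP bind exists because the resolver binds ephemeral source ports for DKIM DNS lookups, a line such as `# DNS lookups: resolver binds ephemeral UDP ports` above it would also explain why the following `dontaudit ... bind_all_ports` is wanted; that cause is inferred, not visible here.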
> Index: refpolicy-2.20170224/policy/modules/contrib/dovecot.fc
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/dovecot.fc
> +++ refpolicy-2.20170224/policy/modules/contrib/dovecot.fc
> @@ -19,6 +19,9 @@
> /usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
> /usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
> /usr/lib/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
> +/usr/lib/dovecot/log -- gen_context(system_u:object_r:dovecot_exec_t,s0)
> +/usr/lib/dovecot/ssl-params -- gen_context(system_u:object_r:dovecot_exec_t,s0)
> +/usr/lib/dovecot/anvil -- gen_context(system_u:object_r:dovecot_exec_t,s0)
>
> /usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
> /usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
> Index: refpolicy-2.20170224/policy/modules/contrib/dovecot.te
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/dovecot.te
> +++ refpolicy-2.20170224/policy/modules/contrib/dovecot.te
> @@ -92,7 +92,7 @@ miscfiles_read_localization(dovecot_doma
> # Local policy
> #
>
> -allow dovecot_t self:capability { chown dac_override dac_read_search fsetid kill setgid setuid sys_chroot };
> +allow dovecot_t self:capability { chown dac_override dac_read_search fsetid kill setgid setuid sys_chroot sys_resource };
> dontaudit dovecot_t self:capability sys_tty_config;
> allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
> allow dovecot_t self:tcp_socket { accept listen };
> @@ -133,6 +133,9 @@ allow dovecot_t dovecot_auth_t:process s
>
> domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
>
> +files_list_usr(dovecot_t)
> +files_read_usr_files(dovecot_t)
> +
> corenet_all_recvfrom_unlabeled(dovecot_t)
> corenet_all_recvfrom_netlabel(dovecot_t)
> corenet_tcp_sendrecv_generic_if(dovecot_t)
> @@ -242,9 +245,14 @@ files_tmp_filetrans(dovecot_auth_t, dove
>
> allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
> manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
> +allow dovecot_auth_t dovecot_var_run_t:file manage_file_perms;
> +allow dovecot_auth_t dovecot_var_run_t:fifo_file write_fifo_file_perms;
>
> allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
>
> +selinux_get_enforce_mode(dovecot_auth_t)
> +selinux_get_fs_mount(dovecot_auth_t)
> +
> files_search_pids(dovecot_auth_t)
> files_read_usr_files(dovecot_auth_t)
> files_read_var_lib_files(dovecot_auth_t)
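Review bot: `selinux_get_enforce_mode(dovecot_auth_t)` and `selinux_get_fs_mount(dovecot_auth_t)`, together with the switch from `seutil_dontaudit_search_config` to `seutil_search_default_contexts` in the next hunk, mean dovecot_auth_t now actively reads SELinux state instead of having the attempt silenced, and nothing in the hunk records why. This looks like libselinux initialisation, possibly reached through a PAM module, but that is inferred; a comment above the two calls such as `# libselinux init (is_selinux_enabled) - TODO confirm which auth backend triggers it` would let the next reader check it. The new `manage_file_perms` on dovecot_var_run_t files is likewise worth a word on which file an auth helper creates there.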
> @@ -256,7 +264,7 @@ init_rw_utmp(dovecot_auth_t)
>
> logging_send_audit_msgs(dovecot_auth_t)
>
> -seutil_dontaudit_search_config(dovecot_auth_t)
> +seutil_search_default_contexts(dovecot_auth_t)
>
> sysnet_use_ldap(dovecot_auth_t)
>
> Index: refpolicy-2.20170224/policy/modules/contrib/milter.if
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/milter.if
> +++ refpolicy-2.20170224/policy/modules/contrib/milter.if
> @@ -97,3 +97,21 @@ interface(`milter_manage_spamass_state',
> manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
> manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
> ')
> +
> +########################################
> +## <summary>
> +## stat spamassissin milter data dir
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`milter_getattr_data_dir',`
> + gen_require(`
> + type spamass_milter_data_t;
> + ')
> +
> + allow $1 spamass_milter_data_t:dir getattr;
> +')
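Review bot: The summary of the new `milter_getattr_data_dir` interface misspells the program name and is terser than the neighbouring interface docs: `## stat spamassissin milter data dir`. Suggest `## Get the attributes of the spamass-milter data directory.` to match the style of the other summaries in this file. The body itself is fine; `getattr` on the directory is the minimal grant for a stat.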
> Index: refpolicy-2.20170224/policy/modules/contrib/milter.te
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/milter.te
> +++ refpolicy-2.20170224/policy/modules/contrib/milter.te
> @@ -94,8 +94,11 @@ mta_read_config(regex_milter_t)
> #
>
> allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
> +allow spamass_milter_t self:process sigkill;
>
> kernel_read_system_state(spamass_milter_t)
> +kernel_read_vm_overcommit_sysctl(spamass_milter_t)
> +dev_read_sysfs(spamass_milter_t)
>
> corecmd_exec_shell(spamass_milter_t)
>
> @@ -106,3 +109,7 @@ mta_send_mail(spamass_milter_t)
> optional_policy(`
> spamassassin_domtrans_client(spamass_milter_t)
> ')
> +
> +optional_policy(`
> + postfix_search_spool(spamass_milter_t)
> +')
> Index: refpolicy-2.20170224/policy/modules/contrib/mta.fc
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/mta.fc
> +++ refpolicy-2.20170224/policy/modules/contrib/mta.fc
> @@ -3,6 +3,7 @@ HOME_DIR/\.forward[^/]* -- gen_context(s
> HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
> HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
> HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
> +HOME_DIR/DovecotMail(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
> HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
>
> /etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
> Index: refpolicy-2.20170224/policy/modules/contrib/mta.te
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/mta.te
> +++ refpolicy-2.20170224/policy/modules/contrib/mta.te
> @@ -199,10 +199,15 @@ selinux_getattr_fs(system_mail_t)
> term_dontaudit_use_unallocated_ttys(system_mail_t)
>
> init_use_script_ptys(system_mail_t)
> +init_use_fds(system_mail_t)
>
> userdom_use_user_terminals(system_mail_t)
>
> optional_policy(`
> + unconfined_use_fds(system_mail_t)
> +')
> +
> +optional_policy(`
> apache_read_squirrelmail_data(system_mail_t)
> apache_append_squirrelmail_data(system_mail_t)
> apache_dontaudit_append_log(system_mail_t)
> @@ -233,6 +238,7 @@ optional_policy(`
> cron_read_system_job_tmp_files(system_mail_t)
> cron_dontaudit_write_pipes(system_mail_t)
> cron_rw_system_job_stream_sockets(system_mail_t)
> + cron_rw_tmp_files(system_mail_t)
> ')
>
> optional_policy(`
> Index: refpolicy-2.20170224/policy/modules/contrib/perdition.fc
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/perdition.fc
> +++ refpolicy-2.20170224/policy/modules/contrib/perdition.fc
> @@ -2,6 +2,6 @@
>
> /etc/perdition(/.*)? gen_context(system_u:object_r:perdition_etc_t,s0)
>
> -/usr/sbin/perdition -- gen_context(system_u:object_r:perdition_exec_t,s0)
> +/usr/sbin/perdition.* -- gen_context(system_u:object_r:perdition_exec_t,s0)
>
> /run/perdition\.pid -- gen_context(system_u:object_r:perdition_var_run_t,s0)
> Index: refpolicy-2.20170224/policy/modules/contrib/perdition.te
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/perdition.te
> +++ refpolicy-2.20170224/policy/modules/contrib/perdition.te
> @@ -23,7 +23,7 @@ files_pid_file(perdition_var_run_t)
> # Local policy
> #
>
> -allow perdition_t self:capability { setgid setuid };
> +allow perdition_t self:capability { chown dac_override fowner setgid setuid };
> dontaudit perdition_t self:capability sys_tty_config;
> allow perdition_t self:process signal_perms;
> allow perdition_t self:tcp_socket { accept listen };
> @@ -33,7 +33,8 @@ allow perdition_t perdition_etc_t:file r
> allow perdition_t perdition_etc_t:lnk_file read_lnk_file_perms;
>
> manage_files_pattern(perdition_t, perdition_var_run_t, perdition_var_run_t)
> -files_pid_filetrans(perdition_t, perdition_var_run_t, file)
> +allow perdition_t perdition_var_run_t:dir manage_dir_perms;
> +files_pid_filetrans(perdition_t, perdition_var_run_t, { file dir })
>
> kernel_read_kernel_sysctls(perdition_t)
> kernel_list_proc(perdition_t)
> @@ -46,11 +47,18 @@ corenet_tcp_sendrecv_generic_node(perdit
> corenet_tcp_sendrecv_all_ports(perdition_t)
> corenet_tcp_bind_generic_node(perdition_t)
>
> +corenet_tcp_connect_pop_port(perdition_t)
> corenet_sendrecv_pop_server_packets(perdition_t)
> corenet_tcp_bind_pop_port(perdition_t)
> corenet_tcp_sendrecv_pop_port(perdition_t)
>
> +corenet_tcp_connect_sieve_port(perdition_t)
> +corenet_sendrecv_sieve_server_packets(perdition_t)
> +corenet_tcp_bind_sieve_port(perdition_t)
> +corenet_tcp_sendrecv_sieve_port(perdition_t)
> +
> dev_read_sysfs(perdition_t)
> +dev_read_urand(perdition_t)
>
> domain_use_interactive_fds(perdition_t)
>
> @@ -71,5 +79,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + mysql_tcp_connect(perdition_t)
> + mysql_stream_connect(perdition_t)
> +')
> +
> +optional_policy(`
> udev_read_db(perdition_t)
> ')
> Index: refpolicy-2.20170224/policy/modules/contrib/postfix.fc
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/postfix.fc
> +++ refpolicy-2.20170224/policy/modules/contrib/postfix.fc
> @@ -1,23 +1,23 @@
> -/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
> +/etc/postfix(/.*)? gen_context(system_u:object_r:postfix_etc_t,s0)
> /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
> /etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
>
> /etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
>
> -/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
> -/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
> -/usr/lib/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
> -/usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
> -/usr/lib/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
> -/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
> -/usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
> -/usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
> -/usr/lib/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
> -/usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
> -/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
> -/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
> -/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
> -/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
> +/usr/lib/postfix/(sbin/)?.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
> +/usr/lib/postfix/(sbin/)?cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
> +/usr/lib/postfix/(sbin/)?local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
> +/usr/lib/postfix/(sbin/)?master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
> +/usr/lib/postfix/(sbin/)?pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
> +/usr/lib/postfix/(sbin/)?(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
> +/usr/lib/postfix/(sbin/)?showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
> +/usr/lib/postfix/(sbin/)?smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
> +/usr/lib/postfix/(sbin/)?lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
> +/usr/lib/postfix/(sbin/)?scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
> +/usr/lib/postfix/(sbin/)?smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
> +/usr/lib/postfix/(sbin/)?bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
> +/usr/lib/postfix/(sbin/)?pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
> +/usr/lib/postfix/(sbin/)?virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
>
> /usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
> /usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
> Index: refpolicy-2.20170224/policy/modules/contrib/postfixpolicyd.te
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/postfixpolicyd.te
> +++ refpolicy-2.20170224/policy/modules/contrib/postfixpolicyd.te
> @@ -18,13 +18,16 @@ init_script_file(postfix_policyd_initrc_
> type postfix_policyd_var_run_t;
> files_pid_file(postfix_policyd_var_run_t)
>
> +type postfix_policyd_tmp_t;
> +files_type(postfix_policyd_tmp_t)
> +
> ########################################
> #
> # Local policy
> #
>
> -allow postfix_policyd_t self:capability { setgid setuid sys_chroot sys_resource };
> -allow postfix_policyd_t self:process setrlimit;
> +allow postfix_policyd_t self:capability { chown sys_chroot sys_resource setgid setuid };
> +allow postfix_policyd_t self:process { setrlimit signal signull };
> allow postfix_policyd_t self:tcp_socket { accept listen };
>
> allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms;
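Review bot: `files_type(postfix_policyd_tmp_t)` declares the new temp type as a generic file type, whereas refpolicy's convention for a type that receives a `files_tmp_filetrans` (as in the next hunk) is `files_tmp_file(postfix_policyd_tmp_t)`, which also places it under the tmp-file attribute that cleanup and relabel rules key on. The capability set on the rewritten allow line, `{ chown sys_chroot sys_resource setgid setuid }`, is no longer alphabetised; `{ chown setgid setuid sys_chroot sys_resource }` matches the file's style. Both are style points rather than functional problems.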
> @@ -34,6 +37,9 @@ allow postfix_policyd_t postfix_policyd_
> manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
> files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
>
> +files_tmp_filetrans(postfix_policyd_t, postfix_policyd_tmp_t, { file sock_file })
> +allow postfix_policyd_t postfix_policyd_tmp_t:{ file sock_file } manage_file_perms;
> +
> corenet_all_recvfrom_unlabeled(postfix_policyd_t)
> corenet_tcp_sendrecv_generic_if(postfix_policyd_t)
> corenet_tcp_sendrecv_generic_node(postfix_policyd_t)
> @@ -49,9 +55,14 @@ corenet_tcp_sendrecv_mysqld_port(postfix
>
> files_read_etc_files(postfix_policyd_t)
> files_read_usr_files(postfix_policyd_t)
> +corecmd_exec_bin(postfix_policyd_t)
> +dev_read_urand(postfix_policyd_t)
>
> logging_send_syslog_msg(postfix_policyd_t)
>
> miscfiles_read_localization(postfix_policyd_t)
>
> sysnet_dns_name_resolve(postfix_policyd_t)
> +
> +kernel_search_network_sysctl(postfix_policyd_t)
> +
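Review bot: `kernel_search_network_sysctl(postfix_policyd_t)` is appended after the `sysnet_` call, and the hunk also adds a trailing blank line at end of file. refpolicy groups calls by module in a fixed order (kernel, corecmd, corenet, dev, files, ..., logging, miscfiles, sysnet), so the kernel call belongs with the other `kernel_` rules near the top of the local-policy section, and the `corecmd_exec_bin` and `dev_read_urand` lines added after the `files_` calls in this hunk are similarly out of order. Style only; no functional change.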
> Index: refpolicy-2.20170224/policy/modules/contrib/postfix.te
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/postfix.te
> +++ refpolicy-2.20170224/policy/modules/contrib/postfix.te
> @@ -172,6 +172,7 @@ optional_policy(`
> #
>
> allow postfix_server_domain self:capability { dac_override setgid setuid };
> +allow postfix_master_t self:process getsched;
>
> allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
>
> @@ -234,6 +235,8 @@ manage_files_pattern(postfix_master_t, p
> manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
> filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_flush_t, dir, "flush")
>
> +hostname_exec(postfix_master_t)
> +
> create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_private_t)
> manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
> manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
> @@ -272,6 +275,7 @@ corenet_udp_sendrecv_generic_node(postfi
> corenet_tcp_sendrecv_all_ports(postfix_master_t)
> corenet_udp_sendrecv_all_ports(postfix_master_t)
> corenet_tcp_bind_generic_node(postfix_master_t)
> +corenet_udp_bind_generic_node(postfix_master_t)
>
> corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
> corenet_tcp_bind_amavisd_send_port(postfix_master_t)
> @@ -326,6 +330,11 @@ optional_policy(`
>
> optional_policy(`
> mailman_manage_data_files(postfix_master_t)
> + mailman_search_data(postfix_pipe_t)
> +')
> +
> +optional_policy(`
> + milter_getattr_data_dir(postfix_master_t)
> ')
>
> optional_policy(`
> @@ -371,6 +380,7 @@ allow postfix_cleanup_t self:process set
>
> allow postfix_cleanup_t postfix_smtpd_t:tcp_socket rw_stream_socket_perms;
> allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms;
> +allow postfix_cleanup_t postfix_smtpd_t:fd use;
>
> allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms;
> allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms;
> @@ -400,6 +410,10 @@ optional_policy(`
> mailman_read_data_files(postfix_cleanup_t)
> ')
>
> +optional_policy(`
> + dkim_stream_connect(postfix_cleanup_t)
> +')
> +
> ########################################
> #
> # Local local policy
> @@ -432,6 +446,7 @@ tunable_policy(`postfix_local_write_mail
> optional_policy(`
> clamav_search_lib(postfix_local_t)
> clamav_exec_clamscan(postfix_local_t)
> + clamav_stream_connect(postfix_smtpd_t)
> ')
>
> optional_policy(`
> @@ -557,6 +572,10 @@ domtrans_pattern(postfix_pipe_t, postfix
>
> corecmd_exec_bin(postfix_pipe_t)
>
> +write_sock_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
> +
> +
> +
> optional_policy(`
> dovecot_domtrans_deliver(postfix_pipe_t)
> ')
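Review bot: Three consecutive blank lines are added after `write_sock_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)`; the file otherwise separates rule groups with a single blank line. The rule also grants only the sock_file write with no comment on which socket under public/ it is for; a short comment in the style of the postdrop hunk, `# for /var/spool/postfix/public/<socket>` (placeholder, fill in the actual socket), would document it, and whether the matching `connectto` is already covered for postfix_pipe_t is not visible from this hunk.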
> @@ -567,6 +586,7 @@ optional_policy(`
>
> optional_policy(`
> mailman_domtrans_queue(postfix_pipe_t)
> + mailman_domtrans(postfix_pipe_t)
> ')
>
> optional_policy(`
> @@ -596,6 +616,10 @@ manage_files_pattern(postfix_postdrop_t,
>
> allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
>
> +# for /var/spool/postfix/public/pickup
> +allow postfix_postdrop_t postfix_public_t:sock_file { getattr write };
> +allow postfix_postdrop_t postfix_master_t:unix_stream_socket connectto;
> +
> mcs_file_read_all(postfix_postdrop_t)
> mcs_file_write_all(postfix_postdrop_t)
>
> @@ -654,6 +678,10 @@ optional_policy(`
> ppp_sigchld(postfix_postqueue_t)
> ')
>
> +optional_policy(`
> + userdom_sigchld_all_users(postfix_postqueue_t)
> +')
> +
> ########################################
> #
> # Qmgr local policy
> Index: refpolicy-2.20170224/policy/modules/contrib/postgrey.te
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/postgrey.te
> +++ refpolicy-2.20170224/policy/modules/contrib/postgrey.te
> @@ -34,6 +34,8 @@ dontaudit postgrey_t self:capability sys
> allow postgrey_t self:process signal_perms;
> allow postgrey_t self:fifo_file create_fifo_file_perms;
> allow postgrey_t self:tcp_socket create_stream_socket_perms;
> +allow postgrey_t self:netlink_route_socket r_netlink_socket_perms;
> +allow postgrey_t self:udp_socket { connect connected_socket_perms };
>
> allow postgrey_t postgrey_etc_t:dir list_dir_perms;
> allow postgrey_t postgrey_etc_t:file read_file_perms;
> @@ -55,7 +57,8 @@ files_pid_filetrans(postgrey_t, postgrey
> kernel_read_system_state(postgrey_t)
> kernel_read_kernel_sysctls(postgrey_t)
>
> -corecmd_search_bin(postgrey_t)
> +corecmd_read_bin_files(postgrey_t)
> +corecmd_exec_bin(postgrey_t)
>
> corenet_all_recvfrom_unlabeled(postgrey_t)
> corenet_all_recvfrom_netlabel(postgrey_t)
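Review bot: Replacing `corecmd_search_bin` with `corecmd_exec_bin(postgrey_t)` lets the daemon execute anything labelled bin_t, a large step up from searching the directory, and the hunk does not say what postgrey runs. A comment naming the helper, for example `# runs <helper> for <purpose> - TODO confirm` above the call, would let a later reviewer judge whether a narrower grant suffices. The added `corecmd_read_bin_files` largely overlaps with what exec already implies and could be reconsidered once the reason is known.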
> Index: refpolicy-2.20170224/policy/modules/contrib/procmail.fc
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/procmail.fc
> +++ refpolicy-2.20170224/policy/modules/contrib/procmail.fc
> @@ -1,6 +1,7 @@
> HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t,s0)
>
> /usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0)
> +/usr/bin/maildrop -- gen_context(system_u:object_r:procmail_exec_t,s0)
>
> /var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0)
> /var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0)
> Index: refpolicy-2.20170224/policy/modules/contrib/procmail.te
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/procmail.te
> +++ refpolicy-2.20170224/policy/modules/contrib/procmail.te
> @@ -145,3 +145,8 @@ optional_policy(`
> spamassassin_domtrans_client(procmail_t)
> spamassassin_read_lib_files(procmail_t)
> ')
> +
> +optional_policy(`
> + courier_read_config(procmail_t)
> + courier_stream_connect_authdaemon(procmail_t)
> +')
> Index: refpolicy-2.20170224/policy/modules/contrib/spamassassin.fc
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/spamassassin.fc
> +++ refpolicy-2.20170224/policy/modules/contrib/spamassassin.fc
> @@ -23,6 +23,7 @@ HOME_DIR/\.spamd(/.*)? gen_context(syste
> /var/log/mimedefang.* -- gen_context(system_u:object_r:spamd_log_t,s0)
>
> /run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
> +/run/spamassassin\.pid gen_context(system_u:object_r:spamd_var_run_t,s0)
>
> /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
> /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
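Review bot: The new `/run/spamassassin\.pid` entry has no file-type field, so it matches any object type at that path, while every other single-file entry in this fc file uses `--`. Suggest `/run/spamassassin\.pid -- gen_context(system_u:object_r:spamd_var_run_t,s0)`. It is harmless today, but the consistent qualifier is what fc checks and later readers expect.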
> Index: refpolicy-2.20170224/policy/modules/contrib/spamassassin.te
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/contrib/spamassassin.te
> +++ refpolicy-2.20170224/policy/modules/contrib/spamassassin.te
> @@ -46,6 +46,7 @@ type spamc_exec_t;
> typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
> typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
> userdom_user_application_domain(spamc_t, spamc_exec_t)
> +role system_r types spamc_t;
>
> type spamc_tmp_t;
> typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
> Index: refpolicy-2.20170224/policy/modules/system/unconfined.if
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/system/unconfined.if
> +++ refpolicy-2.20170224/policy/modules/system/unconfined.if
> @@ -319,6 +319,24 @@ interface(`unconfined_run_to',`
>
> ########################################
> ## <summary>
> +## Allow the specified domain to be in the unconfined role
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to permit in unconfined_r
> +## </summary>
> +## </param>
> +#
> +interface(`permit_in_unconfined_r',`
> + gen_require(`
> + role unconfined_r;
> + ')
> +
> + role unconfined_r types $1;
> +')
> +
> +########################################
> +## <summary>
> ## Inherit file descriptors from the unconfined domain.
> ## </summary>
> ## <param name="domain">
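Review bot: The new interface is named `permit_in_unconfined_r`, which breaks the refpolicy convention that every interface in unconfined.if carries the `unconfined_` module prefix, as the neighbouring `unconfined_run_to` does; an out-of-convention name also defeats the module-prefix lookup policy authors rely on. A name such as `unconfined_role_types` (a suggested name, not an existing interface) would be consistent, and the parameter summary should describe a type rather than a domain, since `role unconfined_r types $1;` associates a type with the role. The interface body itself is minimal and does what the summary says.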


--
Chris PeBenito