2017-09-11 03:18:27

by Mira Ressel

Subject: [refpolicy] [PATCH 1/3] postfix: Some table drivers (notably cdb) need to mmap() their databases

This change also grants exim (the other caller of the mta_read_aliases
interface) to map the mail aliases, but that seems minor enough not to
warrant the creation of a new interface.
---
mta.if | 2 +-
postfix.te | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/mta.if b/mta.if
index 2b99dd5..8565982 100644
--- a/mta.if
+++ b/mta.if
@@ -586,7 +586,7 @@ interface(`mta_read_aliases',`
')

files_search_etc($1)
- allow $1 etc_aliases_t:file read_file_perms;
+ allow $1 etc_aliases_t:file { read_file_perms map };
')

########################################
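Review bot: the added permission at `+ allow $1 etc_aliases_t:file { read_file_perms map };` lands in a shared interface, so every caller of mta_read_aliases (the commit message names exim as the other one) receives map whether or not it mmap()s the aliases file; a separate interface for the callers that need to map the file keeps read-only callers at read_file_perms, and the interface's doc comment should be updated if map stays here.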
diff --git a/postfix.te b/postfix.te
index 84e0b5e..eb4af6c 100644
--- a/postfix.te
+++ b/postfix.te
@@ -115,7 +115,7 @@ allow postfix_domain self:fifo_file rw_fifo_file_perms;
allow postfix_domain self:unix_stream_socket { accept connectto listen };

allow postfix_domain postfix_etc_t:dir list_dir_perms;
-allow postfix_domain postfix_etc_t:file read_file_perms;
+allow postfix_domain postfix_etc_t:file { read_file_perms map };
allow postfix_domain postfix_etc_t:lnk_file read_lnk_file_perms;

allow postfix_domain postfix_master_t:file read_file_perms;
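Review bot: `+allow postfix_domain postfix_etc_t:file { read_file_perms map };` grants map to every type carrying the postfix_domain attribute, not only the daemons that open cdb tables. Since read was already granted and a writable shared mapping would still need write, this does not expose more data, but a comment naming the cdb table driver as the reason (as the subject line does) would keep the rule from looking accidental.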
@@ -489,7 +489,7 @@ allow postfix_map_t self:capability { dac_override setgid setuid };
allow postfix_map_t self:tcp_socket { accept listen };

allow postfix_map_t postfix_etc_t:dir manage_dir_perms;
-allow postfix_map_t postfix_etc_t:file manage_file_perms;
+allow postfix_map_t postfix_etc_t:file { manage_file_perms map };
allow postfix_map_t postfix_etc_t:lnk_file manage_lnk_file_perms;

manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
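Review bot: with manage_file_perms already on postfix_etc_t, adding map at `+allow postfix_map_t postfix_etc_t:file { manage_file_perms map };` lets postfix_map_t mmap its own table files read-write, which building a cdb table needs, so this is consistent; before resending, check that the postfix.te hunks still apply on the current tree, since later in this thread this part is reported as already merged through Jason Zaman.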
--
2.14.1


2017-09-11 03:18:28

by Mira Ressel

Subject: [refpolicy] [PATCH 2/3] postfix: Silence cap_dac_read_search denials

As far as I can see, dac_override is indeed required everywhere.
---
postfix.te | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/postfix.te b/postfix.te
index eb4af6c..9b140af 100644
--- a/postfix.te
+++ b/postfix.te
@@ -171,7 +171,7 @@ optional_policy(`
# Common postfix server domain local policy
#

-allow postfix_server_domain self:capability { dac_override setgid setuid };
+allow postfix_server_domain self:capability { dac_read_search dac_override setgid setuid };
allow postfix_master_t self:process getsched;

allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
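Review bot: the commit message says dac_override is required everywhere but not why dac_read_search now has to appear next to it; a short comment beside `+allow postfix_server_domain self:capability { dac_read_search dac_override setgid setuid };` explaining that 4.12+ kernels check dac_read_search before dac_override on read and search paths (the question raised later in this thread) would stop the next reader from trying to drop one of the two. As the thread also notes, a dontaudit is the alternative if the only goal is a quieter log; either way the access actually granted is unchanged because dac_override already covers it.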
@@ -190,7 +190,7 @@ corenet_tcp_sendrecv_all_ports(postfix_server_domain)
# Common postfix user domain local policy
#

-allow postfix_user_domains self:capability dac_override;
+allow postfix_user_domains self:capability { dac_read_search dac_override };

domain_use_interactive_fds(postfix_user_domains)

@@ -199,7 +199,7 @@ domain_use_interactive_fds(postfix_user_domains)
# Master local policy
#

-allow postfix_master_t self:capability { chown dac_override fowner kill setgid setuid sys_tty_config };
+allow postfix_master_t self:capability { chown dac_read_search dac_override fowner kill setgid setuid sys_tty_config };
allow postfix_master_t self:capability2 block_suspend;
allow postfix_master_t self:process setrlimit;
allow postfix_master_t self:tcp_socket create_stream_socket_perms;
@@ -485,7 +485,7 @@ optional_policy(`
# Map local policy
#

-allow postfix_map_t self:capability { dac_override setgid setuid };
+allow postfix_map_t self:capability { dac_read_search dac_override setgid setuid };
allow postfix_map_t self:tcp_socket { accept listen };

allow postfix_map_t postfix_etc_t:dir manage_dir_perms;
--
2.14.1

2017-09-11 03:18:29

by Mira Ressel

Subject: [refpolicy] [PATCH 3/3] portage: Allow portage_t and portage_sandbox_t to access locale_t

This didn't crop out until now due to portage's wide-ranging access, but
it's necessary now for the map permission.

I'm aware adding the interface directly for portage_t is redundant, but
I'm doing it nevertheless in case we ever remove
portage_compile_domain(portage_t).
---
portage.if | 2 ++
portage.te | 2 ++
2 files changed, 4 insertions(+)

diff --git a/portage.if b/portage.if
index 3447a45..5e8eb2b 100644
--- a/portage.if
+++ b/portage.if
@@ -180,6 +180,8 @@ interface(`portage_compile_domain',`

logging_send_syslog_msg($1)

+ miscfiles_read_localization($1)
+
userdom_use_user_terminals($1)

# SELinux-enabled programs running in the sandbox
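Review bot: `+ miscfiles_read_localization($1)` is added to portage_compile_domain, so every domain built with that interface, not only portage_sandbox_t, now reads locale_t; the commit message should name the denial that prompted it (the subject mentions the map permission on locale_t) so the scope can be checked against the actual need.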
diff --git a/portage.te b/portage.te
index 903d0d1..4a80703 100644
--- a/portage.te
+++ b/portage.te
@@ -195,6 +195,8 @@ auth_manage_shadow(portage_t)
# merging baselayout will need this:
init_exec(portage_t)

+miscfiles_read_localization(portage_t)
+
# run setfiles -r
seutil_run_setfiles(portage_t, portage_roles)
# run semodule
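Review bot: the commit message explains that `+miscfiles_read_localization(portage_t)` is redundant with portage_compile_domain(portage_t) and is kept deliberately; that reasoning belongs in a comment above the call, like the `# run setfiles -r` and `# run semodule` comments around it, since readers of portage.te will not see the commit message.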
--
2.14.1

2017-09-12 00:07:03

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/3] postfix: Some table drivers (notably cdb) need to mmap() their databases

On 09/10/2017 11:18 PM, Luis Ressel via refpolicy wrote:
> This change also grants exim (the other caller of the mta_read_aliases
> interface) to map the mail aliases, but that seems minor enough not to
> warrant the creation of a new interface.

While trivial, I'd prefer a separate interface, so any future users of
the interface don't get an extra permission they might not need.


> ---
> mta.if | 2 +-
> postfix.te | 4 ++--
> 2 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/mta.if b/mta.if
> index 2b99dd5..8565982 100644
> --- a/mta.if
> +++ b/mta.if
> @@ -586,7 +586,7 @@ interface(`mta_read_aliases',`
> ')
>
> files_search_etc($1)
> - allow $1 etc_aliases_t:file read_file_perms;
> + allow $1 etc_aliases_t:file { read_file_perms map };
> ')
>
> ########################################
> diff --git a/postfix.te b/postfix.te
> index 84e0b5e..eb4af6c 100644
> --- a/postfix.te
> +++ b/postfix.te
> @@ -115,7 +115,7 @@ allow postfix_domain self:fifo_file rw_fifo_file_perms;
> allow postfix_domain self:unix_stream_socket { accept connectto listen };
>
> allow postfix_domain postfix_etc_t:dir list_dir_perms;
> -allow postfix_domain postfix_etc_t:file read_file_perms;
> +allow postfix_domain postfix_etc_t:file { read_file_perms map };
> allow postfix_domain postfix_etc_t:lnk_file read_lnk_file_perms;
>
> allow postfix_domain postfix_master_t:file read_file_perms;
> @@ -489,7 +489,7 @@ allow postfix_map_t self:capability { dac_override setgid setuid };
> allow postfix_map_t self:tcp_socket { accept listen };
>
> allow postfix_map_t postfix_etc_t:dir manage_dir_perms;
> -allow postfix_map_t postfix_etc_t:file manage_file_perms;
> +allow postfix_map_t postfix_etc_t:file { manage_file_perms map };
> allow postfix_map_t postfix_etc_t:lnk_file manage_lnk_file_perms;
>
> manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
>


--
Chris PeBenito

2017-09-12 00:10:28

by Chris PeBenito

Subject: [refpolicy] [PATCH 2/3] postfix: Silence cap_dac_read_search denials

On 09/10/2017 11:18 PM, Luis Ressel via refpolicy wrote:
> As far as I can see, dac_override is indeed required everywhere.

Is this tested on a kernel with the swapped dac_override/dac_read_search
checks? (4.12+)

> ---
> postfix.te | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/postfix.te b/postfix.te
> index eb4af6c..9b140af 100644
> --- a/postfix.te
> +++ b/postfix.te
> @@ -171,7 +171,7 @@ optional_policy(`
> # Common postfix server domain local policy
> #
>
> -allow postfix_server_domain self:capability { dac_override setgid setuid };
> +allow postfix_server_domain self:capability { dac_read_search dac_override setgid setuid };
> allow postfix_master_t self:process getsched;
>
> allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
> @@ -190,7 +190,7 @@ corenet_tcp_sendrecv_all_ports(postfix_server_domain)
> # Common postfix user domain local policy
> #
>
> -allow postfix_user_domains self:capability dac_override;
> +allow postfix_user_domains self:capability { dac_read_search dac_override };
>
> domain_use_interactive_fds(postfix_user_domains)
>
> @@ -199,7 +199,7 @@ domain_use_interactive_fds(postfix_user_domains)
> # Master local policy
> #
>
> -allow postfix_master_t self:capability { chown dac_override fowner kill setgid setuid sys_tty_config };
> +allow postfix_master_t self:capability { chown dac_read_search dac_override fowner kill setgid setuid sys_tty_config };
> allow postfix_master_t self:capability2 block_suspend;
> allow postfix_master_t self:process setrlimit;
> allow postfix_master_t self:tcp_socket create_stream_socket_perms;
> @@ -485,7 +485,7 @@ optional_policy(`
> # Map local policy
> #
>
> -allow postfix_map_t self:capability { dac_override setgid setuid };
> +allow postfix_map_t self:capability { dac_read_search dac_override setgid setuid };
> allow postfix_map_t self:tcp_socket { accept listen };
>
> allow postfix_map_t postfix_etc_t:dir manage_dir_perms;
>


--
Chris PeBenito

2017-09-12 00:11:23

by Chris PeBenito

Subject: [refpolicy] [PATCH 3/3] portage: Allow portage_t and portage_sandbox_t to access locale_t

On 09/10/2017 11:18 PM, Luis Ressel via refpolicy wrote:
> This didn't crop out until now due to portage's wide-ranging access, but
> it's necessary now for the map permission.
>
> I'm aware adding the interface directly for portage_t is redundant, but
> I'm doing it nevertheless in case we ever remove
> portage_compile_domain(portage_t).
> ---
> portage.if | 2 ++
> portage.te | 2 ++
> 2 files changed, 4 insertions(+)
>
> diff --git a/portage.if b/portage.if
> index 3447a45..5e8eb2b 100644
> --- a/portage.if
> +++ b/portage.if
> @@ -180,6 +180,8 @@ interface(`portage_compile_domain',`
>
> logging_send_syslog_msg($1)
>
> + miscfiles_read_localization($1)
> +
> userdom_use_user_terminals($1)
>
> # SELinux-enabled programs running in the sandbox
> diff --git a/portage.te b/portage.te
> index 903d0d1..4a80703 100644
> --- a/portage.te
> +++ b/portage.te
> @@ -195,6 +195,8 @@ auth_manage_shadow(portage_t)
> # merging baselayout will need this:
> init_exec(portage_t)
>
> +miscfiles_read_localization(portage_t)
> +
> # run setfiles -r
> seutil_run_setfiles(portage_t, portage_roles)
> # run semodule

Merged.

--
Chris PeBenito

2017-09-12 01:52:21

by Mira Ressel

Subject: [refpolicy] [PATCH 2/3] postfix: Silence cap_dac_read_search denials

On Mon, 11 Sep 2017 20:10:28 -0400
Chris PeBenito via refpolicy <[email protected]> wrote:

> On 09/10/2017 11:18 PM, Luis Ressel via refpolicy wrote:
> > As far as I can see, dac_override is indeed required everywhere.
>
> Is this tested on a kernel with the swapped
> dac_override/dac_read_search checks? (4.12+)

Yes, exactly. As for dac_override being required, it seems the daemons
open some unix sockets which only the postfix user has permission for,
while they're still running with root permissions.

2017-09-12 06:32:03

by Dac Override

Subject: [refpolicy] [PATCH 2/3] postfix: Silence cap_dac_read_search denials

On Tue, Sep 12, 2017 at 03:52:21AM +0200, Luis Ressel via refpolicy wrote:
> On Mon, 11 Sep 2017 20:10:28 -0400
> Chris PeBenito via refpolicy <[email protected]> wrote:
>
> > On 09/10/2017 11:18 PM, Luis Ressel via refpolicy wrote:
> > > As far as I can see, dac_override is indeed required everywhere.
> >
> > Is this tested on a kernel with the swapped
> > dac_override/dac_read_search checks? (4.12+)
>
> Yes, exactly. As for dac_override being required, it seems the daemons
> open some unix sockets which only the postfix user has permission for,
> while they're still running with root permissions.

Then the dac_read_search could be dontaudited (although I suppose it doesn't strictly have to since dac_override is a superset of it)



--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

2017-09-17 10:30:03

by Mira Ressel

Subject: [refpolicy] [PATCH 2/3] postfix: Silence cap_dac_read_search denials

On Tue, 12 Sep 2017 08:32:03 +0200
Dominick Grift via refpolicy <[email protected]> wrote:

> On Tue, Sep 12, 2017 at 03:52:21AM +0200, Luis Ressel via refpolicy
> wrote:
> > On Mon, 11 Sep 2017 20:10:28 -0400
> > Chris PeBenito via refpolicy <[email protected]> wrote:
> >
> > > On 09/10/2017 11:18 PM, Luis Ressel via refpolicy wrote:
> > > > As far as I can see, dac_override is indeed required
> > > > everywhere.
> > >
> > > Is this tested on a kernel with the swapped
> > > dac_override/dac_read_search checks? (4.12+)
> >
> > Yes, exactly. As for dac_override being required, it seems the
> > daemons open some unix sockets which only the postfix user has
> > permission for, while they're still running with root permissions.
>
> Then the dac_read_search could be dontaudited (although I suppose it
> doesn't strictly have to since dac_override is a superset of it)

Given that there's zero difference in the permissions that postfix will
ultimately end up with, I'd prefer to allow it. Both because it keeps
the policy a few lines shorter, and because there can be a /lot/ of
denials for this perm depending on the postfix setup, which may be
annoying when one has to disable dontaudit rules to debug something.

(CCing Chris in case he has forgotten about this patch.)

Regards,
Luis Ressel
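The two policy lines this thread changes (the map permission from patch 1 and the dac_read_search capability from patch 2), checked against constructed AVC denials, as an added example that is not part of the thread or of refpolicy: the rule syntax and the read_file_perms expansion are refpolicy's, while the attribute membership table, the log lines and the checker itself are assumptions of mine.

```python
import re

# read_file_perms as refpolicy's obj_perm_sets.spt defines it; the only macro these rules use.
PERM_SETS = {"read_file_perms": {"getattr", "open", "read", "lock", "ioctl"}}
# Assumed attribute membership (refpolicy's postfix_domain_template() fills postfix_domain).
ATTRIBUTES = {"postfix_domain": {"postfix_master_t", "postfix_smtpd_t", "postfix_map_t"}}

RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\w+)\s+(\{[^}]*\}|\S+);")
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\w+)")

# The two rules as they read before and after the patches in this thread.
BEFORE = """\
allow postfix_domain postfix_etc_t:file read_file_perms;
allow postfix_map_t self:capability { dac_override setgid setuid };
"""
PATCHED = """\
allow postfix_domain postfix_etc_t:file { read_file_perms map };
allow postfix_map_t self:capability { dac_read_search dac_override setgid setuid };
"""

# Constructed audit.log lines in the kernel's AVC format; not real denials.
LOG = """\
type=AVC msg=audit(1505100001.100:201): avc:  denied  { dac_read_search } for  pid=1201 comm="postmap" capability=2  scontext=system_u:system_r:postfix_map_t:s0 tcontext=system_u:system_r:postfix_map_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1505100002.200:202): avc:  denied  { map } for  pid=1202 comm="smtpd" path="/etc/postfix/virtual.cdb" dev="sda1" ino=4242 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1505100003.300:203): avc:  denied  { write } for  pid=1202 comm="smtpd" path="/etc/postfix/main.cf" dev="sda1" ino=4243 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file permissive=0
"""


def parse_rules(policy):
    """Turn 'allow src tgt:class perms;' lines into (src, tgt, class, {perms})."""
    rules = []
    for line in policy.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            src, tgt, tclass, perms = m.groups()
            # Expand permission-set macros; bare permissions pass through unchanged.
            expanded = set().union(*(PERM_SETS.get(p, {p}) for p in perms.strip("{} ").split()))
            rules.append((src, tgt, tclass, expanded))
    return rules


def _matches(name, pattern):
    return name == pattern or name in ATTRIBUTES.get(pattern, ())


def covers(rules, stype, ttype, tclass, perm):
    """True if a rule grants exactly `perm`. The AVC names the permission the
    kernel asked for, so allowing dac_override does not hide a dac_read_search
    denial; the policy has to allow (or dontaudit) that permission by name."""
    for src, tgt, rclass, perms in rules:
        if rclass != tclass or perm not in perms or not _matches(stype, src):
            continue
        target_ok = ttype == stype if tgt == "self" else _matches(ttype, tgt)
        if target_ok:
            return True
    return False


def parse_avc(line):
    m = AVC_RE.search(line)
    if not m:
        return []
    perms, scon, tcon, tclass = m.groups()
    stype, ttype = scon.split(":")[2], tcon.split(":")[2]  # user:role:type:mls
    return [(stype, ttype, tclass, p) for p in perms.split()]


def unmatched_denials(rules, log):
    return [d for line in log.splitlines() for d in parse_avc(line) if not covers(rules, *d)]
```

With BEFORE all three constructed denials stay audited; with PATCHED only the write on main.cf remains, which is the one that still deserves a look rather than a policy change.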

2017-09-17 14:10:34

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/3] postfix: Some table drivers (notably cdb) need to mmap() their databases

On 09/10/2017 11:18 PM, Luis Ressel via refpolicy wrote:
> This change also grants exim (the other caller of the mta_read_aliases
> interface) to map the mail aliases, but that seems minor enough not to
> warrant the creation of a new interface.
> ---
> mta.if | 2 +-
> postfix.te | 4 ++--
> 2 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/mta.if b/mta.if
> index 2b99dd5..8565982 100644
> --- a/mta.if
> +++ b/mta.if
> @@ -586,7 +586,7 @@ interface(`mta_read_aliases',`
> ')
>
> files_search_etc($1)
> - allow $1 etc_aliases_t:file read_file_perms;
> + allow $1 etc_aliases_t:file { read_file_perms map };
> ')
>
> ########################################

Merged, the above. The below already came in from Jason Zaman.


> diff --git a/postfix.te b/postfix.te
> index 84e0b5e..eb4af6c 100644
> --- a/postfix.te
> +++ b/postfix.te
> @@ -115,7 +115,7 @@ allow postfix_domain self:fifo_file rw_fifo_file_perms;
> allow postfix_domain self:unix_stream_socket { accept connectto listen };
>
> allow postfix_domain postfix_etc_t:dir list_dir_perms;
> -allow postfix_domain postfix_etc_t:file read_file_perms;
> +allow postfix_domain postfix_etc_t:file { read_file_perms map };
> allow postfix_domain postfix_etc_t:lnk_file read_lnk_file_perms;
>
> allow postfix_domain postfix_master_t:file read_file_perms;
> @@ -489,7 +489,7 @@ allow postfix_map_t self:capability { dac_override setgid setuid };
> allow postfix_map_t self:tcp_socket { accept listen };
>
> allow postfix_map_t postfix_etc_t:dir manage_dir_perms;
> -allow postfix_map_t postfix_etc_t:file manage_file_perms;
> +allow postfix_map_t postfix_etc_t:file { manage_file_perms map };
> allow postfix_map_t postfix_etc_t:lnk_file manage_lnk_file_perms;
>
> manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
>


--
Chris PeBenito

2017-09-17 20:47:14

by Mira Ressel

Subject: [refpolicy] [PATCH 1/3] postfix: Some table drivers (notably cdb) need to mmap() their databases

On Sun, 17 Sep 2017 10:10:34 -0400
Chris PeBenito <[email protected]> wrote:

> On 09/10/2017 11:18 PM, Luis Ressel via refpolicy wrote:
> > This change also grants exim (the other caller of the
> > mta_read_aliases interface) to map the mail aliases, but that seems
> > minor enough not to warrant the creation of a new interface.
> > ---
> > mta.if | 2 +-
> > postfix.te | 4 ++--
> > 2 files changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/mta.if b/mta.if
> > index 2b99dd5..8565982 100644
> > --- a/mta.if
> > +++ b/mta.if
> > @@ -586,7 +586,7 @@ interface(`mta_read_aliases',`
> > ')
> >
> > files_search_etc($1)
> > - allow $1 etc_aliases_t:file read_file_perms;
> > + allow $1 etc_aliases_t:file { read_file_perms map };
> > ')
> >
> > ########################################
>
> Merged, the above. The below already came in from Jason Zaman.

Umm, this wasn't supposed to be merged. I submitted a second revision
of this patch based on your feedback, and you merged it last Tuesday
(commit b17eacb). Please revert commit ac27e919; I'm sorry about the
confusion.

When I wrote earlier today that one of my postfix patches was still
waiting to be merged, I was referring to "postfix: Silence
cap_dac_read_search denials".

Regards,
Luis Ressel

2017-09-18 01:06:49

by Chris PeBenito

Subject: [refpolicy] [PATCH 2/3] postfix: Silence cap_dac_read_search denials

On 09/10/2017 11:18 PM, Luis Ressel via refpolicy wrote:
> As far as I can see, dac_override is indeed required everywhere.
> ---
> postfix.te | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/postfix.te b/postfix.te
> index eb4af6c..9b140af 100644
> --- a/postfix.te
> +++ b/postfix.te
> @@ -171,7 +171,7 @@ optional_policy(`
> # Common postfix server domain local policy
> #
>
> -allow postfix_server_domain self:capability { dac_override setgid setuid };
> +allow postfix_server_domain self:capability { dac_read_search dac_override setgid setuid };
> allow postfix_master_t self:process getsched;
>
> allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
> @@ -190,7 +190,7 @@ corenet_tcp_sendrecv_all_ports(postfix_server_domain)
> # Common postfix user domain local policy
> #
>
> -allow postfix_user_domains self:capability dac_override;
> +allow postfix_user_domains self:capability { dac_read_search dac_override };
>
> domain_use_interactive_fds(postfix_user_domains)
>
> @@ -199,7 +199,7 @@ domain_use_interactive_fds(postfix_user_domains)
> # Master local policy
> #
>
> -allow postfix_master_t self:capability { chown dac_override fowner kill setgid setuid sys_tty_config };
> +allow postfix_master_t self:capability { chown dac_read_search dac_override fowner kill setgid setuid sys_tty_config };
> allow postfix_master_t self:capability2 block_suspend;
> allow postfix_master_t self:process setrlimit;
> allow postfix_master_t self:tcp_socket create_stream_socket_perms;
> @@ -485,7 +485,7 @@ optional_policy(`
> # Map local policy
> #
>
> -allow postfix_map_t self:capability { dac_override setgid setuid };
> +allow postfix_map_t self:capability { dac_read_search dac_override setgid setuid };
> allow postfix_map_t self:tcp_socket { accept listen };
>
> allow postfix_map_t postfix_etc_t:dir manage_dir_perms;

Merged.

--
Chris PeBenito

2017-09-18 01:09:00

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/3] postfix: Some table drivers (notably cdb) need to mmap() their databases

On 09/17/2017 04:47 PM, Luis Ressel wrote:
> On Sun, 17 Sep 2017 10:10:34 -0400
> Chris PeBenito <[email protected]> wrote:
>
>> On 09/10/2017 11:18 PM, Luis Ressel via refpolicy wrote:
>>> This change also grants exim (the other caller of the
>>> mta_read_aliases interface) to map the mail aliases, but that seems
>>> minor enough not to warrant the creation of a new interface.
>>> ---
>>> mta.if | 2 +-
>>> postfix.te | 4 ++--
>>> 2 files changed, 3 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/mta.if b/mta.if
>>> index 2b99dd5..8565982 100644
>>> --- a/mta.if
>>> +++ b/mta.if
>>> @@ -586,7 +586,7 @@ interface(`mta_read_aliases',`
>>> ')
>>>
>>> files_search_etc($1)
>>> - allow $1 etc_aliases_t:file read_file_perms;
>>> + allow $1 etc_aliases_t:file { read_file_perms map };
>>> ')
>>>
>>> ########################################
>>
>> Merged, the above. The below already came in from Jason Zaman.
>
> Umm, this wasn't supposed to be merged. I submitted a second revision
> of this patch based on your feedback, and you merged it last Tuesday
> (commit b17eacb). Please revert commit ac27e919; I'm sorry about the
> confusion.

No worries. I was confused by how the email thread looked with
Thunderbird's threading.

--
Chris PeBenito