From: dwalsh@redhat.com (Daniel J Walsh)
Date: Thu, 07 Jan 2010 10:22:20 -0500
Subject: [refpolicy] services_razor.patch
In-Reply-To: <1262872891.2553.5599.camel@gorn.columbia.tresys.com>
References: <4AFC8410.8040403@redhat.com> <1262872891.2553.5599.camel@gorn.columbia.tresys.com>
Message-ID: <4B45FC2C.3050007@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 01/07/2010 09:01 AM, Christopher J. PeBenito wrote:
> On Thu, 2009-11-12 at 16:54 -0500, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_razor.patch
>>
>> Consolidated with spam
>
> I need more information on this consolidation.
>

I believe we went way overboard on Least Priv when it came to handling spam. I think that spamassassin, razor and pyzor should all be consolidated into one spam handling policy: spamd_t for services, spamc_t for client apps. Trying to get all of the different spam handlers to work together created a huge spaghetti of shared access, with little if any additional security.

typealias spamc_t alias pyzor_t;
typealias spamc_t alias razor_t;
typealias spamc_t alias spamassassin_t;
+ typealias spamd_t alias pyzord_t;

My overall patch has something like this in it.
grep -r "typealias.*spam" policy-F13.patch + typealias spamc_t alias pyzor_t; + typealias spamc_exec_t alias pyzor_exec_t; + typealias spamd_t alias pyzord_t; + typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t; + typealias spamd_exec_t alias pyzord_exec_t; + typealias spamc_tmp_t alias pyzor_tmp_t; + typealias spamd_log_t alias pyzor_log_t; + typealias spamd_log_t alias pyzord_log_t; + typealias spamd_var_lib_t alias pyzor_var_lib_t; + typealias spamd_etc_t alias pyzor_etc_t; + typealias spamc_home_t alias pyzor_home_t; + typealias spamc_home_t alias user_pyzor_home_t; + typealias spamc_t alias razor_t; + typealias spamc_exec_t alias razor_exec_t; + typealias spamd_log_t alias razor_log_t; + typealias spamd_var_lib_t alias razor_var_lib_t; + typealias spamd_etc_t alias razor_etc_t; + typealias spamc_home_t alias razor_home_t; + typealias spamc_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t }; + typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t }; + typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t }; + typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t }; +typealias spamc_exec_t alias spamassassin_exec_t; +typealias spamc_t alias spamassassin_t; +typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; +typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; +typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t }; +typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t }; +typealias spamc_tmp_t alias spamassassin_tmp_t; +typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; +typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; +typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; 
+typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t }; typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
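Review bot: the aliases map the razor and pyzor client-side data types onto daemon types while the tools themselves move into the client domain, and that combination forces a privilege widening that the grep does not show. `typealias spamc_t alias razor_t;` and `typealias spamc_t alias pyzor_t;` put razor and pyzor in spamc_t, but `typealias spamd_var_lib_t alias razor_var_lib_t;`, `typealias spamd_log_t alias razor_log_t;` and `typealias spamd_etc_t alias razor_etc_t;` (and the pyzor_var_lib_t/pyzor_log_t/pyzor_etc_t equivalents) give their state, logs and config the spamd types. For razor-admin, pyzor discover and friends to keep working, spamc_t must now get write access to spamd_var_lib_t and spamd_log_t and read on spamd_etc_t, which hands every process in the client domain (including anything run from a user's mail filter) the ability to modify the daemon's on-disk state and configuration. Either alias these to client-side types (a spamc_var_lib_t/spamc_log_t, or spamc_home_t where the data is per-user anyway, as is already done for razor_home_t and pyzor_home_t here) or state explicitly which allow rules were added for spamc_t so the widening can be judged. Related: this listing is only the typealias shims; the .fc relabeling, the interfaces removed from the razor and pyzor modules, and the allow rules that replace them are what PeBenito asked for and are not visible, so the full diff should accompany the explanation. Minor style point: the razor/pyzor lines use `+ typealias` with a leading space while the spamassassin lines use `+typealias`; refpolicy .te files do not indent top-level statements, so the leading spaces should go.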