From: russell@coker.com.au (Russell Coker)
Date: Tue, 21 Feb 2017 19:33:17 +1100
Subject: [refpolicy]  [PATCH] mailman
Message-ID: <20170221083317.xqkkuiaoiyjme54g@athena.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com


Description: Mailman patches
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2017-02-21

Index: refpolicy-2.20170221/policy/modules/contrib/mailman.te
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/contrib/mailman.te
+++ refpolicy-2.20170221/policy/modules/contrib/mailman.te
@@ -91,11 +91,31 @@ miscfiles_read_localization(mailman_doma
 # CGI local policy
 #
 
-dev_read_urand(mailman_cgi_t)
+allow mailman_cgi_t self:unix_dgram_socket { create connect };
 
-term_use_controlling_term(mailman_cgi_t)
+allow mailman_cgi_t mailman_data_t:dir rw_dir_perms;
+allow mailman_cgi_t mailman_data_t:file manage_file_perms;
+allow mailman_cgi_t mailman_data_t:lnk_file read_lnk_file_perms;
+
+allow mailman_cgi_t mailman_log_t:file { append_file_perms read_file_perms };
+allow mailman_cgi_t mailman_log_t:dir search_dir_perms;
+
+allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms;
+allow mailman_cgi_t mailman_lock_t:file manage_file_perms;
 
+allow mailman_cgi_t mailman_archive_t:dir search_dir_perms;
+allow mailman_cgi_t mailman_archive_t:file read_file_perms;
+
+kernel_read_crypto_sysctls(mailman_cgi_t)
+kernel_read_system_state(mailman_cgi_t)
+
+corecmd_exec_bin(mailman_cgi_t)
+dev_read_urand(mailman_cgi_t)
+files_search_locks(mailman_cgi_t)
 libs_dontaudit_write_lib_dirs(mailman_cgi_t)
+logging_search_logs(mailman_cgi_t)
+miscfiles_read_localization(mailman_cgi_t)
+term_use_controlling_term(mailman_cgi_t)
 
 optional_policy(`
 	apache_sigchld(mailman_cgi_t)
@@ -118,21 +138,55 @@ optional_policy(`
 allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config };
 allow mailman_mail_t self:process { signal signull };
 
+allow mailman_mail_t mailman_data_t:dir rw_dir_perms;
+allow mailman_mail_t mailman_data_t:file manage_file_perms;
+allow mailman_mail_t mailman_data_t:lnk_file read_lnk_file_perms;
+
+allow mailman_mail_t mailman_log_t:dir search;
+allow mailman_mail_t mailman_log_t:file read_file_perms;
+
+allow mailman_mail_t mailman_archive_t:dir manage_dir_perms;
+allow mailman_mail_t mailman_archive_t:file manage_file_perms;
+allow mailman_mail_t mailman_archive_t:lnk_file manage_lnk_file_perms;
+
+allow mailman_mail_t self:process setsched;
+
+domain_auto_transition_pattern(mailman_mail_t, mailman_queue_exec_t, mailman_queue_t)
+allow mailman_mail_t mailman_queue_exec_t:file ioctl;
+
+can_exec(mailman_mail_t, mailman_mail_exec_t)
+
 manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
 manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
 files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir })
 
-corenet_sendrecv_innd_client_packets(mailman_mail_t)
-corenet_tcp_connect_innd_port(mailman_mail_t)
-corenet_tcp_sendrecv_innd_port(mailman_mail_t)
+allow mailman_mail_t mailman_lock_t:dir rw_dir_perms;
+allow mailman_mail_t mailman_lock_t:file manage_file_perms;
+
+kernel_read_system_state(mailman_mail_t)
 
+corenet_tcp_connect_smtp_port(mailman_mail_t)
 corenet_sendrecv_spamd_client_packets(mailman_mail_t)
+corenet_sendrecv_innd_client_packets(mailman_mail_t)
+corenet_tcp_connect_innd_port(mailman_mail_t)
 corenet_tcp_connect_spamd_port(mailman_mail_t)
+corenet_tcp_sendrecv_innd_port(mailman_mail_t)
 corenet_tcp_sendrecv_spamd_port(mailman_mail_t)
 
 dev_read_urand(mailman_mail_t)
+corecmd_exec_bin(mailman_mail_t)
 
+files_search_locks(mailman_mail_t)
 fs_rw_anon_inodefs_files(mailman_mail_t)
+inherit_mailserver_fd(mailman_mail_t)
+# this is far from ideal, but systemd reduces the importance of initrc_t
+init_signal_script(mailman_mail_t)
+init_signull_script(mailman_mail_t)
+# for python .path file
+libs_read_lib_files(mailman_mail_t)
+
+logging_search_logs(mailman_mail_t)
+miscfiles_read_localization(mailman_mail_t)
 
 mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
 mta_dontaudit_rw_queue(mailman_mail_t)
@@ -159,16 +213,33 @@ allow mailman_queue_t self:capability {
 allow mailman_queue_t self:process { setsched signal_perms };
 allow mailman_queue_t self:fifo_file rw_fifo_file_perms;
 
+allow mailman_queue_t mailman_data_t:dir rw_dir_perms;
+allow mailman_queue_t mailman_data_t:file manage_file_perms;
+allow mailman_queue_t mailman_data_t:lnk_file read_lnk_file_perms;
+
+allow mailman_queue_t mailman_log_t:dir list_dir_perms;
+allow mailman_queue_t mailman_log_t:file manage_file_perms;
+
+allow mailman_queue_t mailman_archive_t:dir manage_dir_perms;
+allow mailman_queue_t mailman_archive_t:file manage_file_perms;
+
+allow mailman_queue_t mailman_lock_t:dir rw_dir_perms;
+allow mailman_queue_t mailman_lock_t:file manage_file_perms;
+
+kernel_read_system_state(mailman_queue_t)
+
+auth_domtrans_chk_passwd(mailman_queue_t)
+corecmd_read_bin_files(mailman_queue_t)
+corecmd_read_bin_symlinks(mailman_queue_t)
 corenet_sendrecv_innd_client_packets(mailman_queue_t)
 corenet_tcp_connect_innd_port(mailman_queue_t)
 corenet_tcp_sendrecv_innd_port(mailman_queue_t)
 
-auth_domtrans_chk_passwd(mailman_queue_t)
-
 files_dontaudit_search_pids(mailman_queue_t)
-
+files_search_locks(mailman_queue_t)
+miscfiles_read_localization(mailman_queue_t)
+read_write_crond_tmp(mailman_queue_t)
 seutil_dontaudit_search_config(mailman_queue_t)
-
 userdom_search_user_home_dirs(mailman_queue_t)
 
 optional_policy(`
Index: refpolicy-2.20170221/policy/modules/contrib/mta.if
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/contrib/mta.if
+++ refpolicy-2.20170221/policy/modules/contrib/mta.if
@@ -286,6 +286,24 @@ interface(`mta_home_filetrans_mail_home_
 
 ########################################
 ## <summary>
+##	Inherit FDs from mailserver_domain domains
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type for a list server or delivery agent that inherits fds
+##	</summary>
+## </param>
+#
+interface(`inherit_mailserver_fd',`
+	gen_require(`
+		attribute mailserver_domain;
+	')
+
+	allow $1 mailserver_domain:fd use;
+')
+
+########################################
+## <summary>
 ##	Make the specified type by a system MTA.
 ## </summary>
 ## <param name="type">
Index: refpolicy-2.20170221/policy/modules/contrib/mailman.fc
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/contrib/mailman.fc
+++ refpolicy-2.20170221/policy/modules/contrib/mailman.fc
@@ -2,11 +2,11 @@
 
 /etc/mailman.*	gen_context(system_u:object_r:mailman_data_t,s0)
 
-/usr/lib/mailman.*/bin/mailmanctl	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman.*/bin/mm-handler.*	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman.*/cron/.*	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/usr/lib/mailman/bin/mailmanctl	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/bin/mm-handler.*	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/cron/.*	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
 /var/lib/mailman.*	gen_context(system_u:object_r:mailman_data_t,s0)
-/var/lib/mailman.*/archives(/.*)?	gen_context(system_u:object_r:mailman_archive_t,s0)
+/var/lib/mailman/archives(/.*)?	gen_context(system_u:object_r:mailman_archive_t,s0)
 
 /var/lock/mailman.*	gen_context(system_u:object_r:mailman_lock_t,s0)
 /var/lock/subsys/mailman.*	--	gen_context(system_u:object_r:mailman_lock_t,s0)
@@ -17,13 +17,13 @@
 
 /var/spool/mailman.*	gen_context(system_u:object_r:mailman_data_t,s0)
 
-/usr/lib/cgi-bin/mailman.*/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
-/usr/lib/mailman.*/bin/qrunner	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
-/usr/lib/mailman.*/cgi-bin/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
-/usr/lib/mailman.*/mail/mailman	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman.*/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman.*/scripts/mailman	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/cgi-bin/mailman/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/bin/qrunner	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/usr/lib/mailman/cgi-bin/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/mail/mailman	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/scripts/mailman	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 
-/usr/mailman.*/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/mailman/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 
-/usr/share/doc/mailman.*/mm-handler.*	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/share/doc/mailman/mm-handler.*	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
Index: refpolicy-2.20170220/policy/modules/contrib/cron.if
===================================================================
--- refpolicy-2.20170220.orig/policy/modules/contrib/cron.if
+++ refpolicy-2.20170220/policy/modules/contrib/cron.if
@@ -910,3 +824,21 @@ interface(`cron_manage_system_spool',`
 	files_search_spool($1)
 	manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
 ')
+
+########################################
+## <summary>
+##      Access temporary files crond creates for script output
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`read_write_crond_tmp',`
+	gen_require(`
+		type crond_tmp_t;
+	')
+
+	allow $1 crond_tmp_t:file rw_file_perms;
+')