From: russell@coker.com.au (Russell Coker)
Date: Tue, 21 Feb 2017 19:33:17 +1100
Subject: [refpolicy] [PATCH] mailman
Message-ID: <20170221083317.xqkkuiaoiyjme54g@athena.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Description: Mailman patches
Author: Russell Coker
Last-Update: 2017-02-21
Index: refpolicy-2.20170221/policy/modules/contrib/mailman.te
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/contrib/mailman.te
+++ refpolicy-2.20170221/policy/modules/contrib/mailman.te
@@ -91,11 +91,31 @@ miscfiles_read_localization(mailman_doma
 # CGI local policy
 #
-dev_read_urand(mailman_cgi_t)
+allow mailman_cgi_t self:unix_dgram_socket { create connect };
-term_use_controlling_term(mailman_cgi_t)
+allow mailman_cgi_t mailman_data_t:dir rw_dir_perms;
+allow mailman_cgi_t mailman_data_t:file manage_file_perms;
+allow mailman_cgi_t mailman_data_t:lnk_file read_lnk_file_perms;
+
+allow mailman_cgi_t mailman_log_t:file { append_file_perms read_file_perms };
+allow mailman_cgi_t mailman_log_t:dir search_dir_perms;
+
+allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms;
+allow mailman_cgi_t mailman_lock_t:file manage_file_perms;
+allow mailman_cgi_t mailman_archive_t:dir search_dir_perms;
+allow mailman_cgi_t mailman_archive_t:file read_file_perms;
+
+kernel_read_crypto_sysctls(mailman_cgi_t)
+kernel_read_system_state(mailman_cgi_t)
+
+corecmd_exec_bin(mailman_cgi_t)
+dev_read_urand(mailman_cgi_t)
+files_search_locks(mailman_cgi_t)
 libs_dontaudit_write_lib_dirs(mailman_cgi_t)
+logging_search_logs(mailman_cgi_t)
+miscfiles_read_localization(mailman_cgi_t)
+term_use_controlling_term(mailman_cgi_t)
 optional_policy(`
 apache_sigchld(mailman_cgi_t)
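Review bot: The new CGI rules on mailman_data_t, mailman_log_t, mailman_lock_t and mailman_archive_t are written as raw `allow` statements, whereas the same file uses the pattern macros for mailman_var_run_t (`manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)` in the next hunk); the refpolicy form here would be e.g. `manage_files_pattern(mailman_cgi_t, mailman_data_t, mailman_data_t)`, which also keeps directory and file permissions in step. The hunk's function context `miscfiles_read_localization(mailman_domain)` suggests the shared mailman rules hang off a mailman_domain attribute; if mailman_cgi_t carries that attribute, the added `miscfiles_read_localization(mailman_cgi_t)` and possibly several of the data/lock/archive rules duplicate what the attribute already grants and should be dropped after checking the rules above the hunk. `allow mailman_cgi_t self:unix_dgram_socket { create connect };` looks like syslog use; if so, `logging_send_syslog_msg(mailman_cgi_t)` is the interface to call instead of a raw socket rule. Removing `dev_read_urand` and `term_use_controlling_term` only to re-add them further down is pure reordering churn that makes the real additions harder to spot. Since `corecmd_exec_bin(mailman_cgi_t)` lets a web-facing domain execute any bin_t program, a one-line comment naming the helper the CGI actually runs would help keep this grant from silently widening later.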
@@ -118,21 +138,55 @@ optional_policy(`
 allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config };
 allow mailman_mail_t self:process { signal signull };
+allow mailman_mail_t mailman_data_t:dir rw_dir_perms;
+allow mailman_mail_t mailman_data_t:file manage_file_perms;
+allow mailman_mail_t mailman_data_t:lnk_file read_lnk_file_perms;
+
+allow mailman_mail_t mailman_log_t:dir search;
+allow mailman_mail_t mailman_log_t:file read_file_perms;
+
+allow mailman_mail_t mailman_archive_t:dir manage_dir_perms;
+allow mailman_mail_t mailman_archive_t:file manage_file_perms;
+allow mailman_mail_t mailman_archive_t:lnk_file manage_lnk_file_perms;
+
+allow mailman_mail_t self:process setsched;
+
+domain_auto_transition_pattern(mailman_mail_t, mailman_queue_exec_t, mailman_queue_t)
+allow mailman_mail_t mailman_queue_exec_t:file ioctl;
+
+can_exec(mailman_mail_t, mailman_mail_exec_t)
+
 manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
 manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
 files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir })
-corenet_sendrecv_innd_client_packets(mailman_mail_t)
-corenet_tcp_connect_innd_port(mailman_mail_t)
-corenet_tcp_sendrecv_innd_port(mailman_mail_t)
+allow mailman_mail_t mailman_lock_t:dir rw_dir_perms;
+allow mailman_mail_t mailman_lock_t:file manage_file_perms;
+
+kernel_read_system_state(mailman_mail_t)
+corenet_tcp_connect_smtp_port(mailman_mail_t)
 corenet_sendrecv_spamd_client_packets(mailman_mail_t)
+corenet_sendrecv_innd_client_packets(mailman_mail_t)
+corenet_tcp_connect_innd_port(mailman_mail_t)
 corenet_tcp_connect_spamd_port(mailman_mail_t)
+corenet_tcp_sendrecv_innd_port(mailman_mail_t)
 corenet_tcp_sendrecv_spamd_port(mailman_mail_t)
 dev_read_urand(mailman_mail_t)
+corecmd_exec_bin(mailman_mail_t)
+files_search_locks(mailman_mail_t)
 fs_rw_anon_inodefs_files(mailman_mail_t)
+inherit_mailserver_fd(mailman_mail_t)
+# this is far from ideal, but systemd reduces the importance of initrc_t
+init_signal_script(mailman_mail_t)
+init_signull_script(mailman_mail_t)
+# for python .path file
+libs_read_lib_files(mailman_mail_t)
+
+logging_search_logs(mailman_mail_t)
+miscfiles_read_localization(mailman_mail_t)
 mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
 mta_dontaudit_rw_queue(mailman_mail_t)
@@ -159,16 +213,33 @@ allow mailman_queue_t self:capability {
 allow mailman_queue_t self:process { setsched signal_perms };
 allow mailman_queue_t self:fifo_file rw_fifo_file_perms;
+allow mailman_queue_t mailman_data_t:dir rw_dir_perms;
+allow mailman_queue_t mailman_data_t:file manage_file_perms;
+allow mailman_queue_t mailman_data_t:lnk_file read_lnk_file_perms;
+
+allow mailman_queue_t mailman_log_t:dir list_dir_perms;
+allow mailman_queue_t mailman_log_t:file manage_file_perms;
+
+allow mailman_queue_t mailman_archive_t:dir manage_dir_perms;
+allow mailman_queue_t mailman_archive_t:file manage_file_perms;
+
+allow mailman_queue_t mailman_lock_t:dir rw_dir_perms;
+allow mailman_queue_t mailman_lock_t:file manage_file_perms;
+
+kernel_read_system_state(mailman_queue_t)
+
+auth_domtrans_chk_passwd(mailman_queue_t)
+corecmd_read_bin_files(mailman_queue_t)
+corecmd_read_bin_symlinks(mailman_queue_t)
 corenet_sendrecv_innd_client_packets(mailman_queue_t)
 corenet_tcp_connect_innd_port(mailman_queue_t)
 corenet_tcp_sendrecv_innd_port(mailman_queue_t)
-auth_domtrans_chk_passwd(mailman_queue_t)
-
 files_dontaudit_search_pids(mailman_queue_t)
-
+files_search_locks(mailman_queue_t)
+miscfiles_read_localization(mailman_queue_t)
+read_write_crond_tmp(mailman_queue_t)
 seutil_dontaudit_search_config(mailman_queue_t)
-
 userdom_search_user_home_dirs(mailman_queue_t)
 optional_policy(`
Index: refpolicy-2.20170221/policy/modules/contrib/mta.if
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/contrib/mta.if
+++ refpolicy-2.20170221/policy/modules/contrib/mta.if
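Review bot: `corenet_tcp_connect_smtp_port(mailman_mail_t)` is added on its own, while the innd and spamd access in the same hunk uses the full triplet (`corenet_sendrecv_*_client_packets`, `corenet_tcp_connect_*_port`, `corenet_tcp_sendrecv_*_port`); for consistency add `corenet_sendrecv_smtp_client_packets(mailman_mail_t)` and `corenet_tcp_sendrecv_smtp_port(mailman_mail_t)` beside it. The three innd lines are removed and re-added purely to reorder them, which inflates the hunk and hides that the smtp line is the only genuine corenet change. `allow mailman_mail_t self:process setsched;` could be folded into the existing context line as `allow mailman_mail_t self:process { setsched signal signull };`. The comment on the init rules already calls them "far from ideal"; if the underlying need is only the liveness check that `init_signull_script` covers, `init_signal_script(mailman_mail_t)` could be dropped — worth confirming against the actual denial before merging. The mailman_mail_t local policy section continues past the hunk's last context line.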
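Review bot: `allow mailman_queue_t mailman_log_t:file manage_file_perms;` is paired with only `allow mailman_queue_t mailman_log_t:dir list_dir_perms;`, so the create/unlink/rename part of manage_file_perms can never be exercised (those need add_name/remove_name on the directory) and the file rule is wider than anything usable; either reduce it to what the queue runners need (`rw_file_perms` or `append_file_perms` for a log) or use `manage_files_pattern(mailman_queue_t, mailman_log_t, mailman_log_t)` so the directory permissions match. `read_write_crond_tmp(mailman_queue_t)` calls an interface from another contrib module (added to cron.if later in this patch) unconditionally; refpolicy convention puts such calls inside an `optional_policy(` block, and the `optional_policy(` context line that closes this hunk looks like the place for it. The moved `auth_domtrans_chk_passwd(mailman_queue_t)` is pre-existing access, but as a reviewer I would want the commit description to note that the queue runner already transitions to the password-checking helper, since the new cron tmp read/write access is granted to the same domain.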
@@ -286,6 +286,24 @@ interface(`mta_home_filetrans_mail_home_
 ########################################
 ##
+## Inherit FDs from mailserver_domain domains
+##
+##
+##
+## Type for a list server or delivery agent that inherits fds
+##
+##
+#
+interface(`inherit_mailserver_fd',`
+ gen_require(`
+ attribute mailserver_domain;
+ ')
+
+ allow $1 mailserver_domain:fd use;
+')
+
+########################################
+##
 ## Make the specified type by a system MTA.
 ##
 ##
Index: refpolicy-2.20170221/policy/modules/contrib/mailman.fc
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/contrib/mailman.fc
+++ refpolicy-2.20170221/policy/modules/contrib/mailman.fc
@@ -2,11 +2,11 @@
 /etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
-/usr/lib/mailman.*/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman.*/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman.*/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
 /var/lib/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
-/var/lib/mailman.*/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
+/var/lib/mailman/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
 /var/lock/mailman.* gen_context(system_u:object_r:mailman_lock_t,s0)
 /var/lock/subsys/mailman.* -- gen_context(system_u:object_r:mailman_lock_t,s0)
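Review bot: The new interface is named `inherit_mailserver_fd` while every other interface in mta.if carries the module prefix (the hunk's own function context shows `interface(`mta_home_filetrans_mail_home_…`), so it should be renamed to an `mta_`-prefixed name (e.g. `mta_use_mailserver_fds`, proposed here, not an existing identifier) and the caller in mailman.te updated to match. The parameter description "Type for a list server or delivery agent that inherits fds" describes the caller rather than the parameter; the conventional wording, used by the cron.if hunk in this same patch, is "Domain allowed access." The grant itself, `allow $1 mailserver_domain:fd use;`, is narrow and looks appropriate for a delivery agent spawned by the MTA, so the change is fine once the naming is fixed.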
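Review bot: Dropping the `.*` from `/usr/lib/mailman.*/…` and `/var/lib/mailman.*/archives(/.*)?` tightens labelling (the old patterns also matched any sibling directory whose name merely starts with `mailman`), but it is done selectively: the context lines `/var/lib/mailman.*`, `/var/lock/mailman.*` and `/var/lock/subsys/mailman.*` keep the wildcard, so after this change an archive tree under a suffixed directory such as `/var/lib/mailman-<suffix>/archives/` (placeholder path) would be labelled mailman_data_t by the parent entry instead of mailman_archive_t. Either tighten the remaining entries as well or keep the archive entry consistent with its parent; the same selective narrowing appears in the second mailman.fc hunk for `/usr/lib/cgi-bin/mailman.*/.*` and `/usr/share/doc/mailman.*/mm-handler.*`. The commit description ("Mailman patches") should say which distribution layouts were checked, since the wildcard forms may have been covering versioned install paths elsewhere.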
@@ -17,13 +17,13 @@
 /var/spool/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
-/usr/lib/cgi-bin/mailman.*/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
-/usr/lib/mailman.*/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
-/usr/lib/mailman.*/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
-/usr/lib/mailman.*/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman.*/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman.*/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/cgi-bin/mailman/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/usr/lib/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/mailman.*/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/share/doc/mailman.*/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/share/doc/mailman/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
Index: refpolicy-2.20170220/policy/modules/contrib/cron.if
===================================================================
--- refpolicy-2.20170220.orig/policy/modules/contrib/cron.if
+++ refpolicy-2.20170220/policy/modules/contrib/cron.if
@@ -910,3 +824,21 @@ interface(`cron_manage_system_spool',`
 files_search_spool($1)
 manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
 ')
+
+########################################
+##
+## Access temporary files crond creates for script output
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`read_write_crond_tmp',`
+ gen_require(`
+ type crond_tmp_t;
+ ')
+
+ allow $1 crond_tmp_t:file rw_file_perms;
+')
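Review bot: The hunk header `@@ -910,3 +824,21 @@` cannot come from a clean patch against the same tree as the other files: with no earlier hunk in cron.if the new start line should equal the old one, and the Index line names refpolicy-2.20170220 while every other file is refpolicy-2.20170221, so this piece was generated against a different cron.if and may fail to apply. The interface name `read_write_crond_tmp` lacks the `cron_` prefix used by its neighbour `cron_manage_system_spool`; a name such as `cron_rw_tmp_files` (proposed, to be checked against the file) would follow the convention, and cron.if should be searched for an existing interface over crond_tmp_t before a second one is added. Unlike `cron_manage_system_spool` just above, which calls `files_search_spool($1)` before its file rule, the new interface grants `rw_file_perms` on crond_tmp_t files with no `files_search_tmp($1)`, so callers may still be denied traversal of the temp directory unless they obtain it elsewhere — if crond_tmp_t lives under the tmp hierarchy as its name suggests, add `files_search_tmp($1)` before the allow rule.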