From: pebenito@ieee.org (Chris PeBenito) Date: Thu, 23 Feb 2017 20:51:13 -0500 Subject: [refpolicy] [PATCH] mailman In-Reply-To: <20170221083317.xqkkuiaoiyjme54g@athena.coker.com.au> References: <20170221083317.xqkkuiaoiyjme54g@athena.coker.com.au> Message-ID: <2866ad13-6fbc-c762-c00f-17141247b99d@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 02/21/17 03:33, Russell Coker via refpolicy wrote:
> 
> Description: Mailman patches
> Author: Russell Coker
> Last-Update: 2017-02-21
> 
> Index: refpolicy-2.20170221/policy/modules/contrib/mailman.te
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/contrib/mailman.te
> +++ refpolicy-2.20170221/policy/modules/contrib/mailman.te 
> @@ -91,11 +91,31 @@ miscfiles_read_localization(mailman_doma
> # CGI local policy
> #
> 
> -dev_read_urand(mailman_cgi_t)
> +allow mailman_cgi_t self:unix_dgram_socket { create connect };
> 
> -term_use_controlling_term(mailman_cgi_t)
> +allow mailman_cgi_t mailman_data_t:dir rw_dir_perms;
> +allow mailman_cgi_t mailman_data_t:file manage_file_perms;
> +allow mailman_cgi_t mailman_data_t:lnk_file read_lnk_file_perms;
> +
> +allow mailman_cgi_t mailman_log_t:file { append_file_perms read_file_perms };
> +allow mailman_cgi_t mailman_log_t:dir search_dir_perms;
> +
> +allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms;
> +allow mailman_cgi_t mailman_lock_t:file manage_file_perms;
> 
> +allow mailman_cgi_t mailman_archive_t:dir search_dir_perms;
> +allow mailman_cgi_t mailman_archive_t:file read_file_perms;
> +
> +kernel_read_crypto_sysctls(mailman_cgi_t)
> +kernel_read_system_state(mailman_cgi_t)
> +
> +corecmd_exec_bin(mailman_cgi_t)
> +dev_read_urand(mailman_cgi_t)
> +files_search_locks(mailman_cgi_t)
> libs_dontaudit_write_lib_dirs(mailman_cgi_t)
> +logging_search_logs(mailman_cgi_t)
> +miscfiles_read_localization(mailman_cgi_t)
> +term_use_controlling_term(mailman_cgi_t)
> 
> optional_policy(`
> apache_sigchld(mailman_cgi_t) 
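Review bot: The added rule pairs on mailman_data_t (`dir rw_dir_perms` plus `file manage_file_perms`, and the `lnk_file read_lnk_file_perms` line) are exactly what `manage_files_pattern(mailman_cgi_t, mailman_data_t, mailman_data_t)` and `read_lnk_files_pattern(mailman_cgi_t, mailman_data_t, mailman_data_t)` expand to, and the two mailman_archive_t rules are `read_files_pattern`; spelling them out as raw `allow` lines reads as style drift next to the `manage_files_pattern(...)` calls the file already uses for mailman_var_run_t in the next hunk. The same applies to the mailman_mail_t and mailman_queue_t blocks in the two following hunks. `allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms;` also gives the web-facing CGI domain create/delete on lock directories where the mail and queue domains in this patch get only `rw_dir_perms`; if the CGI merely takes per-list lock files, `rw_dir_perms` keeps the three domains consistent. Since `corecmd_exec_bin(mailman_cgi_t)` runs whatever helper is involved inside mailman_cgi_t with all of the above, a one-line comment naming that helper would help later reviewers, e.g. `# TODO(review): name the bin_t helper the CGI execs`.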
> @@ -118,21 +138,55 @@ optional_policy(`
> allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config };
> allow mailman_mail_t self:process { signal signull };
> 
> +allow mailman_mail_t mailman_data_t:dir rw_dir_perms;
> +allow mailman_mail_t mailman_data_t:file manage_file_perms;
> +allow mailman_mail_t mailman_data_t:lnk_file read_lnk_file_perms;
> +
> +allow mailman_mail_t mailman_log_t:dir search;
> +allow mailman_mail_t mailman_log_t:file read_file_perms;
> +
> +allow mailman_mail_t mailman_archive_t:dir manage_dir_perms;
> +allow mailman_mail_t mailman_archive_t:file manage_file_perms;
> +allow mailman_mail_t mailman_archive_t:lnk_file manage_lnk_file_perms;
> +
> +allow mailman_mail_t self:process setsched;
> +
> +domain_auto_transition_pattern(mailman_mail_t, mailman_queue_exec_t, mailman_queue_t)
> +allow mailman_mail_t mailman_queue_exec_t:file ioctl;
> +
> +can_exec(mailman_mail_t, mailman_mail_exec_t)
> +
> manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
> manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
> files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir })
> 
> -corenet_sendrecv_innd_client_packets(mailman_mail_t)
> -corenet_tcp_connect_innd_port(mailman_mail_t)
> -corenet_tcp_sendrecv_innd_port(mailman_mail_t)
> +allow mailman_mail_t mailman_lock_t:dir rw_dir_perms;
> +allow mailman_mail_t mailman_lock_t:file manage_file_perms;
> +
> +kernel_read_system_state(mailman_mail_t)
> 
> +corenet_tcp_connect_smtp_port(mailman_mail_t)
> corenet_sendrecv_spamd_client_packets(mailman_mail_t)
> +corenet_sendrecv_innd_client_packets(mailman_mail_t)
> +corenet_tcp_connect_innd_port(mailman_mail_t)
> corenet_tcp_connect_spamd_port(mailman_mail_t)
> +corenet_tcp_sendrecv_innd_port(mailman_mail_t)
> corenet_tcp_sendrecv_spamd_port(mailman_mail_t)
> 
> dev_read_urand(mailman_mail_t)
> +corecmd_exec_bin(mailman_mail_t)
> 
> +files_search_locks(mailman_mail_t)
> fs_rw_anon_inodefs_files(mailman_mail_t)
> +inherit_mailserver_fd(mailman_mail_t)
> +# this is far from ideal, but systemd reduces the importance of initrc_t
> +init_signal_script(mailman_mail_t)
> +init_signull_script(mailman_mail_t)
> +# for python .path file
> +libs_read_lib_files(mailman_mail_t)
> +
> +logging_search_logs(mailman_mail_t)
> +miscfiles_read_localization(mailman_mail_t)
> 
> mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
> mta_dontaudit_rw_queue(mailman_mail_t) 
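Review bot: `allow mailman_mail_t mailman_log_t:dir search;` uses a bare permission where the rest of this patch uses the `search_dir_perms` set (compare the mailman_log_t rule in the mailman_cgi_t hunk); `allow mailman_mail_t mailman_log_t:dir search_dir_perms;` keeps the lookup rules uniform across the three domains. `init_signal_script(mailman_mail_t)` lets the mail handler deliver arbitrary signals to initrc_t processes, and the comment above it only says this is not ideal; if the need is a liveness check against a pid file, `init_signull_script` alone may cover it, so I would extend the comment with what mailmanctl (labelled mailman_mail_exec_t in the fc hunk, so presumably running here) actually signals before keeping `signal`. The mailman_mail_t local policy continues past the end of this hunk.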
> @@ -159,16 +213,33 @@ allow mailman_queue_t self:capability {
> allow mailman_queue_t self:process { setsched signal_perms };
> allow mailman_queue_t self:fifo_file rw_fifo_file_perms;
> 
> +allow mailman_queue_t mailman_data_t:dir rw_dir_perms;
> +allow mailman_queue_t mailman_data_t:file manage_file_perms;
> +allow mailman_queue_t mailman_data_t:lnk_file read_lnk_file_perms;
> +
> +allow mailman_queue_t mailman_log_t:dir list_dir_perms;
> +allow mailman_queue_t mailman_log_t:file manage_file_perms;
> +
> +allow mailman_queue_t mailman_archive_t:dir manage_dir_perms;
> +allow mailman_queue_t mailman_archive_t:file manage_file_perms;
> +
> +allow mailman_queue_t mailman_lock_t:dir rw_dir_perms;
> +allow mailman_queue_t mailman_lock_t:file manage_file_perms;
> +
> +kernel_read_system_state(mailman_queue_t)
> +
> +auth_domtrans_chk_passwd(mailman_queue_t)
> +corecmd_read_bin_files(mailman_queue_t)
> +corecmd_read_bin_symlinks(mailman_queue_t)
> corenet_sendrecv_innd_client_packets(mailman_queue_t)
> corenet_tcp_connect_innd_port(mailman_queue_t)
> corenet_tcp_sendrecv_innd_port(mailman_queue_t)
> 
> -auth_domtrans_chk_passwd(mailman_queue_t)
> -
> files_dontaudit_search_pids(mailman_queue_t)
> -
> +files_search_locks(mailman_queue_t)
> +miscfiles_read_localization(mailman_queue_t)
> +read_write_crond_tmp(mailman_queue_t)
> seutil_dontaudit_search_config(mailman_queue_t)
> -
> userdom_search_user_home_dirs(mailman_queue_t)
> 
> optional_policy(`
> Index: refpolicy-2.20170221/policy/modules/contrib/mta.if
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/contrib/mta.if
> +++ refpolicy-2.20170221/policy/modules/contrib/mta.if 
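Review bot: `allow mailman_queue_t mailman_log_t:file manage_file_perms;` grants create/unlink on log files while the directory rule just above it is `list_dir_perms`, which as far as I recall carries no add_name/remove_name, so creating or rotating a log file from the queue runner would still be denied on the directory; either `manage_files_pattern(mailman_queue_t, mailman_log_t, mailman_log_t)` or the narrower `rw_file_perms` makes the pair consistent, depending on whether the runner only opens existing logs. `read_write_crond_tmp(mailman_queue_t)` also gives the runner read/write on every crond_tmp_t file, not just its own job's output; that is inherent to a single type, but deserves a comment on the call, e.g. `# cron job output is captured in crond_tmp_t`.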
> @@ -286,6 +286,24 @@ interface(`mta_home_filetrans_mail_home_
> 
> ########################################
> ##
> +## Inherit FDs from mailserver_domain domains
> ##
> ##
> ##
> ## Type for a list server or delivery agent that inherits fds
> ##
> ##
> #
> interface(`inherit_mailserver_fd',`
> + gen_require(`
> + attribute mailserver_domain;
> + ')
> +
> + allow $1 mailserver_domain:fd use;
> +')
> +
> +########################################
> +##
> ## Make the specified type by a system MTA.
> ##
> ##
> Index: refpolicy-2.20170221/policy/modules/contrib/mailman.fc
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/contrib/mailman.fc
> +++ refpolicy-2.20170221/policy/modules/contrib/mailman.fc
> @@ -2,11 +2,11 @@
> 
> /etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
> 
> -/usr/lib/mailman.*/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> -/usr/lib/mailman.*/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> -/usr/lib/mailman.*/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
> +/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> +/usr/lib/mailman/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> +/usr/lib/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
> /var/lib/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
> -/var/lib/mailman.*/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
> +/var/lib/mailman/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
> 
> /var/lock/mailman.* gen_context(system_u:object_r:mailman_lock_t,s0)
> /var/lock/subsys/mailman.* -- gen_context(system_u:object_r:mailman_lock_t,s0) 
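Review bot: `interface(`inherit_mailserver_fd',` does not carry the module prefix that the other interfaces in this file use (the hunk header shows `mta_home_filetrans_mail_home_`, and mailman.te calls `mta_dontaudit_rw_queue`), so a caller cannot tell which module provides it; a name along the lines of `mta_use_mailserver_fds` follows the neighbouring interfaces. The rule `allow $1 mailserver_domain:fd use;` applies to every domain carrying the attribute, which is broader than the list-server-to-MTA pairing the summary describes — acceptable for an attribute-based interface, but the summary should say so, e.g. `## Use file descriptors inherited from any mailserver_domain`. In this rendering the `+` marker is also missing from the doc and `interface(` lines between `+## Inherit FDs` and `+ gen_require(`, which the `-286,6 +286,24` counts show are additions.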
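Review bot: The executable entries drop the `mailman.*` wildcard (`/usr/lib/mailman.*/bin/mailmanctl` becomes `/usr/lib/mailman/bin/mailmanctl`) while the data entries `/etc/mailman.*`, `/var/lib/mailman.*`, `/var/lock/mailman.*` and `/var/spool/mailman.*` keep it, and the description does not say why. An install under a versioned directory that the old pattern matched now gets no `*_exec_t` label, so the entry-point transitions into mailman_cgi_t, mailman_mail_t and mailman_queue_t would not fire and those programs would run in the caller's domain unless some other rule labels them; likewise an archive tree under (say) `/var/lib/mailman3/archives` would now fall to mailman_data_t instead of mailman_archive_t. If the intent is to stop `.*` matching across path separators, a bounded form such as `/usr/lib/mailman[^/]*/bin/mailmanctl` keeps the old coverage; the second mailman.fc hunk has the same issue.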
> @@ -17,13 +17,13 @@
> 
> /var/spool/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
> 
> -/usr/lib/cgi-bin/mailman.*/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
> -/usr/lib/mailman.*/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
> -/usr/lib/mailman.*/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
> -/usr/lib/mailman.*/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> -/usr/lib/mailman.*/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> -/usr/lib/mailman.*/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> +/usr/lib/cgi-bin/mailman/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
> +/usr/lib/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
> +/usr/lib/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
> +/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> +/usr/lib/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> +/usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> 
> -/usr/mailman.*/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> +/usr/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> 
> -/usr/share/doc/mailman.*/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> +/usr/share/doc/mailman/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> Index: refpolicy-2.20170220/policy/modules/contrib/cron.if
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/contrib/cron.if
> +++ refpolicy-2.20170220/policy/modules/contrib/cron.if 
> @@ -910,3 +824,21 @@ interface(`cron_manage_system_spool',`
> files_search_spool($1)
> manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
> ')
> +
> +########################################
> +##
> +## Access temporary files crond creates for script output
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`read_write_crond_tmp',`
> + gen_require(`
> + type crond_tmp_t;
> + ')
> +
> + allow $1 crond_tmp_t:file rw_file_perms;
> +')
Merged, though I renamed some interfaces and moved lines around. -- Chris PeBenito
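Review bot: `interface(`read_write_crond_tmp',` lacks the `cron_` prefix that the neighbouring `cron_manage_system_spool` carries, and the `rw` spelling used elsewhere in this patch (`mta_dontaudit_rw_queue`) would give a name like `cron_rw_tmp_files`. The body grants `crond_tmp_t:file rw_file_perms` with no search rule on the directory holding those files; interfaces that hand out access to a tmp type are normally paired with `files_search_tmp($1)`, otherwise a caller that does not already search tmp is denied on path lookup — worth confirming against how the mailman queue runner reaches the file. The Index and `---`/`+++` lines for this file name `refpolicy-2.20170220` while the other three files name `refpolicy-2.20170221`, and the hunk header offsets `-910,3 +824,21` drift by 86 lines, so this part was generated against a different tree and may not apply cleanly.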