From: pebenito@ieee.org (Chris PeBenito)
Date: Thu, 23 Feb 2017 20:51:13 -0500
Subject: [refpolicy] [PATCH] mailman
In-Reply-To: <20170221083317.xqkkuiaoiyjme54g@athena.coker.com.au>
References: <20170221083317.xqkkuiaoiyjme54g@athena.coker.com.au>
Message-ID: <2866ad13-6fbc-c762-c00f-17141247b99d@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/21/17 03:33, Russell Coker via refpolicy wrote:
>
> Description: Mailman patches
> Author: Russell Coker <russell@coker.com.au>
> Last-Update: 2017-02-21
>
> Index: refpolicy-2.20170221/policy/modules/contrib/mailman.te
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/contrib/mailman.te
> +++ refpolicy-2.20170221/policy/modules/contrib/mailman.te
> @@ -91,11 +91,31 @@ miscfiles_read_localization(mailman_doma
>  # CGI local policy
>  #
>
> -dev_read_urand(mailman_cgi_t)
> +allow mailman_cgi_t self:unix_dgram_socket { create connect };
>
> -term_use_controlling_term(mailman_cgi_t)
> +allow mailman_cgi_t mailman_data_t:dir rw_dir_perms;
> +allow mailman_cgi_t mailman_data_t:file manage_file_perms;
> +allow mailman_cgi_t mailman_data_t:lnk_file read_lnk_file_perms;
> +
> +allow mailman_cgi_t mailman_log_t:file { append_file_perms read_file_perms };
> +allow mailman_cgi_t mailman_log_t:dir search_dir_perms;
> +
> +allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms;
> +allow mailman_cgi_t mailman_lock_t:file manage_file_perms;
>
> +allow mailman_cgi_t mailman_archive_t:dir search_dir_perms;
> +allow mailman_cgi_t mailman_archive_t:file read_file_perms;
> +
> +kernel_read_crypto_sysctls(mailman_cgi_t)
> +kernel_read_system_state(mailman_cgi_t)
> +
> +corecmd_exec_bin(mailman_cgi_t)
> +dev_read_urand(mailman_cgi_t)
> +files_search_locks(mailman_cgi_t)
>  libs_dontaudit_write_lib_dirs(mailman_cgi_t)
> +logging_search_logs(mailman_cgi_t)
> +miscfiles_read_localization(mailman_cgi_t)
> +term_use_controlling_term(mailman_cgi_t)
>
>  optional_policy(`
>  	apache_sigchld(mailman_cgi_t)
> @@ -118,21 +138,55 @@ optional_policy(`
>  allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config };
>  allow mailman_mail_t self:process { signal signull };
>
> +allow mailman_mail_t mailman_data_t:dir rw_dir_perms;
> +allow mailman_mail_t mailman_data_t:file manage_file_perms;
> +allow mailman_mail_t mailman_data_t:lnk_file read_lnk_file_perms;
> +
> +allow mailman_mail_t mailman_log_t:dir search;
> +allow mailman_mail_t mailman_log_t:file read_file_perms;
> +
> +allow mailman_mail_t mailman_archive_t:dir manage_dir_perms;
> +allow mailman_mail_t mailman_archive_t:file manage_file_perms;
> +allow mailman_mail_t mailman_archive_t:lnk_file manage_lnk_file_perms;
> +
> +allow mailman_mail_t self:process setsched;
> +
> +domain_auto_transition_pattern(mailman_mail_t, mailman_queue_exec_t, mailman_queue_t)
> +allow mailman_mail_t mailman_queue_exec_t:file ioctl;
> +
> +can_exec(mailman_mail_t, mailman_mail_exec_t)
> +
>  manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
>  manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
>  files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir })
>
> -corenet_sendrecv_innd_client_packets(mailman_mail_t)
> -corenet_tcp_connect_innd_port(mailman_mail_t)
> -corenet_tcp_sendrecv_innd_port(mailman_mail_t)
> +allow mailman_mail_t mailman_lock_t:dir rw_dir_perms;
> +allow mailman_mail_t mailman_lock_t:file manage_file_perms;
> +
> +kernel_read_system_state(mailman_mail_t)
>
> +corenet_tcp_connect_smtp_port(mailman_mail_t)
>  corenet_sendrecv_spamd_client_packets(mailman_mail_t)
> +corenet_sendrecv_innd_client_packets(mailman_mail_t)
> +corenet_tcp_connect_innd_port(mailman_mail_t)
>  corenet_tcp_connect_spamd_port(mailman_mail_t)
> +corenet_tcp_sendrecv_innd_port(mailman_mail_t)
>  corenet_tcp_sendrecv_spamd_port(mailman_mail_t)
>
>  dev_read_urand(mailman_mail_t)
> +corecmd_exec_bin(mailman_mail_t)
>
> +files_search_locks(mailman_mail_t)
>  fs_rw_anon_inodefs_files(mailman_mail_t)
> +inherit_mailserver_fd(mailman_mail_t)
> +# this is far from ideal, but systemd reduces the importance of initrc_t
> +init_signal_script(mailman_mail_t)
> +init_signull_script(mailman_mail_t)
> +# for python .path file
> +libs_read_lib_files(mailman_mail_t)
> +
> +logging_search_logs(mailman_mail_t)
> +miscfiles_read_localization(mailman_mail_t)
>
>  mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
>  mta_dontaudit_rw_queue(mailman_mail_t)
> @@ -159,16 +213,33 @@ allow mailman_queue_t self:capability {
>  allow mailman_queue_t self:process { setsched signal_perms };
>  allow mailman_queue_t self:fifo_file rw_fifo_file_perms;
>
> +allow mailman_queue_t mailman_data_t:dir rw_dir_perms;
> +allow mailman_queue_t mailman_data_t:file manage_file_perms;
> +allow mailman_queue_t mailman_data_t:lnk_file read_lnk_file_perms;
> +
> +allow mailman_queue_t mailman_log_t:dir list_dir_perms;
> +allow mailman_queue_t mailman_log_t:file manage_file_perms;
> +
> +allow mailman_queue_t mailman_archive_t:dir manage_dir_perms;
> +allow mailman_queue_t mailman_archive_t:file manage_file_perms;
> +
> +allow mailman_queue_t mailman_lock_t:dir rw_dir_perms;
> +allow mailman_queue_t mailman_lock_t:file manage_file_perms;
> +
> +kernel_read_system_state(mailman_queue_t)
> +
> +auth_domtrans_chk_passwd(mailman_queue_t)
> +corecmd_read_bin_files(mailman_queue_t)
> +corecmd_read_bin_symlinks(mailman_queue_t)
>  corenet_sendrecv_innd_client_packets(mailman_queue_t)
>  corenet_tcp_connect_innd_port(mailman_queue_t)
>  corenet_tcp_sendrecv_innd_port(mailman_queue_t)
>
> -auth_domtrans_chk_passwd(mailman_queue_t)
> -
>  files_dontaudit_search_pids(mailman_queue_t)
> -
> +files_search_locks(mailman_queue_t)
> +miscfiles_read_localization(mailman_queue_t)
> +read_write_crond_tmp(mailman_queue_t)
>  seutil_dontaudit_search_config(mailman_queue_t)
> -
>  userdom_search_user_home_dirs(mailman_queue_t)
>
>  optional_policy(`
> Index: refpolicy-2.20170221/policy/modules/contrib/mta.if
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/contrib/mta.if
> +++ refpolicy-2.20170221/policy/modules/contrib/mta.if
> @@ -286,6 +286,24 @@ interface(`mta_home_filetrans_mail_home_
>
>  ########################################
>  ## <summary>
> +##	Inherit FDs from mailserver_domain domains
> +## </summary>
> +## <param name="type">
> +##	<summary>
> +##	Type for a list server or delivery agent that inherits fds
> +##	</summary>
> +## </param>
> +#
> +interface(`inherit_mailserver_fd',`
> +	gen_require(`
> +		attribute mailserver_domain;
> +	')
> +
> +	allow $1 mailserver_domain:fd use;
> +')
> +
> +########################################
> +## <summary>
>  ##	Make the specified type by a system MTA.
>  ## </summary>
>  ## <param name="type">
> Index: refpolicy-2.20170221/policy/modules/contrib/mailman.fc
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/contrib/mailman.fc
> +++ refpolicy-2.20170221/policy/modules/contrib/mailman.fc
> @@ -2,11 +2,11 @@
>
>  /etc/mailman.*	gen_context(system_u:object_r:mailman_data_t,s0)
>
> -/usr/lib/mailman.*/bin/mailmanctl	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> -/usr/lib/mailman.*/bin/mm-handler.*	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> -/usr/lib/mailman.*/cron/.*	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
> +/usr/lib/mailman/bin/mailmanctl	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> +/usr/lib/mailman/bin/mm-handler.*	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> +/usr/lib/mailman/cron/.*	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
>  /var/lib/mailman.*	gen_context(system_u:object_r:mailman_data_t,s0)
> -/var/lib/mailman.*/archives(/.*)?	gen_context(system_u:object_r:mailman_archive_t,s0)
> +/var/lib/mailman/archives(/.*)?	gen_context(system_u:object_r:mailman_archive_t,s0)
>
>  /var/lock/mailman.*	gen_context(system_u:object_r:mailman_lock_t,s0)
>  /var/lock/subsys/mailman.*	--	gen_context(system_u:object_r:mailman_lock_t,s0)
> @@ -17,13 +17,13 @@
>
>  /var/spool/mailman.*	gen_context(system_u:object_r:mailman_data_t,s0)
>
> -/usr/lib/cgi-bin/mailman.*/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
> -/usr/lib/mailman.*/bin/qrunner	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
> -/usr/lib/mailman.*/cgi-bin/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
> -/usr/lib/mailman.*/mail/mailman	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> -/usr/lib/mailman.*/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> -/usr/lib/mailman.*/scripts/mailman	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> +/usr/lib/cgi-bin/mailman/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
> +/usr/lib/mailman/bin/qrunner	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
> +/usr/lib/mailman/cgi-bin/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
> +/usr/lib/mailman/mail/mailman	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> +/usr/lib/mailman/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> +/usr/lib/mailman/scripts/mailman	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
>
> -/usr/mailman.*/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> +/usr/mailman/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
>
> -/usr/share/doc/mailman.*/mm-handler.*	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> +/usr/share/doc/mailman/mm-handler.*	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
> Index: refpolicy-2.20170220/policy/modules/contrib/cron.if
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/contrib/cron.if
> +++ refpolicy-2.20170220/policy/modules/contrib/cron.if
> @@ -910,3 +824,21 @@ interface(`cron_manage_system_spool',`
>  	files_search_spool($1)
>  	manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
>  ')
> +
> +########################################
> +## <summary>
> +##      Access temporary files crond creates for script output
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`read_write_crond_tmp',`
> +	gen_require(`
> +		type crond_tmp_t;
> +	')
> +
> +	allow $1 crond_tmp_t:file rw_file_perms;
> +')

Merged, though I renamed some interfaces and moved lines around.

-- 
Chris PeBenito