From: cgzones@googlemail.com (=?UTF-8?q?Christian=20G=C3=B6ttsche?=)
Date: Sun, 10 Sep 2017 16:39:38 +0200
Subject: [refpolicy] [PATCH 2/2] spamassassin: update
In-Reply-To: <20170910143938.3875-1-cgzones@googlemail.com>
References: <20170910143938.3875-1-cgzones@googlemail.com>
Message-ID: <20170910143938.3875-2-cgzones@googlemail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

- add filecontexts
- review admin interfaces
- enhance sa-update policy
- remove old type aliases
- rename spamd_var_run_t to spamd_runtime_t
---
 spamassassin.fc |  14 +++++--
 spamassassin.if |  60 ++++++++++++++++++++--------
 spamassassin.te | 119 ++++++++++++++++++++++++++++++++++----------------------
 3 files changed, 126 insertions(+), 67 deletions(-)

diff --git a/spamassassin.fc b/spamassassin.fc
index 18fa75f..4357976 100644
--- a/spamassassin.fc
+++ b/spamassassin.fc
@@ -1,6 +1,7 @@
 HOME_DIR/\.spamassassin(/.*)?		gen_context(system_u:object_r:spamassassin_home_t,s0)
 HOME_DIR/\.spamd(/.*)?			gen_context(system_u:object_r:spamd_home_t,s0)
 
+/etc/rc\.d/init\.d/spamassassin	--	gen_context(system_u:object_r:spamassassin_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/spamd	--	gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/spampd	--	gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/mimedefang.*	--	gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
@@ -17,17 +18,22 @@ HOME_DIR/\.spamd(/.*)?			gen_context(system_u:object_r:spamd_home_t,s0)
 /usr/sbin/spamd			--	gen_context(system_u:object_r:spamd_exec_t,s0)
 /usr/sbin/spampd		--	gen_context(system_u:object_r:spamd_exec_t,s0)
 
+/usr/lib/systemd/system/spamassassin\.service	--	gen_context(system_u:object_r:spamassassin_unit_t,s0)
+
 /var/lib/spamassassin(/.*)?		gen_context(system_u:object_r:spamd_var_lib_t,s0)
 /var/lib/spamassassin/compiled(/.*)?	gen_context(system_u:object_r:spamd_compiled_t,s0)
 
 /var/log/spamd\.log.*		--	gen_context(system_u:object_r:spamd_log_t,s0)
 /var/log/mimedefang.*		--	gen_context(system_u:object_r:spamd_log_t,s0)
 
-/run/spamassassin(/.*)?			gen_context(system_u:object_r:spamd_var_run_t,s0)
-/run/spamassassin\.pid			gen_context(system_u:object_r:spamd_var_run_t,s0)
+/var/vmail/\.spamassassin(/.*)?		gen_context(system_u:object_r:spamassassin_home_t,s0)
+
+/run/spamassassin(/.*)?			gen_context(system_u:object_r:spamd_runtime_t,s0)
+/run/spamassassin\.pid		--	gen_context(system_u:object_r:spamd_runtime_t,s0)
+/run/spamd\.pid			--	gen_context(system_u:object_r:spamd_runtime_t,s0)
 
 /var/spool/spamassassin(/.*)?		gen_context(system_u:object_r:spamd_spool_t,s0)
 /var/spool/spamd(/.*)?			gen_context(system_u:object_r:spamd_spool_t,s0)
 /var/spool/spampd(/.*)?			gen_context(system_u:object_r:spamd_spool_t,s0)
-/var/spool/MD-Quarantine(/.*)?		gen_context(system_u:object_r:spamd_var_run_t,s0)
-/var/spool/MIMEDefang(/.*)?		gen_context(system_u:object_r:spamd_var_run_t,s0)
+/var/spool/MD-Quarantine(/.*)?		gen_context(system_u:object_r:spamd_runtime_t,s0)
+/var/spool/MIMEDefang(/.*)?		gen_context(system_u:object_r:spamd_runtime_t,s0)
diff --git a/spamassassin.if b/spamassassin.if
index e915b5f..832968c 100644
--- a/spamassassin.if
+++ b/spamassassin.if
@@ -27,8 +27,7 @@ interface(`spamassassin_role',`
 	domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
 	domtrans_pattern($2, spamc_exec_t, spamc_t)
 
-	allow $2 { spamc_t spamassassin_t}:process { ptrace signal_perms };
-	ps_process_pattern($2, { spamc_t spamassassin_t })
+	admin_process_pattern($2, { spamc_t spamassassin_t })
 
 	allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
 	allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:file { manage_file_perms relabel_file_perms };
@@ -37,6 +36,30 @@ interface(`spamassassin_role',`
 	userdom_user_home_dir_filetrans($2, spamd_home_t, dir, ".spamd")
 ')
 
+########################################
+## <summary>
+##	Role access for spamassassin.
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role.
+##	</summary>
+## </param>
+#
+interface(`spamassassin_update_role',`
+	gen_require(`
+		type spamd_gpg_t, spamd_update_exec_t, spamd_update_t;
+	')
+
+	role $1 types { spamd_update_t spamd_gpg_t };
+        domtrans_pattern($2, spamd_update_exec_t, spamd_update_t)
+')
+
 ########################################
 ## <summary>
 ##	Execute the standalone spamassassin
@@ -293,11 +316,11 @@ interface(`spamassassin_manage_lib_files',`
 #
 interface(`spamassassin_read_spamd_pid_files',`
 	gen_require(`
-		type spamd_var_run_t;
+		type spamd_runtime_t;
 	')
 
 	files_search_pids($1)
-	read_files_pattern($1, spamd_var_run_t, spamd_var_run_t)
+	read_files_pattern($1, spamd_runtime_t, spamd_runtime_t)
 ')
 
 ########################################
@@ -350,11 +373,11 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
 #
 interface(`spamassassin_stream_connect_spamd',`
 	gen_require(`
-		type spamd_t, spamd_var_run_t;
+		type spamd_t, spamd_runtime_t;
 	')
 
 	files_search_pids($1)
-	stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
+	stream_connect_pattern($1, spamd_runtime_t, spamd_runtime_t, spamd_t)
 ')
 
 ########################################
@@ -377,30 +400,33 @@ interface(`spamassassin_stream_connect_spamd',`
 interface(`spamassassin_admin',`
 	gen_require(`
 		type spamd_t, spamd_tmp_t, spamd_log_t;
-		type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t;
-		type spamd_initrc_exec_t;
+		type spamd_spool_t, spamd_var_lib_t, spamd_runtime_t;
+		type spamd_initrc_exec_t, spamassassin_unit_t;
+		type spamd_update_t, spamd_update_exec_t, spamd_gpg_t;
 	')
 
-	allow $1 spamd_t:process { ptrace signal_perms };
-	ps_process_pattern($1, spamd_t)
+	admin_process_pattern($1, spamd_t)
 
-	init_startstop_service($1, $2, spamd_t, spamd_initrc_exec_t)
+	init_startstop_service($1, $2, spamd_t, spamd_initrc_exec_t, spamassassin_unit_t)
 
-	files_list_tmp($1)
+	files_search_tmp($1)
 	admin_pattern($1, spamd_tmp_t)
 
-	logging_list_logs($1)
+	logging_search_logs($1)
 	admin_pattern($1, spamd_log_t)
 
-	files_list_spool($1)
+	files_search_spool($1)
 	admin_pattern($1, spamd_spool_t)
 
-	files_list_var_lib($1)
+	files_search_var_lib($1)
 	admin_pattern($1, spamd_var_lib_t)
 
-	files_list_pids($1)
-	admin_pattern($1, spamd_var_run_t)
+	files_search_pids($1)
+	admin_pattern($1, spamd_runtime_t)
 
 	# This makes it impossible to apply _admin if _role has already been applied
 	#spamassassin_role($2, $1)
+
+	# sa-update
+	spamassassin_update_role($2, $1)
 ')
diff --git a/spamassassin.te b/spamassassin.te
index 72e781e..3292af5 100644
--- a/spamassassin.te
+++ b/spamassassin.te
@@ -25,32 +25,31 @@ type spamd_update_t;
 type spamd_update_exec_t;
 init_system_domain(spamd_update_t, spamd_update_exec_t)
 
+type spamd_update_tmp_t;
+files_tmp_file(spamd_update_tmp_t)
+
 type spamassassin_t;
 type spamassassin_exec_t;
-typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
-typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t };
 userdom_user_application_domain(spamassassin_t, spamassassin_exec_t)
 
 type spamassassin_home_t;
-typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
-typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
 userdom_user_home_content(spamassassin_home_t)
 
+type spamassassin_initrc_exec_t;
+init_script_file(spamassassin_initrc_exec_t)
+
 type spamassassin_tmp_t;
-typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
-typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
 userdom_user_tmp_file(spamassassin_tmp_t)
 
+type spamassassin_unit_t;
+init_unit_file(spamassassin_unit_t)
+
 type spamc_t;
 type spamc_exec_t;
-typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
-typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
 userdom_user_application_domain(spamc_t, spamc_exec_t)
 role system_r types spamc_t;
 
 type spamc_tmp_t;
-typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
-typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
 userdom_user_tmp_file(spamc_tmp_t)
 
 type spamd_t;
@@ -63,6 +62,9 @@ files_type(spamd_compiled_t)
 type spamd_etc_t;
 files_config_file(spamd_etc_t)
 
+type spamd_gpg_t;
+domain_type(spamd_gpg_t)
+
 type spamd_home_t;
 userdom_user_home_content(spamd_home_t)
 
@@ -81,8 +83,8 @@ files_tmp_file(spamd_tmp_t)
 type spamd_var_lib_t;
 files_type(spamd_var_lib_t)
 
-type spamd_var_run_t;
-files_pid_file(spamd_var_run_t)
+type spamd_runtime_t alias spamd_var_run_t;
+files_pid_file(spamd_runtime_t)
 
 ########################################
 #
@@ -119,7 +121,6 @@ files_read_etc_files(spamassassin_t)
 files_read_etc_runtime_files(spamassassin_t)
 files_list_home(spamassassin_t)
 files_read_usr_files(spamassassin_t)
-files_dontaudit_search_var(spamassassin_t)
 
 logging_send_syslog_msg(spamassassin_t)
 
@@ -190,7 +191,7 @@ userdom_user_home_dir_filetrans(spamc_t, spamassassin_home_t, dir, ".spamassassi
 list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
 read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
 
-stream_connect_pattern(spamc_t, { spamd_var_run_t spamd_tmp_t }, { spamd_var_run_t spamd_tmp_t }, spamd_t)
+stream_connect_pattern(spamc_t, { spamd_runtime_t spamd_tmp_t }, { spamd_runtime_t spamd_tmp_t }, spamd_t)
 
 kernel_read_kernel_sysctls(spamc_t)
 kernel_read_system_state(spamc_t)
@@ -216,7 +217,6 @@ fs_search_auto_mountpoints(spamc_t)
 
 files_read_etc_runtime_files(spamc_t)
 files_read_usr_files(spamc_t)
-files_dontaudit_search_var(spamc_t)
 files_list_home(spamc_t)
 files_list_var_lib(spamc_t)
 
@@ -276,8 +276,7 @@ optional_policy(`
 # Daemon local policy
 #
 
-allow spamd_t self:capability { dac_override kill setgid setuid sys_tty_config };
-dontaudit spamd_t self:capability sys_tty_config;
+allow spamd_t self:capability { dac_override kill setgid setuid };
 allow spamd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow spamd_t self:fd use;
 allow spamd_t self:fifo_file rw_fifo_file_perms;
@@ -318,16 +317,19 @@ allow spamd_t spamd_var_lib_t:dir list_dir_perms;
 manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
 manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
 
-manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
-manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
-manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
-files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
+manage_dirs_pattern(spamd_t, spamd_runtime_t, spamd_runtime_t)
+manage_files_pattern(spamd_t, spamd_runtime_t, spamd_runtime_t)
+manage_sock_files_pattern(spamd_t, spamd_runtime_t, spamd_runtime_t)
+files_pid_filetrans(spamd_t, spamd_runtime_t, { file dir })
 
 can_exec(spamd_t, { spamd_exec_t spamd_compiled_t })
 
 kernel_read_all_sysctls(spamd_t)
 kernel_read_system_state(spamd_t)
 
+auth_dontaudit_read_shadow(spamd_t)
+auth_use_nsswitch(spamd_t)
+
 corenet_all_recvfrom_unlabeled(spamd_t)
 corenet_all_recvfrom_netlabel(spamd_t)
 corenet_tcp_sendrecv_generic_if(spamd_t)
@@ -369,11 +371,6 @@ files_read_etc_runtime_files(spamd_t)
 fs_getattr_all_fs(spamd_t)
 fs_search_auto_mountpoints(spamd_t)
 
-auth_use_nsswitch(spamd_t)
-auth_dontaudit_read_shadow(spamd_t)
-
-init_dontaudit_rw_utmp(spamd_t)
-
 libs_use_ld_so(spamd_t)
 libs_use_shared_libs(spamd_t)
 
@@ -383,8 +380,6 @@ miscfiles_read_localization(spamd_t)
 
 sysnet_use_ldap(spamd_t)
 
-userdom_use_unpriv_users_fds(spamd_t)
-
 tunable_policy(`spamd_enable_home_dirs',`
 	userdom_manage_user_home_content_dirs(spamd_t)
 	userdom_manage_user_home_content_files(spamd_t)
@@ -439,6 +434,10 @@ optional_policy(`
 	milter_manage_spamass_state(spamd_t)
 ')
 
+optional_policy(`
+	mta_getattr_spool(spamd_t)
+')
+
 optional_policy(`
 	mysql_stream_connect(spamd_t)
 	mysql_tcp_connect(spamd_t)
@@ -464,10 +463,6 @@ optional_policy(`
 	razor_manage_home_content(spamd_t)
 ')
 
-optional_policy(`
-	seutil_sigchld_newrole(spamd_t)
-')
-
 optional_policy(`
 	sendmail_stub(spamd_t)
 	mta_read_config(spamd_t)
@@ -483,13 +478,14 @@ optional_policy(`
 # Update local policy
 #
 
-allow spamd_update_t self:capability dac_override;
+allow spamd_update_t self:capability dac_read_search;
+allow spamd_update_t self:process signal;
 allow spamd_update_t self:fifo_file manage_fifo_file_perms;
 allow spamd_update_t self:unix_stream_socket create_stream_socket_perms;
 
-manage_dirs_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
-manage_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
-files_tmp_filetrans(spamd_update_t, spamd_tmp_t, { file dir })
+manage_dirs_pattern(spamd_update_t, spamd_update_tmp_t, spamd_update_tmp_t)
+manage_files_pattern(spamd_update_t, spamd_update_tmp_t, spamd_update_tmp_t)
+files_tmp_filetrans(spamd_update_t, spamd_update_tmp_t, { file dir })
 
 manage_dirs_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
 manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
@@ -497,6 +493,9 @@ manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
 
 kernel_read_system_state(spamd_update_t)
 
+auth_use_nsswitch(spamd_update_t)
+auth_dontaudit_read_shadow(spamd_update_t)
+
 corenet_all_recvfrom_unlabeled(spamd_update_t)
 corenet_all_recvfrom_netlabel(spamd_update_t)
 corenet_tcp_sendrecv_generic_if(spamd_update_t)
@@ -510,29 +509,57 @@ corenet_tcp_sendrecv_http_port(spamd_update_t)
 corecmd_exec_bin(spamd_update_t)
 corecmd_exec_shell(spamd_update_t)
 
+corenet_tcp_bind_generic_node(spamd_update_t)
+corenet_udp_bind_generic_node(spamd_update_t)
+
 dev_read_urand(spamd_update_t)
 
 domain_use_interactive_fds(spamd_update_t)
 
 files_read_usr_files(spamd_update_t)
 
-auth_use_nsswitch(spamd_update_t)
-auth_dontaudit_read_shadow(spamd_update_t)
+fs_getattr_xattr_fs(spamd_update_t)
 
 miscfiles_read_localization(spamd_update_t)
 
-userdom_use_user_terminals(spamd_update_t)
+userdom_use_inherited_user_terminals(spamd_update_t)
+userdom_dontaudit_search_user_home_dirs(spamd_update_t)
+userdom_dontaudit_search_user_home_content(spamd_update_t)
 
 optional_policy(`
 	cron_system_entry(spamd_update_t, spamd_update_exec_t)
 ')
 
-# probably want a solution same as httpd_use_gpg since this will
-# give spamd_update a path to users gpg keys
-# optional_policy(`
-#	gpg_domtrans(spamd_update_t)
-# ')
-
 optional_policy(`
-	mta_read_config(spamd_update_t)
+	gpg_spec_domtrans(spamd_update_t, spamd_gpg_t)
+	gpg_entry_type(spamd_gpg_t)
+	role system_r types spamd_gpg_t;
+
+	allow spamd_gpg_t self:capability { dac_override dac_read_search };
+	allow spamd_gpg_t self:unix_stream_socket { connect create };
+
+	allow spamd_gpg_t spamd_update_t:fd use;
+	allow spamd_gpg_t spamd_update_t:process sigchld;
+	allow spamd_gpg_t spamd_update_t:fifo_file { getattr write };
+	allow spamd_gpg_t spamd_var_lib_t:dir search_dir_perms;
+	allow spamd_gpg_t spamd_var_lib_t:file rw_file_perms;
+	allow spamd_gpg_t spamd_update_tmp_t:file read_file_perms;
+
+	# fips
+	kernel_search_crypto_sysctls(spamd_gpg_t)
+
+	domain_use_interactive_fds(spamd_gpg_t)
+
+	files_read_etc_files(spamd_gpg_t)
+	files_read_usr_files(spamd_gpg_t)
+	files_search_var_lib(spamd_gpg_t)
+	files_search_pids(spamd_gpg_t)
+	files_search_tmp(spamd_gpg_t)
+
+	init_use_fds(spamd_gpg_t)
+	init_rw_inherited_stream_socket(spamd_gpg_t)
+
+	miscfiles_read_localization(spamd_gpg_t)
+
+	userdom_use_inherited_user_terminals(spamd_gpg_t)
 ')
-- 
2.14.1