From: pebenito@ieee.org (Chris PeBenito)
Date: Mon, 11 Sep 2017 19:07:57 -0400
Subject: [refpolicy] [PATCH 2/2] milter: update
In-Reply-To: <20170910145523.5213-2-cgzones@googlemail.com>
References: <20170910145523.5213-1-cgzones@googlemail.com> <20170910145523.5213-2-cgzones@googlemail.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/10/2017 10:55 AM, Christian Göttsche via refpolicy wrote:
> - add initrc filecontext
> - remove unnecessary permissions

While I'd like to remove permissions, how do you know they're not needed? Did you test all the combinations and error paths?

> --- > milter.fc | 2 ++ > milter.te | 16 ++++++---------- > 2 files changed, 8 insertions(+), 10 deletions(-) > > diff --git a/milter.fc b/milter.fc > index 9310401..42fe5e9 100644 > --- a/milter.fc > +++ b/milter.fc > @@ -1,3 +1,5 @@ > +/etc/rc\.d/init\.d/spamass-milter -- gen_context(system_u:object_r:spamass_milter_initrc_exec_t,s0) > + > /usr/bin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0) > /usr/bin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0) > /usr/bin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0) > diff --git a/milter.te b/milter.te > index d0e9c1b..a908466 100644 > --- a/milter.te > +++ b/milter.te > @@ -12,6 +12,9 @@ milter_template(greylist) > milter_template(regex) > milter_template(spamass) > > +type spamass_milter_initrc_exec_t; > +init_script_file(spamass_milter_initrc_exec_t) > + > type spamass_milter_state_t; > files_type(spamass_milter_state_t) > > @@ -23,8 +26,6 @@ files_type(spamass_milter_state_t) > allow milter_domains self:fifo_file rw_fifo_file_perms; > allow milter_domains self:tcp_socket { accept listen }; > > -kernel_dontaudit_read_system_state(milter_domains) > - > corenet_all_recvfrom_unlabeled(milter_domains) > corenet_all_recvfrom_netlabel(milter_domains) > corenet_tcp_sendrecv_generic_if(milter_domains) 
> @@ -44,7 +45,7 @@ logging_send_syslog_msg(milter_domains) > # > > allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice }; > -allow greylist_milter_t self:process { setsched getsched }; > +allow greylist_milter_t self:process { getsched setsched }; > > files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file) > > @@ -93,20 +94,15 @@ mta_read_config(regex_milter_t) > # spamass local policy > # > > -allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms; > allow spamass_milter_t self:process sigkill; > +allow spamass_milter_t self:unix_stream_socket { accept listen }; > > -kernel_read_system_state(spamass_milter_t) > -kernel_read_vm_overcommit_sysctl(spamass_milter_t) > +allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms; > > corecmd_exec_shell(spamass_milter_t) > > -dev_read_sysfs(spamass_milter_t) > - > files_search_var_lib(spamass_milter_t) > > -mta_send_mail(spamass_milter_t) > - > optional_policy(` > postfix_search_spool(spamass_milter_t) > ') > -- Chris PeBenito
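Review bot: The new spamass_milter_initrc_exec_t type in the `@@ -12,6 +12,9 @@` hunk of milter.te is declared but nothing exposes it: the diffstat lists only milter.fc and milter.te, so milter.if gains no interface that uses the type (refpolicy's usual pattern is a spamass_milter_admin-style interface built on init_labeled_script_domtrans plus admin_pattern over the spamass types). Without it, the label on /etc/rc.d/init.d/spamass-milter can only be consumed through the generic init_script_file() attribute, and an administrator role cannot be given a targeted grant to run the script; please add the matching interface in milter.if or say in the commit message why it is left for a follow-up.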
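Review bot: Dropping kernel_dontaudit_read_system_state(milter_domains) in the `@@ -23,8 +26,6 @@` hunk touches all three milter domains, not just spamass, and removing a dontaudit takes away no access; it only turns /proc reads that were deliberately silenced into AVC denials in the audit log. Combined with the removal of kernel_read_system_state(spamass_milter_t) later in the same patch, spamass_milter_t is left with neither the permission nor the dontaudit. Unless greylist, regex and spamass were each exercised through startup and their error paths with this change applied, keep the dontaudit, or at least record in the commit message what was tested so the removal can be checked.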
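Review bot: The only change in the `@@ -44,7 +45,7 @@` hunk is reordering `{ setsched getsched }` to `{ getsched setsched }`, a style-only edit that neither bullet of the commit message ("add initrc filecontext", "remove unnecessary permissions") covers. Either add a bullet for it (sorting permission sets) or leave it out of a patch whose purpose is removing permissions, so a later bisect or blame does not land on a cosmetic hunk.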
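Review bot: The `@@ -93,20 +94,15 @@` hunk adds a permission, `allow spamass_milter_t self:unix_stream_socket { accept listen };`, while the commit message speaks only of removing permissions; add a bullet explaining that the daemon listens on and accepts connections to a local stream socket. The removal that most needs justification in the same hunk is mta_send_mail(spamass_milter_t): corecmd_exec_shell(spamass_milter_t) is kept, so the domain is still expected to run external helpers, and if any of those helpers is a sendmail invocation the resulting denial will only appear on the error or optional-feature path that the reply above asks about. State which features of spamass-milter were run (or which option that calls sendmail is considered unused) so the change is verifiable rather than asserted.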