From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 12 Sep 2017 19:48:52 -0400
Subject: [refpolicy] [PATCH] spamassassin: update
In-Reply-To: <20170912094818.5632-1-cgzones@googlemail.com>
References: <20170912094818.5632-1-cgzones@googlemail.com>
Message-ID: <1cef68cc-3c8b-7828-6e76-6da699efe800@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/12/2017 05:48 AM, Christian G?ttsche via refpolicy wrote:
> - add filecontexts
> - review admin interfaces
> - enhance sa-update policy
> 
> v2:
> 
> - drop list -> search changes in admin interface
> - use run instead of role interface for spamd_update
> - drop runtime_t rename
> - drop alias removal
> ---
>   spamassassin.fc |  8 ++++-
>   spamassassin.if | 43 +++++++++++++++++++++-----
>   spamassassin.te | 95 +++++++++++++++++++++++++++++++++++++++------------------
>   3 files changed, 109 insertions(+), 37 deletions(-)
> 
> diff --git a/spamassassin.fc b/spamassassin.fc
> index 18fa75f..a8b3c01 100644
> --- a/spamassassin.fc
> +++ b/spamassassin.fc
> @@ -1,6 +1,7 @@
>   HOME_DIR/\.spamassassin(/.*)?		gen_context(system_u:object_r:spamassassin_home_t,s0)
>   HOME_DIR/\.spamd(/.*)?			gen_context(system_u:object_r:spamd_home_t,s0)
>   
> +/etc/rc\.d/init\.d/spamassassin	--	gen_context(system_u:object_r:spamassassin_initrc_exec_t,s0)
>   /etc/rc\.d/init\.d/spamd	--	gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
>   /etc/rc\.d/init\.d/spampd	--	gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
>   /etc/rc\.d/init\.d/mimedefang.*	--	gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
> @@ -17,14 +18,19 @@ HOME_DIR/\.spamd(/.*)?			gen_context(system_u:object_r:spamd_home_t,s0)
>   /usr/sbin/spamd			--	gen_context(system_u:object_r:spamd_exec_t,s0)
>   /usr/sbin/spampd		--	gen_context(system_u:object_r:spamd_exec_t,s0)
>   
> +/usr/lib/systemd/system/spamassassin\.service	--	gen_context(system_u:object_r:spamassassin_unit_t,s0)
> +
>   /var/lib/spamassassin(/.*)?		gen_context(system_u:object_r:spamd_var_lib_t,s0)
>   /var/lib/spamassassin/compiled(/.*)?	gen_context(system_u:object_r:spamd_compiled_t,s0)
>   
>   /var/log/spamd\.log.*		--	gen_context(system_u:object_r:spamd_log_t,s0)
>   /var/log/mimedefang.*		--	gen_context(system_u:object_r:spamd_log_t,s0)
>   
> +/var/vmail/\.spamassassin(/.*)?		gen_context(system_u:object_r:spamassassin_home_t,s0)
> +
>   /run/spamassassin(/.*)?			gen_context(system_u:object_r:spamd_var_run_t,s0)
> -/run/spamassassin\.pid			gen_context(system_u:object_r:spamd_var_run_t,s0)
> +/run/spamassassin\.pid		--	gen_context(system_u:object_r:spamd_var_run_t,s0)
> +/run/spamd\.pid			--	gen_context(system_u:object_r:spamd_var_run_t,s0)
>   
>   /var/spool/spamassassin(/.*)?		gen_context(system_u:object_r:spamd_spool_t,s0)
>   /var/spool/spamd(/.*)?			gen_context(system_u:object_r:spamd_spool_t,s0)
> diff --git a/spamassassin.if b/spamassassin.if
> index e915b5f..ddfff8c 100644
> --- a/spamassassin.if
> +++ b/spamassassin.if
> @@ -27,8 +27,7 @@ interface(`spamassassin_role',`
>   	domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
>   	domtrans_pattern($2, spamc_exec_t, spamc_t)
>   
> -	allow $2 { spamc_t spamassassin_t}:process { ptrace signal_perms };
> -	ps_process_pattern($2, { spamc_t spamassassin_t })
> +	admin_process_pattern($2, { spamc_t spamassassin_t })
>   
>   	allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
>   	allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:file { manage_file_perms relabel_file_perms };
> @@ -37,6 +36,33 @@ interface(`spamassassin_role',`
>   	userdom_user_home_dir_filetrans($2, spamd_home_t, dir, ".spamd")
>   ')
>   
> +########################################
> +## <summary>
> +##	Execute sa-update in the spamd-update domain,
> +##	and allow the specified role
> +##	the spamd-update domain. Also allow transitive
> +##	access to the private gpg domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +## </param>
> +## <param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`spamassassin_run_update',`
> +	gen_require(`
> +		type spamd_gpg_t, spamd_update_exec_t, spamd_update_t;
> +	')
> +
> +	role 21 types { spamd_update_t spamd_gpg_t };

A patch issue here.


> +        domtrans_pattern($1, spamd_update_exec_t, spamd_update_t)
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Execute the standalone spamassassin
> @@ -378,16 +404,16 @@ interface(`spamassassin_admin',`
>   	gen_require(`
>   		type spamd_t, spamd_tmp_t, spamd_log_t;
>   		type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t;
> -		type spamd_initrc_exec_t;
> +		type spamd_initrc_exec_t, spamassassin_unit_t;
> +		type spamd_gpg_t, spamd_update_t;
>   	')
>   
> -	allow $1 spamd_t:process { ptrace signal_perms };
> -	ps_process_pattern($1, spamd_t)
> +	admin_process_pattern($1, { spamd_t spamd_gpg_t spamd_update_t })
>   
> -	init_startstop_service($1, $2, spamd_t, spamd_initrc_exec_t)
> +	init_startstop_service($1, $2, spamd_t, spamd_initrc_exec_t, spamassassin_unit_t)
>   
>   	files_list_tmp($1)
> -	admin_pattern($1, spamd_tmp_t)
> +	admin_pattern($1, { spamd_tmp_t spamd_update_tmp_t })
>   
>   	logging_list_logs($1)
>   	admin_pattern($1, spamd_log_t)
> @@ -403,4 +429,7 @@ interface(`spamassassin_admin',`
>   
>   	# This makes it impossible to apply _admin if _role has already been applied
>   	#spamassassin_role($2, $1)
> +
> +	# sa-update
> +	spamassassin_run_update($1, $2)
>   ')
> diff --git a/spamassassin.te b/spamassassin.te
> index 72e781e..08c153d 100644
> --- a/spamassassin.te
> +++ b/spamassassin.te
> @@ -25,6 +25,9 @@ type spamd_update_t;
>   type spamd_update_exec_t;
>   init_system_domain(spamd_update_t, spamd_update_exec_t)
>   
> +type spamd_update_tmp_t;
> +files_tmp_file(spamd_update_tmp_t)
> +
>   type spamassassin_t;
>   type spamassassin_exec_t;
>   typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
> @@ -36,11 +39,17 @@ typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassi
>   typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
>   userdom_user_home_content(spamassassin_home_t)
>   
> +type spamassassin_initrc_exec_t;
> +init_script_file(spamassassin_initrc_exec_t)
> +
>   type spamassassin_tmp_t;
>   typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
>   typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
>   userdom_user_tmp_file(spamassassin_tmp_t)
>   
> +type spamassassin_unit_t;
> +init_unit_file(spamassassin_unit_t)
> +
>   type spamc_t;
>   type spamc_exec_t;
>   typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
> @@ -63,6 +72,9 @@ files_type(spamd_compiled_t)
>   type spamd_etc_t;
>   files_config_file(spamd_etc_t)
>   
> +type spamd_gpg_t;
> +domain_type(spamd_gpg_t)
> +
>   type spamd_home_t;
>   userdom_user_home_content(spamd_home_t)
>   
> @@ -119,7 +131,6 @@ files_read_etc_files(spamassassin_t)
>   files_read_etc_runtime_files(spamassassin_t)
>   files_list_home(spamassassin_t)
>   files_read_usr_files(spamassassin_t)
> -files_dontaudit_search_var(spamassassin_t)
>   
>   logging_send_syslog_msg(spamassassin_t)
>   
> @@ -216,7 +227,6 @@ fs_search_auto_mountpoints(spamc_t)
>   
>   files_read_etc_runtime_files(spamc_t)
>   files_read_usr_files(spamc_t)
> -files_dontaudit_search_var(spamc_t)
>   files_list_home(spamc_t)
>   files_list_var_lib(spamc_t)
>   
> @@ -276,8 +286,7 @@ optional_policy(`
>   # Daemon local policy
>   #
>   
> -allow spamd_t self:capability { dac_override kill setgid setuid sys_tty_config };
> -dontaudit spamd_t self:capability sys_tty_config;
> +allow spamd_t self:capability { dac_override kill setgid setuid };
>   allow spamd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
>   allow spamd_t self:fd use;
>   allow spamd_t self:fifo_file rw_fifo_file_perms;
> @@ -328,6 +337,9 @@ can_exec(spamd_t, { spamd_exec_t spamd_compiled_t })
>   kernel_read_all_sysctls(spamd_t)
>   kernel_read_system_state(spamd_t)
>   
> +auth_dontaudit_read_shadow(spamd_t)
> +auth_use_nsswitch(spamd_t)

These lines were in the correct location below.

>   corenet_all_recvfrom_unlabeled(spamd_t)
>   corenet_all_recvfrom_netlabel(spamd_t)
>   corenet_tcp_sendrecv_generic_if(spamd_t)
> @@ -369,11 +381,6 @@ files_read_etc_runtime_files(spamd_t)
>   fs_getattr_all_fs(spamd_t)
>   fs_search_auto_mountpoints(spamd_t)
>   
> -auth_use_nsswitch(spamd_t)
> -auth_dontaudit_read_shadow(spamd_t)
> -
> -init_dontaudit_rw_utmp(spamd_t)
> -
>   libs_use_ld_so(spamd_t)
>   libs_use_shared_libs(spamd_t)
>   
> @@ -383,8 +390,6 @@ miscfiles_read_localization(spamd_t)
>   
>   sysnet_use_ldap(spamd_t)
>   
> -userdom_use_unpriv_users_fds(spamd_t)
> -
>   tunable_policy(`spamd_enable_home_dirs',`
>   	userdom_manage_user_home_content_dirs(spamd_t)
>   	userdom_manage_user_home_content_files(spamd_t)
> @@ -439,6 +444,10 @@ optional_policy(`
>   	milter_manage_spamass_state(spamd_t)
>   ')
>   
> +optional_policy(`
> +	mta_getattr_spool(spamd_t)
> +')
> +
>   optional_policy(`
>   	mysql_stream_connect(spamd_t)
>   	mysql_tcp_connect(spamd_t)
> @@ -464,10 +473,6 @@ optional_policy(`
>   	razor_manage_home_content(spamd_t)
>   ')
>   
> -optional_policy(`
> -	seutil_sigchld_newrole(spamd_t)
> -')
> -
>   optional_policy(`
>   	sendmail_stub(spamd_t)
>   	mta_read_config(spamd_t)
> @@ -483,13 +488,14 @@ optional_policy(`
>   # Update local policy
>   #
>   
> -allow spamd_update_t self:capability dac_override;
> +allow spamd_update_t self:capability dac_read_search;
> +allow spamd_update_t self:process signal;
>   allow spamd_update_t self:fifo_file manage_fifo_file_perms;
>   allow spamd_update_t self:unix_stream_socket create_stream_socket_perms;
>   
> -manage_dirs_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
> -manage_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
> -files_tmp_filetrans(spamd_update_t, spamd_tmp_t, { file dir })
> +manage_dirs_pattern(spamd_update_t, spamd_update_tmp_t, spamd_update_tmp_t)
> +manage_files_pattern(spamd_update_t, spamd_update_tmp_t, spamd_update_tmp_t)
> +files_tmp_filetrans(spamd_update_t, spamd_update_tmp_t, { file dir })
>   
>   manage_dirs_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
>   manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
> @@ -497,6 +503,9 @@ manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
>   
>   kernel_read_system_state(spamd_update_t)
>   
> +auth_use_nsswitch(spamd_update_t)
> +auth_dontaudit_read_shadow(spamd_update_t)

These lines were in the correct place.

>   corenet_all_recvfrom_unlabeled(spamd_update_t)
>   corenet_all_recvfrom_netlabel(spamd_update_t)
>   corenet_tcp_sendrecv_generic_if(spamd_update_t)
> @@ -510,29 +519,57 @@ corenet_tcp_sendrecv_http_port(spamd_update_t)
>   corecmd_exec_bin(spamd_update_t)
>   corecmd_exec_shell(spamd_update_t)
>   
> +corenet_tcp_bind_generic_node(spamd_update_t)
> +corenet_udp_bind_generic_node(spamd_update_t)
> +
>   dev_read_urand(spamd_update_t)
>   
>   domain_use_interactive_fds(spamd_update_t)
>   
>   files_read_usr_files(spamd_update_t)
>   
> -auth_use_nsswitch(spamd_update_t)
> -auth_dontaudit_read_shadow(spamd_update_t)
> +fs_getattr_xattr_fs(spamd_update_t)
>   
>   miscfiles_read_localization(spamd_update_t)
>   
> -userdom_use_user_terminals(spamd_update_t)
> +userdom_use_inherited_user_terminals(spamd_update_t)
> +userdom_dontaudit_search_user_home_dirs(spamd_update_t)
> +userdom_dontaudit_search_user_home_content(spamd_update_t)
>   
>   optional_policy(`
>   	cron_system_entry(spamd_update_t, spamd_update_exec_t)
>   ')
>   
> -# probably want a solution same as httpd_use_gpg since this will
> -# give spamd_update a path to users gpg keys
> -# optional_policy(`
> -#	gpg_domtrans(spamd_update_t)
> -# ')
> -
>   optional_policy(`
> -	mta_read_config(spamd_update_t)
> +	gpg_spec_domtrans(spamd_update_t, spamd_gpg_t)
> +	gpg_entry_type(spamd_gpg_t)
> +	role system_r types spamd_gpg_t;
> +
> +	allow spamd_gpg_t self:capability { dac_override dac_read_search };
> +	allow spamd_gpg_t self:unix_stream_socket { connect create };
> +
> +	allow spamd_gpg_t spamd_update_t:fd use;
> +	allow spamd_gpg_t spamd_update_t:process sigchld;
> +	allow spamd_gpg_t spamd_update_t:fifo_file { getattr write };
> +	allow spamd_gpg_t spamd_var_lib_t:dir search_dir_perms;
> +	allow spamd_gpg_t spamd_var_lib_t:file rw_file_perms;
> +	allow spamd_gpg_t spamd_update_tmp_t:file read_file_perms;
> +
> +	# fips
> +	kernel_search_crypto_sysctls(spamd_gpg_t)
> +
> +	domain_use_interactive_fds(spamd_gpg_t)
> +
> +	files_read_etc_files(spamd_gpg_t)
> +	files_read_usr_files(spamd_gpg_t)
> +	files_search_var_lib(spamd_gpg_t)
> +	files_search_pids(spamd_gpg_t)
> +	files_search_tmp(spamd_gpg_t)
> +
> +	init_use_fds(spamd_gpg_t)
> +	init_rw_inherited_stream_socket(spamd_gpg_t)
> +
> +	miscfiles_read_localization(spamd_gpg_t)
> +
> +	userdom_use_inherited_user_terminals(spamd_gpg_t)
>   ')
> 


-- 
Chris PeBenito