From: cgzones@googlemail.com (=?UTF-8?Q?Christian_G=C3=B6ttsche?=) Date: Wed, 13 Sep 2017 10:17:06 +0200 Subject: [refpolicy] [PATCH] spamassassin: update In-Reply-To: <1cef68cc-3c8b-7828-6e76-6da699efe800@ieee.org> References: <20170912094818.5632-1-cgzones@googlemail.com> <1cef68cc-3c8b-7828-6e76-6da699efe800@ieee.org> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com 2017-09-13 1:48 GMT+02:00 Chris PeBenito : > On 09/12/2017 05:48 AM, Christian G?ttsche via refpolicy wrote: >> >> - add filecontexts >> - review admin interfaces >> - enhance sa-update policy >> >> v2: >> >> - drop list -> search changes in admin interface >> - use run instead of role interface for spamd_update >> - drop runtime_t rename >> - drop alias removal >> --- >> spamassassin.fc | 8 ++++- >> spamassassin.if | 43 +++++++++++++++++++++----- >> spamassassin.te | 95 >> +++++++++++++++++++++++++++++++++++++++------------------ >> 3 files changed, 109 insertions(+), 37 deletions(-) >> >> diff --git a/spamassassin.fc b/spamassassin.fc >> index 18fa75f..a8b3c01 100644 >> --- a/spamassassin.fc >> +++ b/spamassassin.fc >> @@ -1,6 +1,7 @@ >> HOME_DIR/\.spamassassin(/.*)? >> gen_context(system_u:object_r:spamassassin_home_t,s0) >> HOME_DIR/\.spamd(/.*)? >> gen_context(system_u:object_r:spamd_home_t,s0) >> +/etc/rc\.d/init\.d/spamassassin -- >> gen_context(system_u:object_r:spamassassin_initrc_exec_t,s0) >> /etc/rc\.d/init\.d/spamd -- >> gen_context(system_u:object_r:spamd_initrc_exec_t,s0) >> /etc/rc\.d/init\.d/spampd -- >> gen_context(system_u:object_r:spamd_initrc_exec_t,s0) >> /etc/rc\.d/init\.d/mimedefang.* -- >> gen_context(system_u:object_r:spamd_initrc_exec_t,s0) 
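Review bot: The new `/etc/rc\.d/init\.d/spamassassin` entry introduces a separate `spamassassin_initrc_exec_t`, while the sibling `spamd`, `spampd` and `mimedefang` scripts on the adjacent lines all share `spamd_initrc_exec_t`. Unless some domain is meant to treat this script differently, the split only adds a type that nothing starts or stops: the `init_startstop_service` call in `spamassassin_admin` later in this patch passes only `spamd_initrc_exec_t`. Labeling it `gen_context(system_u:object_r:spamd_initrc_exec_t,s0)` like its siblings would keep a single manageable type; if the distinct type is intentional, a short comment above the entry naming the reason would help the next reader.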
>> @@ -17,14 +18,19 @@ HOME_DIR/\.spamd(/.*)? >> gen_context(system_u:object_r:spamd_home_t,s0) >> /usr/sbin/spamd -- >> gen_context(system_u:object_r:spamd_exec_t,s0) >> /usr/sbin/spampd -- >> gen_context(system_u:object_r:spamd_exec_t,s0) >> +/usr/lib/systemd/system/spamassassin\.service -- >> gen_context(system_u:object_r:spamassassin_unit_t,s0) >> + >> /var/lib/spamassassin(/.*)? >> gen_context(system_u:object_r:spamd_var_lib_t,s0) >> /var/lib/spamassassin/compiled(/.*)? >> gen_context(system_u:object_r:spamd_compiled_t,s0) >> /var/log/spamd\.log.* -- >> gen_context(system_u:object_r:spamd_log_t,s0) >> /var/log/mimedefang.* -- >> gen_context(system_u:object_r:spamd_log_t,s0) >> +/var/vmail/\.spamassassin(/.*)? >> gen_context(system_u:object_r:spamassassin_home_t,s0) >> + >> /run/spamassassin(/.*)? >> gen_context(system_u:object_r:spamd_var_run_t,s0) >> -/run/spamassassin\.pid >> gen_context(system_u:object_r:spamd_var_run_t,s0) >> +/run/spamassassin\.pid -- >> gen_context(system_u:object_r:spamd_var_run_t,s0) >> +/run/spamd\.pid -- >> gen_context(system_u:object_r:spamd_var_run_t,s0) >> /var/spool/spamassassin(/.*)? >> gen_context(system_u:object_r:spamd_spool_t,s0) >> /var/spool/spamd(/.*)? >> gen_context(system_u:object_r:spamd_spool_t,s0) >> diff --git a/spamassassin.if b/spamassassin.if >> index e915b5f..ddfff8c 100644 >> --- a/spamassassin.if >> +++ b/spamassassin.if 
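Review bot: `/var/vmail/\.spamassassin(/.*)?` is given `spamassassin_home_t`, a user-home content type, on a fixed system path rather than through a `HOME_DIR` entry. Because `spamassassin_role` (in the .if hunk further down) grants its role manage and relabel permissions on `spamassassin_home_t` dirs and files, every user domain assigned that role also gains SELinux-level write access to this shared mail-store directory, leaving only DAC to separate it. If the vmail layout is a deliberate target, a comment such as `# virtual mail users' home (e.g. vmail setups); writable by any role given spamassassin_role` should go above the entry; otherwise a dedicated type, or leaving the path to the distribution's local file contexts, would be the safer choice.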
>> @@ -27,8 +27,7 @@ interface(`spamassassin_role',` >> domtrans_pattern($2, spamassassin_exec_t, spamassassin_t) >> domtrans_pattern($2, spamc_exec_t, spamc_t) >> - allow $2 { spamc_t spamassassin_t}:process { ptrace signal_perms >> }; >> - ps_process_pattern($2, { spamc_t spamassassin_t }) >> + admin_process_pattern($2, { spamc_t spamassassin_t }) >> allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t >> spamassassin_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; >> allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t >> spamassassin_tmp_t }:file { manage_file_perms relabel_file_perms }; >> @@ -37,6 +36,33 @@ interface(`spamassassin_role',` >> userdom_user_home_dir_filetrans($2, spamd_home_t, dir, ".spamd") >> ') >> +######################################## >> +## >> +## Execute sa-update in the spamd-update domain, >> +## and allow the specified role >> +## the spamd-update domain. Also allow transitive >> +## access to the private gpg domain. >> +## >> +## >> +## >> +## Domain allowed to transition. >> +## >> +## >> +## >> +## >> +## Role allowed access. >> +## >> +## >> +# >> +interface(`spamassassin_run_update',` >> + gen_require(` >> + type spamd_gpg_t, spamd_update_exec_t, spamd_update_t; >> + ') >> + >> + role 21 types { spamd_update_t spamd_gpg_t }; > > > A patch issue here. > > > >> + domtrans_pattern($1, spamd_update_exec_t, spamd_update_t) >> +') >> + >> ######################################## >> ## >> ## Execute the standalone spamassassin 
>> @@ -378,16 +404,16 @@ interface(`spamassassin_admin',` >> gen_require(` >> type spamd_t, spamd_tmp_t, spamd_log_t; >> type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t; >> - type spamd_initrc_exec_t; >> + type spamd_initrc_exec_t, spamassassin_unit_t; >> + type spamd_gpg_t, spamd_update_t; >> ') >> - allow $1 spamd_t:process { ptrace signal_perms }; >> - ps_process_pattern($1, spamd_t) >> + admin_process_pattern($1, { spamd_t spamd_gpg_t spamd_update_t }) >> - init_startstop_service($1, $2, spamd_t, spamd_initrc_exec_t) >> + init_startstop_service($1, $2, spamd_t, spamd_initrc_exec_t, >> spamassassin_unit_t) >> files_list_tmp($1) >> - admin_pattern($1, spamd_tmp_t) >> + admin_pattern($1, { spamd_tmp_t spamd_update_tmp_t }) >> logging_list_logs($1) >> admin_pattern($1, spamd_log_t) >> @@ -403,4 +429,7 @@ interface(`spamassassin_admin',` >> # This makes it impossible to apply _admin if _role has already >> been applied >> #spamassassin_role($2, $1) >> + >> + # sa-update >> + spamassassin_run_update($1, $2) >> ') >> diff --git a/spamassassin.te b/spamassassin.te >> index 72e781e..08c153d 100644 >> --- a/spamassassin.te >> +++ b/spamassassin.te >> @@ -25,6 +25,9 @@ type spamd_update_t; >> type spamd_update_exec_t; >> init_system_domain(spamd_update_t, spamd_update_exec_t) >> +type spamd_update_tmp_t; >> +files_tmp_file(spamd_update_tmp_t) >> + >> type spamassassin_t; >> type spamassassin_exec_t; >> typealias spamassassin_t alias { user_spamassassin_t >> staff_spamassassin_t sysadm_spamassassin_t }; 
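Review bot: `admin_pattern($1, { spamd_tmp_t spamd_update_tmp_t })` references `spamd_update_tmp_t`, but the updated `gen_require` in `spamassassin_admin` never declares it (only `spamd_gpg_t, spamd_update_t` were added), so any module calling this interface will fail to build on an unknown type; extend the require to `type spamd_gpg_t, spamd_update_t, spamd_update_tmp_t;`. Separately, the patch adds `spamassassin_initrc_exec_t` in the .fc and .te, yet the `init_startstop_service` call here still passes only `spamd_initrc_exec_t`, so the admin role cannot start or stop the new init script; either add the type to the require with a second `init_startstop_service($1, $2, spamd_t, spamassassin_initrc_exec_t)` call, or label the script with the existing `spamd_initrc_exec_t`. The middle of `spamassassin_admin` between the two hunks is outside this view.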
>> @@ -36,11 +39,17 @@ typealias spamassassin_home_t alias { >> user_spamassassin_home_t staff_spamassassi >> typealias spamassassin_home_t alias { auditadm_spamassassin_home_t >> secadm_spamassassin_home_t }; >> userdom_user_home_content(spamassassin_home_t) >> +type spamassassin_initrc_exec_t; >> +init_script_file(spamassassin_initrc_exec_t) >> + >> type spamassassin_tmp_t; >> typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t >> staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; >> typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t >> secadm_spamassassin_tmp_t }; >> userdom_user_tmp_file(spamassassin_tmp_t) >> +type spamassassin_unit_t; >> +init_unit_file(spamassassin_unit_t) >> + >> type spamc_t; >> type spamc_exec_t; >> typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t }; >> @@ -63,6 +72,9 @@ files_type(spamd_compiled_t) >> type spamd_etc_t; >> files_config_file(spamd_etc_t) >> +type spamd_gpg_t; >> +domain_type(spamd_gpg_t) >> + >> type spamd_home_t; >> userdom_user_home_content(spamd_home_t) >> @@ -119,7 +131,6 @@ files_read_etc_files(spamassassin_t) >> files_read_etc_runtime_files(spamassassin_t) >> files_list_home(spamassassin_t) >> files_read_usr_files(spamassassin_t) >> -files_dontaudit_search_var(spamassassin_t) >> logging_send_syslog_msg(spamassassin_t) >> @@ -216,7 +227,6 @@ fs_search_auto_mountpoints(spamc_t) >> files_read_etc_runtime_files(spamc_t) >> files_read_usr_files(spamc_t) >> -files_dontaudit_search_var(spamc_t) >> files_list_home(spamc_t) >> files_list_var_lib(spamc_t) 
>> @@ -276,8 +286,7 @@ optional_policy(` >> # Daemon local policy >> # >> -allow spamd_t self:capability { dac_override kill setgid setuid >> sys_tty_config }; >> -dontaudit spamd_t self:capability sys_tty_config; >> +allow spamd_t self:capability { dac_override kill setgid setuid }; >> allow spamd_t self:process { transition signal_perms getsched setsched >> getsession getpgid setpgid getcap setcap share getattr noatsecure siginh >> rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; >> allow spamd_t self:fd use; >> allow spamd_t self:fifo_file rw_fifo_file_perms; >> @@ -328,6 +337,9 @@ can_exec(spamd_t, { spamd_exec_t spamd_compiled_t }) >> kernel_read_all_sysctls(spamd_t) >> kernel_read_system_state(spamd_t) >> +auth_dontaudit_read_shadow(spamd_t) >> +auth_use_nsswitch(spamd_t) > > > These lines were in the correct location below. Can you please specify in the style guard in the "Local policy rules" section, what "kernel layer modules" are? kernel_, corenet_, dev_ ... > > >> corenet_all_recvfrom_unlabeled(spamd_t) >> corenet_all_recvfrom_netlabel(spamd_t) >> corenet_tcp_sendrecv_generic_if(spamd_t) >> @@ -369,11 +381,6 @@ files_read_etc_runtime_files(spamd_t) >> fs_getattr_all_fs(spamd_t) >> fs_search_auto_mountpoints(spamd_t) >> -auth_use_nsswitch(spamd_t) >> -auth_dontaudit_read_shadow(spamd_t) >> - >> -init_dontaudit_rw_utmp(spamd_t) >> - >> libs_use_ld_so(spamd_t) >> libs_use_shared_libs(spamd_t) >> @@ -383,8 +390,6 @@ miscfiles_read_localization(spamd_t) >> sysnet_use_ldap(spamd_t) >> -userdom_use_unpriv_users_fds(spamd_t) >> - >> tunable_policy(`spamd_enable_home_dirs',` >> userdom_manage_user_home_content_dirs(spamd_t) >> userdom_manage_user_home_content_files(spamd_t) >> @@ -439,6 +444,10 @@ optional_policy(` >> milter_manage_spamass_state(spamd_t) >> ') >> +optional_policy(` >> + mta_getattr_spool(spamd_t) >> +') >> + >> optional_policy(` >> mysql_stream_connect(spamd_t) >> mysql_tcp_connect(spamd_t) 
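Review bot: The rewritten capability line removes `sys_tty_config` from the allow together with the redundant `dontaudit` that followed it, so if spamd still attempts the operation (the old allow suggests it once did) the result is now a logged denial rather than a silent one. If the capability is not actually needed, keeping the usual daemon form `dontaudit spamd_t self:capability sys_tty_config;` avoids audit noise without granting anything; if it is needed, the allow has to stay. A sentence in the commit message saying the daemon was exercised without it would settle the question. The spamd_t local policy continues outside this hunk.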
>> @@ -464,10 +473,6 @@ optional_policy(` >> razor_manage_home_content(spamd_t) >> ') >> -optional_policy(` >> - seutil_sigchld_newrole(spamd_t) >> -') >> - >> optional_policy(` >> sendmail_stub(spamd_t) >> mta_read_config(spamd_t) >> @@ -483,13 +488,14 @@ optional_policy(` >> # Update local policy >> # >> -allow spamd_update_t self:capability dac_override; >> +allow spamd_update_t self:capability dac_read_search; >> +allow spamd_update_t self:process signal; >> allow spamd_update_t self:fifo_file manage_fifo_file_perms; >> allow spamd_update_t self:unix_stream_socket create_stream_socket_perms; >> -manage_dirs_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t) >> -manage_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t) >> -files_tmp_filetrans(spamd_update_t, spamd_tmp_t, { file dir }) >> +manage_dirs_pattern(spamd_update_t, spamd_update_tmp_t, >> spamd_update_tmp_t) >> +manage_files_pattern(spamd_update_t, spamd_update_tmp_t, >> spamd_update_tmp_t) >> +files_tmp_filetrans(spamd_update_t, spamd_update_tmp_t, { file dir }) >> manage_dirs_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t) >> manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t) >> @@ -497,6 +503,9 @@ manage_lnk_files_pattern(spamd_update_t, >> spamd_var_lib_t, spamd_var_lib_t) >> kernel_read_system_state(spamd_update_t) >> +auth_use_nsswitch(spamd_update_t) >> +auth_dontaudit_read_shadow(spamd_update_t) > > > These lines were in the correct place. > > >> corenet_all_recvfrom_unlabeled(spamd_update_t) >> corenet_all_recvfrom_netlabel(spamd_update_t) >> corenet_tcp_sendrecv_generic_if(spamd_update_t) 
>> @@ -510,29 +519,57 @@ corenet_tcp_sendrecv_http_port(spamd_update_t) >> corecmd_exec_bin(spamd_update_t) >> corecmd_exec_shell(spamd_update_t) >> +corenet_tcp_bind_generic_node(spamd_update_t) >> +corenet_udp_bind_generic_node(spamd_update_t) >> + >> dev_read_urand(spamd_update_t) >> domain_use_interactive_fds(spamd_update_t) >> files_read_usr_files(spamd_update_t) >> -auth_use_nsswitch(spamd_update_t) >> -auth_dontaudit_read_shadow(spamd_update_t) >> +fs_getattr_xattr_fs(spamd_update_t) >> miscfiles_read_localization(spamd_update_t) >> -userdom_use_user_terminals(spamd_update_t) >> +userdom_use_inherited_user_terminals(spamd_update_t) >> +userdom_dontaudit_search_user_home_dirs(spamd_update_t) >> +userdom_dontaudit_search_user_home_content(spamd_update_t) >> optional_policy(` >> cron_system_entry(spamd_update_t, spamd_update_exec_t) >> ') >> -# probably want a solution same as httpd_use_gpg since this will >> -# give spamd_update a path to users gpg keys >> -# optional_policy(` >> -# gpg_domtrans(spamd_update_t) >> -# ') >> - >> optional_policy(` >> - mta_read_config(spamd_update_t) >> + gpg_spec_domtrans(spamd_update_t, spamd_gpg_t) >> + gpg_entry_type(spamd_gpg_t) >> + role system_r types spamd_gpg_t; >> + >> + allow spamd_gpg_t self:capability { dac_override dac_read_search >> }; >> + allow spamd_gpg_t self:unix_stream_socket { connect create }; >> + >> + allow spamd_gpg_t spamd_update_t:fd use; >> + allow spamd_gpg_t spamd_update_t:process sigchld; >> + allow spamd_gpg_t spamd_update_t:fifo_file { getattr write }; >> + allow spamd_gpg_t spamd_var_lib_t:dir search_dir_perms; >> + allow spamd_gpg_t spamd_var_lib_t:file rw_file_perms; >> + allow spamd_gpg_t spamd_update_tmp_t:file read_file_perms; >> + >> + # fips >> + kernel_search_crypto_sysctls(spamd_gpg_t) >> + >> + domain_use_interactive_fds(spamd_gpg_t) >> + >> + files_read_etc_files(spamd_gpg_t) >> + files_read_usr_files(spamd_gpg_t) >> + files_search_var_lib(spamd_gpg_t) >> + 
files_search_pids(spamd_gpg_t) >> + files_search_tmp(spamd_gpg_t) >> + >> + init_use_fds(spamd_gpg_t) >> + init_rw_inherited_stream_socket(spamd_gpg_t) >> + >> + miscfiles_read_localization(spamd_gpg_t) >> + >> + userdom_use_inherited_user_terminals(spamd_gpg_t) >> ') >> > > > -- > Chris PeBenito
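Review bot: `allow spamd_gpg_t self:capability { dac_override dac_read_search };` grants the gpg helper more than the same patch leaves to its parent, which it tightens from `dac_override` to `dac_read_search` in an earlier hunk. Unless gpg must write files it does not own, `allow spamd_gpg_t self:capability dac_read_search;` would match, and if override really is required a comment stating why should accompany it. The helper also gets only `search_dir_perms` on `spamd_var_lib_t` dirs and `rw_file_perms` on its files; if gpg has to create the keyring or its lock files under `/var/lib/spamassassin` on a first run, that creation would be denied, so this is worth confirming on a clean install before merging. Since the helper now runs in its own domain via `gpg_spec_domtrans`, the user-keyring exposure the removed comment warned about no longer applies, which the commit message could state explicitly.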