From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 13 Sep 2017 17:27:26 -0400
Subject: [refpolicy] [PATCH] spamassassin: update
In-Reply-To:
References: <20170912094818.5632-1-cgzones@googlemail.com> <1cef68cc-3c8b-7828-6e76-6da699efe800@ieee.org>
Message-ID: <6a413552-1dc7-ac6e-6d9a-944fa5f17f1b@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 09/13/2017 04:17 AM, Christian G?ttsche wrote:
> 2017-09-13 1:48 GMT+02:00 Chris PeBenito :
>> On 09/12/2017 05:48 AM, Christian G?ttsche via refpolicy wrote:
>>>
>>> - add filecontexts
>>> - review admin interfaces
>>> - enhance sa-update policy
>>>
>>> v2:
>>>
>>> - drop list -> search changes in admin interface
>>> - use run instead of role interface for spamd_update
>>> - drop runtime_t rename
>>> - drop alias removal
>>> ---
>>> spamassassin.fc | 8 ++++-
>>> spamassassin.if | 43 +++++++++++++++++++++-----
>>> spamassassin.te | 95
>>> +++++++++++++++++++++++++++++++++++++++------------------
>>> 3 files changed, 109 insertions(+), 37 deletions(-)
>>>
>>> diff --git a/spamassassin.fc b/spamassassin.fc
>>> index 18fa75f..a8b3c01 100644
>>> --- a/spamassassin.fc
>>> +++ b/spamassassin.fc
>>> @@ -1,6 +1,7 @@
>>> HOME_DIR/\.spamassassin(/.*)?
>>> gen_context(system_u:object_r:spamassassin_home_t,s0)
>>> HOME_DIR/\.spamd(/.*)?
>>> gen_context(system_u:object_r:spamd_home_t,s0)
>>> +/etc/rc\.d/init\.d/spamassassin --
>>> gen_context(system_u:object_r:spamassassin_initrc_exec_t,s0)
>>> /etc/rc\.d/init\.d/spamd --
>>> gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
>>> /etc/rc\.d/init\.d/spampd --
>>> gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
>>> /etc/rc\.d/init\.d/mimedefang.* --
>>> gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
>>> @@ -17,14 +18,19 @@ HOME_DIR/\.spamd(/.*)?
>>> gen_context(system_u:object_r:spamd_home_t,s0)
>>> /usr/sbin/spamd --
>>> gen_context(system_u:object_r:spamd_exec_t,s0)
>>> /usr/sbin/spampd --
>>> gen_context(system_u:object_r:spamd_exec_t,s0)
>>> +/usr/lib/systemd/system/spamassassin\.service --
>>> gen_context(system_u:object_r:spamassassin_unit_t,s0)
>>> +
>>> /var/lib/spamassassin(/.*)?
>>> gen_context(system_u:object_r:spamd_var_lib_t,s0)
>>> /var/lib/spamassassin/compiled(/.*)?
>>> gen_context(system_u:object_r:spamd_compiled_t,s0)
>>> /var/log/spamd\.log.* --
>>> gen_context(system_u:object_r:spamd_log_t,s0)
>>> /var/log/mimedefang.* --
>>> gen_context(system_u:object_r:spamd_log_t,s0)
>>> +/var/vmail/\.spamassassin(/.*)?
>>> gen_context(system_u:object_r:spamassassin_home_t,s0)
>>> +
>>> /run/spamassassin(/.*)?
>>> gen_context(system_u:object_r:spamd_var_run_t,s0)
>>> -/run/spamassassin\.pid
>>> gen_context(system_u:object_r:spamd_var_run_t,s0)
>>> +/run/spamassassin\.pid --
>>> gen_context(system_u:object_r:spamd_var_run_t,s0)
>>> +/run/spamd\.pid --
>>> gen_context(system_u:object_r:spamd_var_run_t,s0)
>>> /var/spool/spamassassin(/.*)?
>>> gen_context(system_u:object_r:spamd_spool_t,s0)
>>> /var/spool/spamd(/.*)?
>>> gen_context(system_u:object_r:spamd_spool_t,s0)
>>> diff --git a/spamassassin.if b/spamassassin.if
>>> index e915b5f..ddfff8c 100644
>>> --- a/spamassassin.if
>>> +++ b/spamassassin.if
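Review bot: The added `/var/vmail/\.spamassassin(/.*)?` entry in the `@@ -17,14 +18,19 @@` hunk of spamassassin.fc hard-codes a site-specific virtual-mail directory and labels it `spamassassin_home_t`, a type this module declares with `userdom_user_home_content()`. Domains that are allowed to manage user home content would presumably get the same access to that tree, which is wider than a dedicated mail-store label. A comment above the entry naming the setup that uses this path and why the home-content type is the intended label, for example `# per-user SpamAssassin state of virtual mail users kept under /var/vmail`, would let a reader judge that.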
>>> @@ -27,8 +27,7 @@ interface(`spamassassin_role',`
>>> domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
>>> domtrans_pattern($2, spamc_exec_t, spamc_t)
>>> - allow $2 { spamc_t spamassassin_t}:process { ptrace signal_perms
>>> };
>>> - ps_process_pattern($2, { spamc_t spamassassin_t })
>>> + admin_process_pattern($2, { spamc_t spamassassin_t })
>>> allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t
>>> spamassassin_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
>>> allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t
>>> spamassassin_tmp_t }:file { manage_file_perms relabel_file_perms };
>>> @@ -37,6 +36,33 @@ interface(`spamassassin_role',`
>>> userdom_user_home_dir_filetrans($2, spamd_home_t, dir, ".spamd")
>>> ')
>>> +########################################
>>> +##
>>> +## Execute sa-update in the spamd-update domain,
>>> +## and allow the specified role
>>> +## the spamd-update domain. Also allow transitive
>>> +## access to the private gpg domain.
>>> +##
>>> +##
>>> +##
>>> +## Domain allowed to transition.
>>> +##
>>> +##
>>> +##
>>> +##
>>> +## Role allowed access.
>>> +##
>>> +##
>>> +#
>>> +interface(`spamassassin_run_update',`
>>> + gen_require(`
>>> + type spamd_gpg_t, spamd_update_exec_t, spamd_update_t;
>>> + ')
>>> +
>>> + role 21 types { spamd_update_t spamd_gpg_t };
>>
>>
>> A patch issue here.
>>
>>
>>
>>> + domtrans_pattern($1, spamd_update_exec_t, spamd_update_t)
>>> +')
>>> +
>>> ########################################
>>> ##
>>> ## Execute the standalone spamassassin
>>> @@ -378,16 +404,16 @@ interface(`spamassassin_admin',`
>>> gen_require(`
>>> type spamd_t, spamd_tmp_t, spamd_log_t;
>>> type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t;
>>> - type spamd_initrc_exec_t;
>>> + type spamd_initrc_exec_t, spamassassin_unit_t;
>>> + type spamd_gpg_t, spamd_update_t;
>>> ')
>>> - allow $1 spamd_t:process { ptrace signal_perms };
>>> - ps_process_pattern($1, spamd_t)
>>> + admin_process_pattern($1, { spamd_t spamd_gpg_t spamd_update_t })
>>> - init_startstop_service($1, $2, spamd_t, spamd_initrc_exec_t)
>>> + init_startstop_service($1, $2, spamd_t, spamd_initrc_exec_t,
>>> spamassassin_unit_t)
>>> files_list_tmp($1)
>>> - admin_pattern($1, spamd_tmp_t)
>>> + admin_pattern($1, { spamd_tmp_t spamd_update_tmp_t })
>>> logging_list_logs($1)
>>> admin_pattern($1, spamd_log_t)
>>> @@ -403,4 +429,7 @@ interface(`spamassassin_admin',`
>>> # This makes it impossible to apply _admin if _role has already
>>> been applied
>>> #spamassassin_role($2, $1)
>>> +
>>> + # sa-update
>>> + spamassassin_run_update($1, $2)
>>> ')
>>> diff --git a/spamassassin.te b/spamassassin.te
>>> index 72e781e..08c153d 100644
>>> --- a/spamassassin.te
>>> +++ b/spamassassin.te
>>> @@ -25,6 +25,9 @@ type spamd_update_t;
>>> type spamd_update_exec_t;
>>> init_system_domain(spamd_update_t, spamd_update_exec_t)
>>> +type spamd_update_tmp_t;
>>> +files_tmp_file(spamd_update_tmp_t)
>>> +
>>> type spamassassin_t;
>>> type spamassassin_exec_t;
>>> typealias spamassassin_t alias { user_spamassassin_t
>>> staff_spamassassin_t sysadm_spamassassin_t };
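Review bot: `spamd_update_tmp_t` is named in the new `admin_pattern($1, { spamd_tmp_t spamd_update_tmp_t })` line of the `@@ -378,16 +404,16 @@` hunk of spamassassin.if, but the `gen_require` block of `spamassassin_admin` is only extended with `spamassassin_unit_t`, `spamd_gpg_t` and `spamd_update_t`. An interface has to require every type it names, so the added require line should read `type spamd_gpg_t, spamd_update_t, spamd_update_tmp_t;`. The same hunk also extends the process grant to `spamd_gpg_t` and `spamd_update_t`; assuming `admin_process_pattern` expands to the ptrace/signal rule and `ps_process_pattern` call it replaces, a one-line comment stating that the admin domain may now trace the sa-update and gpg helper domains would make that widening explicit. The interface body continues past this hunk.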
>>> @@ -36,11 +39,17 @@ typealias spamassassin_home_t alias {
>>> user_spamassassin_home_t staff_spamassassi
>>> typealias spamassassin_home_t alias { auditadm_spamassassin_home_t
>>> secadm_spamassassin_home_t };
>>> userdom_user_home_content(spamassassin_home_t)
>>> +type spamassassin_initrc_exec_t;
>>> +init_script_file(spamassassin_initrc_exec_t)
>>> +
>>> type spamassassin_tmp_t;
>>> typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t
>>> staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
>>> typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t
>>> secadm_spamassassin_tmp_t };
>>> userdom_user_tmp_file(spamassassin_tmp_t)
>>> +type spamassassin_unit_t;
>>> +init_unit_file(spamassassin_unit_t)
>>> +
>>> type spamc_t;
>>> type spamc_exec_t;
>>> typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
>>> @@ -63,6 +72,9 @@ files_type(spamd_compiled_t)
>>> type spamd_etc_t;
>>> files_config_file(spamd_etc_t)
>>> +type spamd_gpg_t;
>>> +domain_type(spamd_gpg_t)
>>> +
>>> type spamd_home_t;
>>> userdom_user_home_content(spamd_home_t)
>>> @@ -119,7 +131,6 @@ files_read_etc_files(spamassassin_t)
>>> files_read_etc_runtime_files(spamassassin_t)
>>> files_list_home(spamassassin_t)
>>> files_read_usr_files(spamassassin_t)
>>> -files_dontaudit_search_var(spamassassin_t)
>>> logging_send_syslog_msg(spamassassin_t)
>>> @@ -216,7 +227,6 @@ fs_search_auto_mountpoints(spamc_t)
>>> files_read_etc_runtime_files(spamc_t)
>>> files_read_usr_files(spamc_t)
>>> -files_dontaudit_search_var(spamc_t)
>>> files_list_home(spamc_t)
>>> files_list_var_lib(spamc_t)
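Review bot: `spamassassin_initrc_exec_t`, declared in the `@@ -36,11 +39,17 @@` hunk of spamassassin.te and assigned to `/etc/rc\.d/init\.d/spamassassin` in spamassassin.fc, is not referenced by any interface visible in this patch; `spamassassin_admin` still passes only `spamd_initrc_exec_t` to `init_startstop_service`. A domain granted `spamassassin_admin` would therefore presumably be unable to run that init script, unlike the neighbouring scripts labelled `spamd_initrc_exec_t`. Either label the script `spamd_initrc_exec_t` like the other entries, or add a comment above the declaration saying which service the script starts and wire the new type into the admin interface. The rest of spamassassin.te is cut off in this quote, so a use further down cannot be ruled out.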
>>> @@ -276,8 +286,7 @@ optional_policy(`
>>> # Daemon local policy
>>> #
>>> -allow spamd_t self:capability { dac_override kill setgid setuid
>>> sys_tty_config };
>>> -dontaudit spamd_t self:capability sys_tty_config;
>>> +allow spamd_t self:capability { dac_override kill setgid setuid };
>>> allow spamd_t self:process { transition signal_perms getsched setsched
>>> getsession getpgid setpgid getcap setcap share getattr noatsecure siginh
>>> rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
>>> allow spamd_t self:fd use;
>>> allow spamd_t self:fifo_file rw_fifo_file_perms;
>>> @@ -328,6 +337,9 @@ can_exec(spamd_t, { spamd_exec_t spamd_compiled_t })
>>> kernel_read_all_sysctls(spamd_t)
>>> kernel_read_system_state(spamd_t)
>>> +auth_dontaudit_read_shadow(spamd_t)
>>> +auth_use_nsswitch(spamd_t)
>>
>>
>> These lines were in the correct location below.
>
> Can you please specify in the style guard in the "Local policy rules"
> section, what "kernel layer modules" are?
> kernel_, corenet_, dev_ ...
It's all of the ones under policy/modules/kernel.
--
Chris PeBenito