From ef70117066d73c74903ef6cc6a6709be0b9936db Mon Sep 17 00:00:00 2001
From: Russell Coker
Date: Sun, 25 Sep 2022 23:58:18 +1000
Subject: [PATCH 1/5] Sympa list server

Policy for the Sympa mailing list server.

I think this is ready to merge, it works well.

Signed-off-by: Russell Coker
---
 policy/modules/services/apache.te | 15 +++
 policy/modules/services/exim.te | 7 +
 policy/modules/services/mta.if | 20 +++
 policy/modules/services/mta.te | 10 ++
 policy/modules/services/sympa.fc | 6 +
 policy/modules/services/sympa.if | 209 ++++++++++++++++++++++++++++++
 policy/modules/services/sympa.te | 86 ++++++++++++
 7 files changed, 353 insertions(+)
 create mode 100644 policy/modules/services/sympa.fc
 create mode 100644 policy/modules/services/sympa.if
 create mode 100644 policy/modules/services/sympa.te

diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index e2c50da23..5587583a1 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -896,6 +896,14 @@ optional_policy(`
 snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
 ')
 
+optional_policy(`
+ sympa_manage_runtime_sock_files(httpd_t)
+ sympa_map_var_files(httpd_t)
+ sympa_read_conf(httpd_t)
+ sympa_read_var_files(httpd_t)
+')
+
+
 ########################################
 #
 # Helper local policy
@@ -1237,6 +1245,8 @@ files_read_var_symlinks(httpd_sys_script_t)
 files_search_var_lib(httpd_sys_script_t)
 files_search_spool(httpd_sys_script_t)
 
+miscfiles_read_generic_certs(httpd_sys_script_t)
+
 apache_domtrans_rotatelogs(httpd_sys_script_t)
 auth_use_nsswitch(httpd_sys_script_t)
 
@@ -1319,6 +1329,11 @@ optional_policy(`
 ')
 ')
 
+optional_policy(`
+ sympa_manage_var_files(httpd_sys_script_t)
+ sympa_read_conf(httpd_sys_script_t)
+')
+
 ########################################
 #
 # Rotatelogs local policy
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
index 1aab4002c..20d5cb517 100644
--- a/policy/modules/services/exim.te
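Review bot: The first hunk grants httpd_t create, unlink, setattr and write on sympa_runtime_t sock files through `sympa_manage_runtime_sock_files(httpd_t)`, yet nothing in the series gives httpd_t `connectto` on sympa_t's unix_stream_socket, and the `sympa_connect_runtime_sock_files` interface added in sympa.if is never called. If Apache is only a client of a socket the sympa side creates, the conventional grant is a connect interface built on stream_connect_pattern, which does not let the web server replace the socket; create/unlink would only be justified if httpd itself spawns the FastCGI listener, which the patch does not say. The `miscfiles_read_generic_certs(httpd_sys_script_t)` line in the second hunk is unrelated to sympa and deserves either a comment naming what needs it or its own commit.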
+++ b/policy/modules/services/exim.te
@@ -250,3 +250,10 @@ optional_policy(`
 spamassassin_exec(exim_t)
 spamassassin_exec_client(exim_t)
 ')
+
+optional_policy(`
+ # each of these should probably be for mailserver_delivery or mailserver_domain
+ sympa_append_var_files(exim_t)
+ sympa_read_var_files(exim_t)
+ sympa_use_fd(exim_t)
+')
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 779c9a971..71d56eda9 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -805,6 +805,26 @@ interface(`mta_read_spool_symlinks',`
 allow $1 mail_spool_t:lnk_file read;
 ')
 
+#######################################
+##
+## read and write fifo files inherited from delivery domains
+##
+##
+##
+## Domain to use fifo files
+##
+##
+#
+interface(`mta_rw_delivery_fifos',`
+ gen_require(`
+ attribute mailserver_delivery;
+ ')
+
+ allow $1 mailserver_delivery:fd use;
+ allow $1 mailserver_delivery:fifo_file { getattr read write };
+')
+
+
 #######################################
 ##
 ## Do not audit attempts to read
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index d4569fce2..70427f356 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -297,6 +297,11 @@ optional_policy(`
 smartmon_read_tmp_files(system_mail_t)
 ')
 
+optional_policy(`
+ sympa_append_var_files(system_mail_t)
+ sympa_dontaudit_tcp_rw(system_mail_t)
+')
+
 optional_policy(`
 unconfined_use_fds(system_mail_t)
 ')
@@ -387,6 +392,11 @@ optional_policy(`
 postfix_rw_inherited_master_pipes(mailserver_delivery)
 ')
 
+optional_policy(`
+ sympa_dontaudit_tcp_rw(mailserver_delivery)
+ sympa_domtrans(mailserver_delivery)
+')
+
 optional_policy(`
 uucp_domtrans_uux(mailserver_delivery)
 ')
diff --git a/policy/modules/services/sympa.fc b/policy/modules/services/sympa.fc
new file mode 100644
index 000000000..328260c37
--- /dev/null
+++ b/policy/modules/services/sympa.fc
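Review bot: The exim hunk ships with the comment `# each of these should probably be for mailserver_delivery or mailserver_domain`, leaving the placement question unresolved in the committed policy; the mta.te hunk further down already adds a mailserver_delivery block containing `sympa_domtrans(mailserver_delivery)`, so these three calls belong next to it and exim_t picks them up through the attribute. That also avoids exim-specific duplication when postfix or sendmail deliver to the same alias pipe. Note that `sympa_read_var_files(exim_t)` grants directory listing and open/read on all of sympa_var_t, which per sympa.fc covers both /var/lib/sympa and /var/spool/sympa; if the MTA only needs the file it appends to, the read grant is wider than the comment implies.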
@@ -0,0 +1,6 @@
+/usr/lib/sympa/bin/.* -- gen_context(system_u:object_r:sympa_exec_t,s0)
+/var/lib/sympa(/.*)? gen_context(system_u:object_r:sympa_var_t,s0)
+/var/spool/sympa(/.*)? gen_context(system_u:object_r:sympa_var_t,s0)
+/run/sympa(/.*)? gen_context(system_u:object_r:sympa_runtime_t,s0)
+/etc/mail/sympa(/.*)? gen_context(system_u:object_r:sympa_etc_t,s0)
+/etc/sympa(/.*)? gen_context(system_u:object_r:sympa_etc_t,s0)
diff --git a/policy/modules/services/sympa.if b/policy/modules/services/sympa.if
new file mode 100644
index 000000000..3b05ce50e
--- /dev/null
+++ b/policy/modules/services/sympa.if
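Review bot: /var/lib/sympa and /var/spool/sympa share the single type sympa_var_t, so every grant on that type in this series (manage for httpd_sys_script_t, read for exim_t, append for system_mail_t) applies to the persistent state directory and the mail spool alike. A dedicated spool type, `type sympa_spool_t; files_type(sympa_spool_t)` in sympa.te with `/var/spool/sympa(/.*)? gen_context(system_u:object_r:sympa_spool_t,s0)` here, would let the MTA-side interfaces be limited to the spool while the web front end keeps its access to the state directory. Which of the two trees each client actually touches is not visible in the patch, so confirm against a running install before splitting.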
@@ -0,0 +1,209 @@
+## Sympa mailing list manager
+##
+##
+## Sympa is a popular mailing list manager.
+## https://www.sympa.org/
+##
+
+########################################
+##
+## Allow appending to sympa_var_t (for error log)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`sympa_append_var_files',`
+ gen_require(`
+ type sympa_var_t;
+ ')
+
+ allow $1 sympa_var_t:file { append getattr };
+')
+
+########################################
+##
+## Allow reading sympa_var_t files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`sympa_read_var_files',`
+ gen_require(`
+ type sympa_var_t;
+ ')
+
+ allow $1 sympa_var_t:dir list_dir_perms;
+ allow $1 sympa_var_t:file read_file_perms;
+')
+
+########################################
+##
+## Allow managing sympa_var_t files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`sympa_manage_var_files',`
+ gen_require(`
+ type sympa_var_t;
+ ')
+
+ allow $1 sympa_var_t:dir rw_dir_perms;
+ allow $1 sympa_var_t:file manage_file_perms;
+')
+
+########################################
+##
+## Allow mapping sympa_var_t files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`sympa_map_var_files',`
+ gen_require(`
+ type sympa_var_t;
+ ')
+
+ allow $1 sympa_var_t:file map;
+')
+
+########################################
+##
+## Transition to sympa_t when executing sympa_exec_t
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`sympa_domtrans',`
+ gen_require(`
+ type sympa_exec_t, sympa_t;
+ ')
+
+ domain_auto_transition_pattern($1, sympa_exec_t, sympa_t)
+')
+
+########################################
+##
+## Use file handles inherited from sympa
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`sympa_use_fd',`
+ gen_require(`
+ type sympa_t;
+ ')
+
+ allow $1 sympa_t:fd use;
+')
+
+########################################
+##
+## Dontaudit access to inherited sympa tcp sockets
+##
+##
+##
+## Domain to not audit
+##
+##
+#
+interface(`sympa_dontaudit_tcp_rw',`
+ gen_require(`
+ type sympa_t;
+ ')
+
+ dontaudit $1 sympa_t:tcp_socket { read write };
+')
+
+########################################
+##
+## Allow reading sympa config files
+##
+##
+##
+## Domain to allow
+##
+##
+#
+interface(`sympa_read_conf',`
+ gen_require(`
+ type sympa_etc_t;
+ ')
+
+ allow $1 sympa_etc_t:dir list_dir_perms;
+ allow $1 sympa_etc_t:file read_file_perms;
+')
+
+########################################
+##
+## Allow rw sympa runtime dirs and manage sympa runtime files
+##
+##
+##
+## Domain to allow
+##
+##
+#
+interface(`sympa_manage_runtime_files',`
+ gen_require(`
+ type sympa_runtime_t;
+ ')
+
+ allow $1 sympa_runtime_t:dir rw_dir_perms;
+ allow $1 sympa_runtime_t:file manage_file_perms;
+')
+
+########################################
+##
+## Allow rw sympa runtime dirs and manage sympa runtime sock files
+##
+##
+##
+## Domain to allow
+##
+##
+#
+interface(`sympa_manage_runtime_sock_files',`
+ gen_require(`
+ type sympa_runtime_t;
+ ')
+
+ allow $1 sympa_runtime_t:dir rw_dir_perms;
+ allow $1 sympa_runtime_t:sock_file { setattr create unlink write };
+')
+
+########################################
+##
+## Allow domain to connect to sympa socket
+##
+##
+##
+## Domain to allow
+##
+##
+#
+interface(`sympa_connect_runtime_sock_files',`
+ gen_require(`
+ type sympa_t;
+ ')
+
+ allow $1 sympa_t:unix_stream_socket connectto;
+')
diff --git a/policy/modules/services/sympa.te b/policy/modules/services/sympa.te
new file mode 100644
index 000000000..5db699b30
--- /dev/null
+++ b/policy/modules/services/sympa.te
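Review bot: `sympa_connect_runtime_sock_files` grants only `connectto` on sympa_t:unix_stream_socket; a caller also needs search on sympa_runtime_t:dir and write on the sock file, so the body should be `stream_connect_pattern($1, sympa_runtime_t, sympa_runtime_t, sympa_t)` with `type sympa_runtime_t, sympa_t;` in gen_require. It is also not called anywhere in the series (apache.te uses the manage interface instead), so as written it is dead code. Separately, `sympa_manage_runtime_sock_files` hands out `{ setattr create unlink write }` without getattr; the conventional `manage_sock_file_perms` set is what the name promises and would avoid a follow-up denial on stat.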
@@ -0,0 +1,86 @@
+policy_module(sympa,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type sympa_t;
+type sympa_exec_t;
+init_daemon_domain(sympa_t, sympa_exec_t)
+
+type sympa_var_t;
+files_type(sympa_var_t)
+
+type sympa_runtime_t;
+files_runtime_file(sympa_runtime_t)
+
+type sympa_etc_t;
+files_config_file(sympa_etc_t)
+
+type sympa_tmp_t;
+files_tmp_file(sympa_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow sympa_t self:capability { chown dac_override setgid setuid };
+allow sympa_t self:fifo_file rw_file_perms;
+allow sympa_t self:tcp_socket create_socket_perms;
+allow sympa_t self:unix_dgram_socket create_socket_perms;
+allow sympa_t self:process signull;
+allow sympa_t sympa_var_t:dir manage_dir_perms;
+allow sympa_t sympa_var_t:file manage_file_perms;
+
+allow sympa_t sympa_runtime_t:dir manage_dir_perms;
+allow sympa_t sympa_runtime_t:file manage_file_perms;
+allow sympa_t sympa_runtime_t:sock_file { create setattr unlink write };
+
+allow sympa_t sympa_etc_t:dir list_dir_perms;
+allow sympa_t sympa_etc_t:file read_file_perms;
+
+files_tmp_filetrans(sympa_t, sympa_tmp_t, { file })
+allow sympa_t sympa_tmp_t:file manage_file_perms;
+
+can_exec(sympa_t, sympa_exec_t)
+
+kernel_read_kernel_sysctls(sympa_t)
+
+auth_dontaudit_read_shadow(sympa_t)
+
+# for setting SE Linux context in systemd unit file
+corecmd_bin_entry_type(sympa_t)
+
+corecmd_exec_bin(sympa_t)
+corecmd_exec_shell(sympa_t)
+
+dev_read_urand(sympa_t)
+
+files_read_etc_files(sympa_t)
+files_read_usr_files(sympa_t)
+files_search_spool(sympa_t)
+files_search_var_lib(sympa_t)
+
+logging_send_syslog_msg(sympa_t)
+
+miscfiles_read_generic_certs(sympa_t)
+miscfiles_read_localization(sympa_t)
+
+sysnet_read_config(sympa_t)
+
+optional_policy(`
+ apache_search_sys_scripts(sympa_t)
+')
+
+optional_policy(`
+ mta_read_config(sympa_t)
+ mta_send_mail(sympa_t)
+ mta_rw_delivery_fifos(sympa_t)
+')
+
+optional_policy(`
+ mysql_tcp_connect(sympa_t)
+ mysql_stream_connect(sympa_t)
+')
From 6a0a90065e1a8462e1b9fc024ee42b5644f3c7f8 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mon, 10 Oct 2022 10:07:23 -0400
Subject: [PATCH 2/5] sympa: Move lines.

Signed-off-by: Chris PeBenito
---
 policy/modules/services/sympa.fc | 11 +++++++----
 policy/modules/services/sympa.te | 29 +++++++++++++++--------------
 2 files changed, 22 insertions(+), 18 deletions(-)

diff --git a/policy/modules/services/sympa.fc b/policy/modules/services/sympa.fc
index 328260c37..c40da944e 100644
--- a/policy/modules/services/sympa.fc
+++ b/policy/modules/services/sympa.fc
@@ -1,6 +1,9 @@
-/usr/lib/sympa/bin/.* -- gen_context(system_u:object_r:sympa_exec_t,s0)
-/var/lib/sympa(/.*)? gen_context(system_u:object_r:sympa_var_t,s0)
-/var/spool/sympa(/.*)? gen_context(system_u:object_r:sympa_var_t,s0)
-/run/sympa(/.*)? gen_context(system_u:object_r:sympa_runtime_t,s0)
 /etc/mail/sympa(/.*)? gen_context(system_u:object_r:sympa_etc_t,s0)
 /etc/sympa(/.*)? gen_context(system_u:object_r:sympa_etc_t,s0)
+
+/run/sympa(/.*)? gen_context(system_u:object_r:sympa_runtime_t,s0)
+
+/usr/lib/sympa/bin/.* -- gen_context(system_u:object_r:sympa_exec_t,s0)
+
+/var/lib/sympa(/.*)? gen_context(system_u:object_r:sympa_var_t,s0)
+/var/spool/sympa(/.*)? gen_context(system_u:object_r:sympa_var_t,s0)
diff --git a/policy/modules/services/sympa.te b/policy/modules/services/sympa.te
index 5db699b30..9689cf890 100644
--- a/policy/modules/services/sympa.te
+++ b/policy/modules/services/sympa.te
@@ -9,18 +9,18 @@ type sympa_t;
 type sympa_exec_t;
 init_daemon_domain(sympa_t, sympa_exec_t)
 
-type sympa_var_t;
-files_type(sympa_var_t)
+type sympa_etc_t;
+files_config_file(sympa_etc_t)
 
 type sympa_runtime_t;
 files_runtime_file(sympa_runtime_t)
 
-type sympa_etc_t;
-files_config_file(sympa_etc_t)
-
 type sympa_tmp_t;
 files_tmp_file(sympa_tmp_t)
 
+type sympa_var_t;
+files_type(sympa_var_t)
+
 ########################################
 #
 # Local policy
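Review bot: `corecmd_bin_entry_type(sympa_t)` makes every bin_t executable a valid entrypoint for sympa_t, so the daemon domain can be entered through a generic interpreter or shell rather than only through sympa_exec_t; the comment says this exists for `SELinuxContext=` in the systemd unit. If the unit starts the daemon as `/usr/bin/perl /usr/lib/sympa/bin/sympa.pl` (not shown here), the cleaner fix is an ExecStart that runs the script directly so init_daemon_domain's transition on sympa_exec_t applies and the entry_type rule can be dropped. The unconditional `dac_override` capability also deserves a comment naming the access that needs it, since the spool and state directories are already sympa_var_t and fully writable by sympa_t.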
@@ -31,23 +31,22 @@ allow sympa_t self:fifo_file rw_file_perms;
 allow sympa_t self:tcp_socket create_socket_perms;
 allow sympa_t self:unix_dgram_socket create_socket_perms;
 allow sympa_t self:process signull;
-allow sympa_t sympa_var_t:dir manage_dir_perms;
-allow sympa_t sympa_var_t:file manage_file_perms;
-
-allow sympa_t sympa_runtime_t:dir manage_dir_perms;
-allow sympa_t sympa_runtime_t:file manage_file_perms;
-allow sympa_t sympa_runtime_t:sock_file { create setattr unlink write };
 
 allow sympa_t sympa_etc_t:dir list_dir_perms;
 allow sympa_t sympa_etc_t:file read_file_perms;
 
-files_tmp_filetrans(sympa_t, sympa_tmp_t, { file })
+allow sympa_t sympa_runtime_t:dir manage_dir_perms;
+allow sympa_t sympa_runtime_t:file manage_file_perms;
+allow sympa_t sympa_runtime_t:sock_file manage_sock_file_perms;
+
+allow sympa_t sympa_var_t:dir manage_dir_perms;
+allow sympa_t sympa_var_t:file manage_file_perms;
+
 allow sympa_t sympa_tmp_t:file manage_file_perms;
+files_tmp_filetrans(sympa_t, sympa_tmp_t, { file })
 
 can_exec(sympa_t, sympa_exec_t)
 
-kernel_read_kernel_sysctls(sympa_t)
-
 auth_dontaudit_read_shadow(sympa_t)
 
 # for setting SE Linux context in systemd unit file
@@ -63,6 +62,8 @@ files_read_usr_files(sympa_t)
 files_search_spool(sympa_t)
 files_search_var_lib(sympa_t)
 
+kernel_read_kernel_sysctls(sympa_t)
+
 logging_send_syslog_msg(sympa_t)
 
 miscfiles_read_generic_certs(sympa_t)
From be2ba4e4730d52687767a4b3e4cc0d9289bb38d1 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mon, 10 Oct 2022 10:07:58 -0400
Subject: [PATCH 3/5] sympa: Drop module version.

Signed-off-by: Chris PeBenito
---
 policy/modules/services/sympa.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/sympa.te b/policy/modules/services/sympa.te
index 9689cf890..162505fa8 100644
--- a/policy/modules/services/sympa.te
+++ b/policy/modules/services/sympa.te
@@ -1,4 +1,4 @@
-policy_module(sympa,1.0.0)
+policy_module(sympa)
 
 ########################################
 #
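Review bot: Although the commit is titled "Move lines", this hunk also replaces `allow sympa_t sympa_runtime_t:sock_file { create setattr unlink write };` with `allow sympa_t sympa_runtime_t:sock_file manage_sock_file_perms;`, which additionally grants getattr, rename, link and the rest of the manage set. That is a reasonable widening for the daemon that owns the socket, but it is a policy change rather than a move and should be named in the commit message or split into its own commit so it is not hidden inside the reshuffle.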
From 3fd5341bffde5a1ab4f9f7124af5cabc183a7dd9 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mon, 10 Oct 2022 10:09:18 -0400
Subject: [PATCH 4/5] sympa, mta, exim: Revise interfaces.

Revise interfaces added as part of sympa work.

Signed-off-by: Chris PeBenito
---
 policy/modules/services/exim.te | 3 +--
 policy/modules/services/mta.if | 4 ++--
 policy/modules/services/mta.te | 6 +++---
 policy/modules/services/sympa.if | 31 ++++++-------------------------
 policy/modules/services/sympa.te | 2 +-
 policy/support/obj_perm_sets.spt | 1 +
 6 files changed, 14 insertions(+), 33 deletions(-)

diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
index 20d5cb517..5e001b37b 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -253,7 +253,6 @@ optional_policy(`
 
 optional_policy(`
 # each of these should probably be for mailserver_delivery or mailserver_domain
- sympa_append_var_files(exim_t)
+ sympa_append_inherited_var_files(exim_t)
 sympa_read_var_files(exim_t)
- sympa_use_fd(exim_t)
 ')
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 71d56eda9..a20b2c09d 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -815,13 +815,13 @@ interface(`mta_read_spool_symlinks',`
 ##
 ##
 #
-interface(`mta_rw_delivery_fifos',`
+interface(`mta_rw_inherited_delivery_pipes',`
 gen_require(`
 attribute mailserver_delivery;
 ')
 
 allow $1 mailserver_delivery:fd use;
- allow $1 mailserver_delivery:fifo_file { getattr read write };
+ allow $1 mailserver_delivery:fifo_file rw_inherited_fifo_file_perms;
 ')
 
 
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index 70427f356..817cbfe49 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
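Review bot: The exim hunk narrows the append grant to inherited descriptors with `sympa_append_inherited_var_files(exim_t)` but leaves `sympa_read_var_files(exim_t)` as a full open/read on all of sympa_var_t, and keeps the unresolved `# each of these should probably be for mailserver_delivery or mailserver_domain` comment. If exim only reads files that sympa hands it over the alias pipe, the matching narrowing would be an inherited-read interface; if it genuinely opens files under /var/lib/sympa or /var/spool/sympa, a comment saying which ones would justify the wider grant. Either way the block sits more naturally in mta.te next to `sympa_domtrans(mailserver_delivery)`, after which the comment can go.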
@@ -298,8 +298,8 @@ optional_policy(`
 ')
 
 optional_policy(`
- sympa_append_var_files(system_mail_t)
- sympa_dontaudit_tcp_rw(system_mail_t)
+ sympa_append_inherited_var_files(system_mail_t)
+ symba_dontaudit_rw_inherited_tcp_sockets(system_mail_t)
 ')
 
 optional_policy(`
@@ -393,7 +393,7 @@ optional_policy(`
 ')
 
 optional_policy(`
- sympa_dontaudit_tcp_rw(mailserver_delivery)
+ symba_dontaudit_rw_inherited_tcp_sockets(mailserver_delivery)
 sympa_domtrans(mailserver_delivery)
 ')
 
diff --git a/policy/modules/services/sympa.if b/policy/modules/services/sympa.if
index 3b05ce50e..79ed3b2a8 100644
--- a/policy/modules/services/sympa.if
+++ b/policy/modules/services/sympa.if
@@ -1,5 +1,4 @@
 ## Sympa mailing list manager
-##
 ##
 ## Sympa is a popular mailing list manager.
 ## https://www.sympa.org/
@@ -15,12 +14,13 @@
 ##
 ##
 #
-interface(`sympa_append_var_files',`
+interface(`sympa_append_inherited_var_files',`
 gen_require(`
- type sympa_var_t;
+ type sympa_t, sympa_var_t;
 ')
 
- allow $1 sympa_var_t:file { append getattr };
+ allow $1 sympa_t:fd use;
+ allow $1 sympa_var_t:file append_inherited_file_perms;
 ')
 
 ########################################
@@ -57,8 +57,7 @@ interface(`sympa_manage_var_files',`
 type sympa_var_t;
 ')
 
- allow $1 sympa_var_t:dir rw_dir_perms;
- allow $1 sympa_var_t:file manage_file_perms;
+ manage_files_pattern($1, sympa_var_t, sympa_var_t)
 ')
 
 ########################################
@@ -97,24 +96,6 @@ interface(`sympa_domtrans',`
 domain_auto_transition_pattern($1, sympa_exec_t, sympa_t)
 ')
 
-########################################
-##
-## Use file handles inherited from sympa
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`sympa_use_fd',`
- gen_require(`
- type sympa_t;
- ')
-
- allow $1 sympa_t:fd use;
-')
-
 ########################################
 ##
 ## Dontaudit access to inherited sympa tcp sockets
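Review bot: The interface renamed here to `sympa_append_inherited_var_files` now also grants `allow $1 sympa_t:fd use;`, but its summary a few lines above the hunk still reads `Allow appending to sympa_var_t (for error log)`, which no longer describes the inherited-descriptor contract. Suggest `Append to sympa_var_t files inherited from sympa (for error log)` so callers understand it does not permit opening the file themselves. The interface's documentation block starts outside the hunk.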
@@ -125,7 +106,7 @@ interface(`sympa_use_fd',`
 ##
 ##
 #
-interface(`sympa_dontaudit_tcp_rw',`
+interface(`symba_dontaudit_rw_inherited_tcp_sockets',`
 gen_require(`
 type sympa_t;
 ')
diff --git a/policy/modules/services/sympa.te b/policy/modules/services/sympa.te
index 162505fa8..b8bdaaf53 100644
--- a/policy/modules/services/sympa.te
+++ b/policy/modules/services/sympa.te
@@ -78,7 +78,7 @@ optional_policy(`
 optional_policy(`
 mta_read_config(sympa_t)
 mta_send_mail(sympa_t)
- mta_rw_delivery_fifos(sympa_t)
+ mta_rw_inherited_delivery_pipes(sympa_t)
 ')
 
 optional_policy(`
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 804a01b46..e62863f6f 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -155,6 +155,7 @@ define(`mmap_read_file_perms',`{ getattr open map read ioctl }')
 define(`mmap_exec_inherited_file_perms',`{ getattr map read execute ioctl }')
 define(`mmap_exec_file_perms',`{ getattr open map read execute ioctl }')
 define(`exec_file_perms',`{ getattr open map read execute ioctl execute_no_trans }')
+define(`append_inherited_file_perms',`{ getattr append lock ioctl }')
 define(`append_file_perms',`{ getattr open append lock ioctl }')
 define(`write_inherited_file_perms',`{ getattr write append lock ioctl }')
 define(`write_file_perms',`{ getattr open write append lock ioctl }')
From accdce94a23a77aa6f48d29b1a6d2fd1ea9f1ae5 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mon, 10 Oct 2022 10:39:05 -0400
Subject: [PATCH 5/5] sympa, logging; Fix lint errors.

Logging is from new append_inherited_file_perms set.

Signed-off-by: Chris PeBenito
---
 policy/modules/services/sympa.te | 2 +-
 policy/modules/system/logging.if | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/sympa.te b/policy/modules/services/sympa.te
index b8bdaaf53..b2aea679d 100644
--- a/policy/modules/services/sympa.te
+++ b/policy/modules/services/sympa.te
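Review bot: The interface is defined as `symba_dontaudit_rw_inherited_tcp_sockets`, a typo for `sympa_`, and the two callers in mta.te use the same misspelling, so the policy builds but the interface does not carry its module's prefix, which breaks the refpolicy naming convention and will be missed by anyone grepping for sympa_ interfaces. Rename the definition to interface(`sympa_dontaudit_rw_inherited_tcp_sockets',` and update both mta.te call sites in the same commit. The rest of the interface body is outside the hunk.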
@@ -27,7 +27,7 @@ files_type(sympa_var_t)
 #
 
 allow sympa_t self:capability { chown dac_override setgid setuid };
-allow sympa_t self:fifo_file rw_file_perms;
+allow sympa_t self:fifo_file rw_fifo_file_perms;
 allow sympa_t self:tcp_socket create_socket_perms;
 allow sympa_t self:unix_dgram_socket create_socket_perms;
 allow sympa_t self:process signull;
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 341763730..cf7ef1721 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -1069,7 +1069,7 @@ interface(`logging_append_all_inherited_logs',`
 attribute logfile;
 ')
 
- allow $1 logfile:file { getattr append ioctl lock };
+ allow $1 logfile:file append_inherited_file_perms;
 ')
 
 ########################################