latest ver of trivial mail server patch

Yes mmap is the standard way of accessing the mail spool. Removed spamd_gpg_t because there's no point to it, the separation doesn't provide an actual benefit. Made the other requested changes. Signed-off-by: Russell Coker <russell@coker.com.au>
2020-04-05 19:04:28 +10:00 · 2020-04-05 19:04:28 +10:00 · 47b44a0fc7
parent 886aa39bfb
commit 47b44a0fc7
10 changed files with 76 additions and 34 deletions
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@ -146,6 +146,7 @@ auth_use_nsswitch(clamd_t)

 logging_send_syslog_msg(clamd_t)

+miscfiles_read_generic_certs(clamd_t)
 miscfiles_read_localization(clamd_t)

 tunable_policy(`clamd_use_jit',`
@ -235,6 +236,7 @@ auth_use_nsswitch(freshclam_t)

 logging_send_syslog_msg(freshclam_t)

+miscfiles_read_generic_certs(freshclam_t)
 miscfiles_read_localization(freshclam_t)

 tunable_policy(`clamd_use_jit',`
--- a/policy/modules/services/dkim.te
+++ b/policy/modules/services/dkim.te
@ -44,6 +44,8 @@ files_pid_filetrans(dkim_milter_t, dkim_milter_data_t, { dir file })
 files_read_usr_files(dkim_milter_t)
 files_search_spool(dkim_milter_t)

+miscfiles_read_generic_certs(dkim_milter_t)
+
 optional_policy(`
 	mta_read_config(dkim_milter_t)
 ')
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@ -173,6 +173,7 @@ files_read_usr_files(dovecot_t)

 fs_getattr_all_fs(dovecot_t)
 fs_getattr_all_dirs(dovecot_t)
+fs_read_tmpfs_symlinks(dovecot_t)
 fs_search_auto_mountpoints(dovecot_t)
 fs_list_inotifyfs(dovecot_t)

@ -269,7 +270,12 @@ selinux_get_fs_mount(dovecot_auth_t)
 auth_domtrans_chk_passwd(dovecot_auth_t)
 auth_use_nsswitch(dovecot_auth_t)

+fs_search_tmpfs(dovecot_auth_t)
+fs_read_tmpfs_symlinks(dovecot_auth_t)
+
 init_rw_utmp(dovecot_auth_t)
+init_rw_inherited_stream_socket(dovecot_auth_t)
+init_use_fds(dovecot_auth_t)

 logging_send_audit_msgs(dovecot_auth_t)

--- a/policy/modules/services/mailman.fc
+++ b/policy/modules/services/mailman.fc
@ -1,6 +1,7 @@
 /etc/cron\.(daily|monthly)/mailman	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)

 /etc/mailman.*	gen_context(system_u:object_r:mailman_data_t,s0)
+/etc/mailman/postfix-to-mailman.py	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)

 /usr/lib/mailman/bin/mailmanctl	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 /usr/lib/mailman/bin/mm-handler.*	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
--- a/policy/modules/services/mailman.if
+++ b/policy/modules/services/mailman.if
@ -319,6 +319,7 @@ interface(`mailman_read_archive',`
 	files_search_var_lib($1)
 	allow $1 mailman_archive_t:dir list_dir_perms;
 	read_files_pattern($1, mailman_archive_t, mailman_archive_t)
+	allow $1 mailman_archive_t:file map;
 	read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t)
 ')

--- a/policy/modules/services/mailman.te
+++ b/policy/modules/services/mailman.te
@ -182,6 +182,7 @@ corecmd_exec_bin(mailman_mail_t)
 files_search_locks(mailman_mail_t)

 fs_rw_anon_inodefs_files(mailman_mail_t)
+fs_search_tmpfs(mailman_mail_t)

 # this is far from ideal, but systemd reduces the importance of initrc_t
 init_signal_script(mailman_mail_t)
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@ -251,6 +251,7 @@ interface(`mta_manage_mail_home_rw_content',`
 	userdom_search_user_home_dirs($1)
 	manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
 	manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+	allow $1 mail_home_rw_t:file map;
 	manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
 ')

@ -867,6 +868,7 @@ interface(`mta_read_spool_files',`

 	files_search_spool($1)
 	read_files_pattern($1, mail_spool_t, mail_spool_t)
+	allow $1 mail_spool_t:file map;
 ')

 ########################################
@ -949,6 +951,7 @@ interface(`mta_manage_spool',`
 	files_search_spool($1)
 	manage_dirs_pattern($1, mail_spool_t, mail_spool_t)
 	manage_files_pattern($1, mail_spool_t, mail_spool_t)
+	allow $1 mail_spool_t:file map;
 	manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
 ')

--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@ -336,6 +336,7 @@ optional_policy(`
 ')

 optional_policy(`
+	mysql_read_config(postfix_master_t)
 	mysql_stream_connect(postfix_master_t)
 ')

@ -426,6 +427,10 @@ optional_policy(`
 	mailman_read_data_files(postfix_cleanup_t)
 ')

+optional_policy(`
+	mysql_read_config(postfix_cleanup_t)
+')
+
 optional_policy(`
 	dbus_send_system_bus(postfix_cleanup_t)
 	dbus_system_bus_client(postfix_cleanup_t)
@ -648,6 +653,7 @@ mta_rw_user_mail_stream_sockets(postfix_postdrop_t)

 optional_policy(`
 	apache_dontaudit_rw_fifo_file(postfix_postdrop_t)
+	apache_use_fds(postfix_postdrop_t)
 ')

 optional_policy(`
@ -825,6 +831,10 @@ optional_policy(`
 	milter_stream_connect_all(postfix_smtpd_t)
 ')

+optional_policy(`
+	mysql_read_config(postfix_smtpd_t)
+')
+
 optional_policy(`
 	postgrey_stream_connect(postfix_smtpd_t)
 ')
--- a/policy/modules/services/spamassassin.if
+++ b/policy/modules/services/spamassassin.if
@ -433,3 +433,41 @@ interface(`spamassassin_admin',`
 	# sa-update
 	spamassassin_run_update($1, $2)
 ')
+
+########################################
+## <summary>
+##	reload SA service
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`spamassassin_service_reload',`
+	gen_require(`
+		type spamassassin_unit_t;
+	')
+
+	allow $1 spamassassin_unit_t:service reload;
+')
+
+########################################
+## <summary>
+##	Get SA service status
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`spamassassin_service_status',`
+	gen_require(`
+		type spamassassin_unit_t;
+	')
+
+	allow $1 spamassassin_unit_t:service status;
+')
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@ -22,6 +22,7 @@ gen_tunable(spamassassin_can_network, false)
 gen_tunable(spamd_enable_home_dirs, false)

 type spamd_update_t;
+typealias spamd_update_t alias { spamd_gpg_t };
 type spamd_update_exec_t;
 init_system_domain(spamd_update_t, spamd_update_exec_t)

@ -62,9 +63,6 @@ files_type(spamd_compiled_t)
 type spamd_etc_t;
 files_config_file(spamd_etc_t)

-type spamd_gpg_t;
-domain_type(spamd_gpg_t)
-
 type spamd_home_t;
 userdom_user_home_content(spamd_home_t)

@ -199,11 +197,13 @@ corenet_all_recvfrom_unlabeled(spamc_t)
 corenet_all_recvfrom_netlabel(spamc_t)
 corenet_tcp_sendrecv_generic_if(spamc_t)
 corenet_tcp_sendrecv_generic_node(spamc_t)
+corenet_udp_bind_generic_node(spamc_t)

 corenet_sendrecv_all_client_packets(spamc_t)
 corenet_tcp_connect_all_ports(spamc_t)

 corecmd_exec_bin(spamc_t)
+corecmd_exec_shell(spamc_t)

 dev_read_rand(spamc_t)
 dev_read_urand(spamc_t)
@ -256,6 +256,8 @@ optional_policy(`

 optional_policy(`
 	mta_send_mail(spamc_t)
+	mta_getattr_spool(spamc_t)
+	mta_read_spool_files(spamc_t)
 	mta_read_config(spamc_t)
 	mta_read_queue(spamc_t)
 	sendmail_rw_pipes(spamc_t)
@ -351,6 +353,7 @@ corenet_udp_bind_imaze_port(spamd_t)

 corenet_dontaudit_udp_bind_all_ports(spamd_t)

+corecmd_exec_shell(spamd_t)
 corecmd_exec_bin(spamd_t)

 dev_read_sysfs(spamd_t)
@ -358,6 +361,7 @@ dev_read_urand(spamd_t)

 domain_use_interactive_fds(spamd_t)

+files_map_etc_files(spamd_t)
 files_read_usr_files(spamd_t)
 files_read_etc_runtime_files(spamd_t)

@ -372,6 +376,7 @@ libs_use_shared_libs(spamd_t)

 logging_send_syslog_msg(spamd_t)

+miscfiles_read_generic_certs(spamd_t)
 miscfiles_read_localization(spamd_t)

 sysnet_use_ldap(spamd_t)
@ -487,6 +492,8 @@ manage_dirs_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
 manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
 manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)

+kernel_read_crypto_sysctls(spamd_update_t)
+kernel_search_fs_sysctls(spamd_update_t)
 kernel_read_system_state(spamd_update_t)

 corecmd_exec_bin(spamd_update_t)
@ -512,6 +519,7 @@ fs_getattr_xattr_fs(spamd_update_t)
 auth_use_nsswitch(spamd_update_t)
 auth_dontaudit_read_shadow(spamd_update_t)

+miscfiles_read_generic_certs(spamd_update_t)
 miscfiles_read_localization(spamd_update_t)

 userdom_use_inherited_user_terminals(spamd_update_t)
@ -523,35 +531,5 @@ optional_policy(`
 ')

 optional_policy(`
-	gpg_spec_domtrans(spamd_update_t, spamd_gpg_t)
-	gpg_entry_type(spamd_gpg_t)
-	role system_r types spamd_gpg_t;
-
-	allow spamd_gpg_t self:capability { dac_override dac_read_search };
-	allow spamd_gpg_t self:unix_stream_socket { connect create };
-
-	allow spamd_gpg_t spamd_update_t:fd use;
-	allow spamd_gpg_t spamd_update_t:process sigchld;
-	allow spamd_gpg_t spamd_update_t:fifo_file { getattr write };
-	allow spamd_gpg_t spamd_var_lib_t:dir rw_dir_perms;
-	allow spamd_gpg_t spamd_var_lib_t:file manage_file_perms;
-	allow spamd_gpg_t spamd_update_tmp_t:file read_file_perms;
-
-	# fips
-	kernel_read_crypto_sysctls(spamd_gpg_t)
-
-	domain_use_interactive_fds(spamd_gpg_t)
-
-	files_read_etc_files(spamd_gpg_t)
-	files_read_usr_files(spamd_gpg_t)
-	files_search_var_lib(spamd_gpg_t)
-	files_search_pids(spamd_gpg_t)
-	files_search_tmp(spamd_gpg_t)
-
-	init_use_fds(spamd_gpg_t)
-	init_rw_inherited_stream_socket(spamd_gpg_t)
-
-	miscfiles_read_localization(spamd_gpg_t)
-
-	userdom_use_inherited_user_terminals(spamd_gpg_t)
+	gpg_exec(spamd_update_t)
 ')