11d17b2e57
two spamassassin rules updating SELinux domains introduced in the previous change in order to reduce the non-swappable kernel memory used by the policy. This reduces complexity, but unfortunately it probably also reduces an existing safety margin by breaking the isolation between network-facing binaries and binaries such as GPG that potentially deal with secret information (at the moment there is no "neverallow" rule protecting the gpg_secret_t file access). Signed-off-by: Guido Trentalancia <guido@trentalancia.com> --- policy/modules/services/spamassassin.if | 3 - policy/modules/services/spamassassin.te | 56 ++++++-------------------------- 2 files changed, 12 insertions(+), 47 deletions(-)
494 lines
10 KiB
Plaintext
494 lines
10 KiB
Plaintext
## <summary>Filter used for removing unsolicited email.</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
## Role access for spamassassin.
|
|
## </summary>
|
|
## <param name="role_prefix">
|
|
## <summary>
|
|
## The prefix of the user role (e.g., user
|
|
## is the prefix for user_r).
|
|
## </summary>
|
|
## </param>
|
|
## <param name="user_domain">
|
|
## <summary>
|
|
## User domain for the role.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="user_exec_domain">
|
|
## <summary>
|
|
## User exec domain for execute and transition access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## Role allowed access
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
template(`spamassassin_role',`
|
|
gen_require(`
|
|
type spamc_t, spamc_exec_t, spamc_tmp_t;
|
|
type spamassassin_t, spamassassin_exec_t, spamd_home_t;
|
|
type spamd_update_t, spamd_update_exec_t;
|
|
type spamassassin_home_t, spamassassin_tmp_t;
|
|
')
|
|
|
|
role $4 types { spamc_t spamassassin_t spamd_update_t };
|
|
|
|
domtrans_pattern($3, spamassassin_exec_t, spamassassin_t)
|
|
domtrans_pattern($3, spamc_exec_t, spamc_t)
|
|
domtrans_pattern($3, spamd_update_exec_t, spamd_update_t)
|
|
|
|
admin_process_pattern($3, { spamc_t spamassassin_t spamd_update_t })
|
|
|
|
allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
|
|
allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:file { manage_file_perms relabel_file_perms };
|
|
allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
|
|
userdom_user_home_dir_filetrans($2, spamassassin_home_t, dir, ".spamassassin")
|
|
userdom_user_home_dir_filetrans($2, spamd_home_t, dir, ".spamd")
|
|
|
|
optional_policy(`
|
|
systemd_user_app_status($1, spamassassin_t)
|
|
systemd_user_app_status($1, spamc_t)
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute sa-update in the spamd-update domain,
|
|
## and allow the specified role
|
|
## the spamd-update domain. Also allow transitive
|
|
## access to the private gpg domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## Role allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`spamassassin_run_update',`
|
|
gen_require(`
|
|
type spamd_update_t, spamd_update_exec_t, spamd_update_t;
|
|
')
|
|
|
|
role $2 types { spamd_update_t spamd_update_t };
|
|
domtrans_pattern($1, spamd_update_exec_t, spamd_update_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute the standalone spamassassin
|
|
## program in the caller directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`spamassassin_exec',`
|
|
gen_require(`
|
|
type spamassassin_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
can_exec($1, spamassassin_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send generic signals to spamd.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`spamassassin_signal_spamd',`
|
|
gen_require(`
|
|
type spamd_t;
|
|
')
|
|
|
|
allow $1 spamd_t:process signal;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## reload SA service
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`spamassassin_reload',`
|
|
gen_require(`
|
|
type spamassassin_unit_t;
|
|
class service reload;
|
|
')
|
|
|
|
allow $1 spamassassin_unit_t:service reload;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Get SA service status
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`spamassassin_status',`
|
|
gen_require(`
|
|
type spamassassin_unit_t;
|
|
class service status;
|
|
')
|
|
|
|
allow $1 spamassassin_unit_t:service status;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute spamd in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`spamassassin_exec_spamd',`
|
|
gen_require(`
|
|
type spamd_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
can_exec($1, spamd_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute spamc in the spamc domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`spamassassin_domtrans_client',`
|
|
gen_require(`
|
|
type spamc_t, spamc_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
domtrans_pattern($1, spamc_exec_t, spamc_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute spamc in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`spamassassin_exec_client',`
|
|
gen_require(`
|
|
type spamc_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
can_exec($1, spamc_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send kill signals to spamc.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`spamassassin_kill_client',`
|
|
gen_require(`
|
|
type spamc_t;
|
|
')
|
|
|
|
allow $1 spamc_t:process sigkill;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute spamassassin standalone client
|
|
## in the user spamassassin domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`spamassassin_domtrans_local_client',`
|
|
gen_require(`
|
|
type spamassassin_t, spamassassin_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
domtrans_pattern($1, spamassassin_exec_t, spamassassin_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete
|
|
## spamd home content.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`spamassassin_manage_spamd_home_content',`
|
|
gen_require(`
|
|
type spamd_home_t;
|
|
')
|
|
|
|
userdom_search_user_home_dirs($1)
|
|
allow $1 spamd_home_t:dir manage_dir_perms;
|
|
allow $1 spamd_home_t:file manage_file_perms;
|
|
allow $1 spamd_home_t:lnk_file manage_lnk_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Relabel spamd home content.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`spamassassin_relabel_spamd_home_content',`
|
|
gen_require(`
|
|
type spamd_home_t;
|
|
')
|
|
|
|
userdom_search_user_home_dirs($1)
|
|
allow $1 spamd_home_t:dir relabel_dir_perms;
|
|
allow $1 spamd_home_t:file relabel_file_perms;
|
|
allow $1 spamd_home_t:lnk_file relabel_lnk_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create objects in user home
|
|
## directories with the spamd home type.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="object_class">
|
|
## <summary>
|
|
## Class of the object being created.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="name" optional="true">
|
|
## <summary>
|
|
## The name of the object being created.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`spamassassin_home_filetrans_spamd_home',`
|
|
gen_require(`
|
|
type spamd_home_t;
|
|
')
|
|
|
|
userdom_user_home_dir_filetrans($1, spamd_home_t, $2, $3)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read spamd lib files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`spamassassin_read_lib_files',`
|
|
gen_require(`
|
|
type spamd_var_lib_t;
|
|
')
|
|
|
|
files_search_var_lib($1)
|
|
read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete
|
|
## spamd lib files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`spamassassin_manage_lib_files',`
|
|
gen_require(`
|
|
type spamd_var_lib_t;
|
|
')
|
|
|
|
files_search_var_lib($1)
|
|
manage_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read spamd runtime files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`spamassassin_read_spamd_runtime_files',`
|
|
gen_require(`
|
|
type spamd_runtime_t;
|
|
')
|
|
|
|
files_search_runtime($1)
|
|
read_files_pattern($1, spamd_runtime_t, spamd_runtime_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read temporary spamd files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`spamassassin_read_spamd_tmp_files',`
|
|
gen_require(`
|
|
type spamd_tmp_t;
|
|
')
|
|
|
|
allow $1 spamd_tmp_t:file read_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to get
|
|
## attributes of temporary spamd sockets.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
|
|
gen_require(`
|
|
type spamd_tmp_t;
|
|
')
|
|
|
|
dontaudit $1 spamd_tmp_t:sock_file getattr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Connect to spamd with a unix
|
|
## domain stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`spamassassin_stream_connect_spamd',`
|
|
gen_require(`
|
|
type spamd_t, spamd_runtime_t;
|
|
')
|
|
|
|
files_search_runtime($1)
|
|
stream_connect_pattern($1, spamd_runtime_t, spamd_runtime_t, spamd_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## All of the rules required to
|
|
## administrate an spamassassin environment.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## Role allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`spamassassin_admin',`
|
|
gen_require(`
|
|
type spamd_t, spamd_tmp_t, spamd_log_t;
|
|
type spamd_spool_t, spamd_var_lib_t, spamd_runtime_t;
|
|
type spamd_initrc_exec_t, spamassassin_unit_t;
|
|
type spamd_update_t;
|
|
')
|
|
|
|
admin_process_pattern($1, { spamd_t spamd_update_t spamd_update_t })
|
|
|
|
init_startstop_service($1, $2, spamd_t, spamd_initrc_exec_t, spamassassin_unit_t)
|
|
|
|
files_list_tmp($1)
|
|
admin_pattern($1, spamd_tmp_t)
|
|
|
|
logging_list_logs($1)
|
|
admin_pattern($1, spamd_log_t)
|
|
|
|
files_list_spool($1)
|
|
admin_pattern($1, spamd_spool_t)
|
|
|
|
files_list_var_lib($1)
|
|
admin_pattern($1, spamd_var_lib_t)
|
|
|
|
files_list_runtime($1)
|
|
admin_pattern($1, spamd_runtime_t)
|
|
|
|
# This makes it impossible to apply _admin if _role has already been applied
|
|
#spamassassin_role($2, $1)
|
|
|
|
# sa-update
|
|
spamassassin_run_update($1, $2)
|
|
')
|