diff --git a/refpolicy/Changelog b/refpolicy/Changelog index 3b73d58..732188f 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -12,6 +12,7 @@ networkmanager pegasus radius + spamassassin xdm * Wed Oct 19 2005 Chris PeBenito - 20051019 diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables index 3af5cad..933d75c 100644 --- a/refpolicy/policy/global_tunables +++ b/refpolicy/policy/global_tunables @@ -101,6 +101,9 @@ gen_tunable(read_untrusted_content,false) ## Allow ssh to run from inetd instead of as a daemon. gen_tunable(run_ssh_inetd,false) +## Allow user spamassassin clients to use the network. +gen_tunable(spamassassin_can_network,false) + ## Allow squid to connect to all ports, not just ## HTTP, FTP, and Gopher ports. gen_tunable(squid_connect_any,false) diff --git a/refpolicy/policy/modules/services/mta.fc b/refpolicy/policy/modules/services/mta.fc index 494c989..72c5818 100644 --- a/refpolicy/policy/modules/services/mta.fc +++ b/refpolicy/policy/modules/services/mta.fc @@ -1,12 +1,11 @@ /etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) /etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) +/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0) -ifdef(`sendmail.te',`',` /usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/sbin/sendmail(.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) -') /var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if index fffbc96..c452cf0 100644 --- a/refpolicy/policy/modules/services/mta.if +++ b/refpolicy/policy/modules/services/mta.if @@ -331,6 +331,24 @@ interface(`mta_exec',` ######################################## ## +## Read mail server configuration. +## +## +## The type of the process performing this action. +## +# +interface(`mta_read_config',` + gen_require(` + type etc_mail_t; + ') + + files_search_etc($1) + allow spamd_t etc_mail_t:dir list_dir_perms; + allow spamd_t etc_mail_t:file r_file_perms; +') + +######################################## +## ## Read mail address aliases. ## ## diff --git a/refpolicy/policy/modules/services/sendmail.fc b/refpolicy/policy/modules/services/sendmail.fc index be5c537..a86ec50 100644 --- a/refpolicy/policy/modules/services/sendmail.fc +++ b/refpolicy/policy/modules/services/sendmail.fc @@ -1,5 +1,3 @@ -# sendmail file contexts -/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0) /var/log/sendmail\.st -- gen_context(system_u:object_r:sendmail_log_t,s0) /var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0) diff --git a/refpolicy/policy/modules/services/spamassassin.fc b/refpolicy/policy/modules/services/spamassassin.fc new file mode 100644 index 0000000..cea35a5 --- /dev/null +++ b/refpolicy/policy/modules/services/spamassassin.fc @@ -0,0 +1,11 @@ + +/usr/bin/sa-learn -- gen_context(system_u:object_r:spamd_exec_t,s0) +/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0) +/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) + +/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) +/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0) + +ifdef(`targeted_policy',`',` +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0) +') diff --git a/refpolicy/policy/modules/services/spamassassin.if b/refpolicy/policy/modules/services/spamassassin.if new file mode 100644 index 0000000..ee9932a --- /dev/null +++ b/refpolicy/policy/modules/services/spamassassin.if @@ -0,0 +1,3 @@ +## Filter used for removing unsolicited email. + +# cjp: TODO: integrate old spamassassin_macros.te diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te new file mode 100644 index 0000000..dd8b86d --- /dev/null +++ b/refpolicy/policy/modules/services/spamassassin.te @@ -0,0 +1,158 @@ + +policy_module(spamassassin,0.9) + +######################################## +# +# Declarations +# + +# spamassassin client executable +type spamc_exec_t; +files_type(spamc_exec_t) + +type spamd_t; +type spamd_exec_t; +init_daemon_domain(spamd_t,spamd_exec_t) + +type spamd_tmp_t; +files_tmp_file(spamd_tmp_t) + +type spamd_var_run_t; +files_pid_file(spamd_var_run_t) + +type spamassassin_exec_t; +files_type(spamassassin_exec_t) + +######################################## +# +# Spamassassin daemon local policy +# + +# Spamassassin, when run as root and using per-user config files, +# setuids to the user running spamc. Comment this if you are not +# using this ability. + +allow spamd_t self:capability { setuid setgid dac_override sys_tty_config }; +dontaudit spamd_t self:capability sys_tty_config; +allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow spamd_t self:fd use; +allow spamd_t self:fifo_file rw_file_perms; +allow spamd_t self:shm create_shm_perms; +allow spamd_t self:sem create_sem_perms; +allow spamd_t self:msgq create_msgq_perms; +allow spamd_t self:msg { send receive }; +allow spamd_t self:unix_dgram_socket create_socket_perms; +allow spamd_t self:unix_stream_socket create_stream_socket_perms; +allow spamd_t self:unix_dgram_socket sendto; +allow spamd_t self:unix_stream_socket connectto; +allow spamd_t self:tcp_socket create_stream_socket_perms; +allow spamd_t self:udp_socket create_socket_perms; + +allow spamd_t spamd_tmp_t:dir create_dir_perms; +allow spamd_t spamd_tmp_t:file create_file_perms; +files_create_tmp_files(spamd_t, spamd_tmp_t, { file dir }) + +allow spamd_t spamd_var_run_t:file create_file_perms; +allow spamd_t spamd_var_run_t:dir rw_dir_perms; +files_create_pid(spamd_t,spamd_var_run_t) + +kernel_read_all_sysctl(spamd_t) +kernel_read_system_state(spamd_t) + +corenet_tcp_sendrecv_all_if(spamd_t) +corenet_udp_sendrecv_all_if(spamd_t) +corenet_raw_sendrecv_all_if(spamd_t) +corenet_tcp_sendrecv_all_nodes(spamd_t) +corenet_udp_sendrecv_all_nodes(spamd_t) +corenet_raw_sendrecv_all_nodes(spamd_t) +corenet_tcp_bind_all_nodes(spamd_t) +corenet_udp_bind_all_nodes(spamd_t) +corenet_tcp_sendrecv_all_ports(spamd_t) +corenet_tcp_bind_spamd_port(spamd_t) + +dev_read_sysfs(spamd_t) +dev_read_urand(spamd_t) + +fs_getattr_all_fs(spamd_t) +fs_search_auto_mountpoints(spamd_t) + +term_dontaudit_use_console(spamd_t) + +auth_dontaudit_read_shadow(spamd_t) + +corecmd_exec_bin(spamd_t) +corecmd_search_sbin(spamd_t) + +domain_use_wide_inherit_fd(spamd_t) + +files_read_usr_files(spamd_t) +files_read_etc_files(spamd_t) +files_read_etc_runtime_files(spamd_t) + +init_use_fd(spamd_t) +init_use_script_pty(spamd_t) +init_dontaudit_rw_script_pid(spamd_t) + +libs_use_ld_so(spamd_t) +libs_use_shared_libs(spamd_t) +# Various Perl bits +libs_use_lib(spamd_t) + +logging_send_syslog_msg(spamd_t) + +miscfiles_read_localization(spamd_t) + +sysnet_read_config(spamd_t) + +userdom_use_unpriv_users_fd(spamd_t) +userdom_search_unpriv_user_home_dirs(spamd_t) +userdom_dontaudit_search_sysadm_home_dir(spamd_t) + +ifdef(`targeted_policy',` + term_dontaudit_use_unallocated_tty(spamd_t) + term_dontaudit_use_generic_pty(spamd_t) + files_dontaudit_read_root_file(spamd_t) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_files(spamd_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_files(spamd_t) +') + +optional_policy(`cron.te',` + cron_system_entry(spamd_t,spamd_exec_t) +') + +optional_policy(`nis.te',` + nis_use_ypbind(spamd_t) +') + +optional_policy(`selinuxutil.te',` + seutil_sigchld_newrole(spamd_t) +') + +optional_policy(`sendmail.te',` + sendmail_stub(spamd_t) + mta_read_config(spamd_t) +') + +optional_policy(`udev.te', ` + udev_read_db(spamd_t) +') + +ifdef(`TODO',` +optional_policy(`rhgb.te',` + rhgb_domain(spamd_t) +') + +optional_policy(`amavis.te', ` +# for bayes tokens +allow spamd_t var_lib_t:dir { getattr search }; +allow spamd_t amavisd_lib_t:dir rw_dir_perms; +allow spamd_t amavisd_lib_t:file create_file_perms; +allow spamd_t amavisd_lib_t:lnk_file create_lnk_perms; +') +') dnl end TODO diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if index a511e26..9b1da6a 100644 --- a/refpolicy/policy/modules/system/libraries.if +++ b/refpolicy/policy/modules/system/libraries.if @@ -197,6 +197,26 @@ interface(`libs_exec_lib_files',` ######################################## ## +## Load and execute functions from generic +## lib files as shared libraries. +## +## +## The type of the process performing this action. +## +# +interface(`libs_use_lib',` + gen_require(` + type lib_t; + ') + + files_list_usr($1) + allow $1 lib_t:dir r_dir_perms; + allow $1 lib_t:lnk_file r_file_perms; + allow $1 lib_t:file rx_file_perms; +') + +######################################## +## ## Relabel files to the type used in library directories. ## ## @@ -223,9 +243,6 @@ interface(`libs_relabelto_lib_files',` interface(`libs_use_shared_libs',` gen_require(` type lib_t, shlib_t, texrel_shlib_t; - class dir r_dir_perms; - class lnk_file r_file_perms; - class file { rx_file_perms execmod }; ') files_list_usr($1) diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index a8c077d..541f199 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -1799,7 +1799,7 @@ interface(`userdom_dontaudit_search_sysadm_home_dir',` type sysadm_home_dir_t; ') - dontaudit $1 sysadm_home_dir_t:dir { getattr search }; + dontaudit $1 sysadm_home_dir_t:dir search_dir_perms; ') ######################################## @@ -2223,7 +2223,8 @@ interface(`userdom_search_unpriv_user_home_dirs',` attribute user_home_dir_type; ') - allow $1 user_home_dir_type:dir search; + files_search_home($1) + allow $1 user_home_dir_type:dir search_dir_perms; ') ########################################