#
# DCC - Distributed Checksum Clearinghouse
# Author:  David Hampton <hampton@employees.org>
#
#
# NOTE: DCC has writeable files in /etc/dcc that should probably be in
# /var/lib/dcc.  For now this policy supports both directories being
# writable.
# Files common to all dcc programs
#
# dcc_client_map_t: the client "map" file; the one file every dcc domain
#                   declared below may read and write (see dcc_common).
# dcc_var_t:        the shared dcc data directory; read-only for most
#                   domains, create/write for dccd_t, dccifd_t, dccm_t and
#                   dcc_dbclean_t.
# dcc_var_run_t:    the runtime directory; writable by initrc_t, and the
#                   directory the daemons create their own files in.
type dcc_client_map_t, file_type, sysadmfile;
type dcc_var_t, file_type, sysadmfile;
type dcc_var_run_t, file_type, sysadmfile;
##########
##########
#
# common to all dcc variants
#
# dcc_common(prefix [, server])
#   $1 - domain prefix; every rule below is written for $1_t.
#   $2 - pass the word server to get unrestricted UDP networking
#        (presumably any port); any other value, or none, confines UDP
#        to dcc_port_t.  Only dccd uses the server form.
#
define(`dcc_common',`
# Access files in /var/dcc. The map file can be updated
r_dir_file($1_t, dcc_var_t)
allow $1_t dcc_client_map_t:file rw_file_perms;

# Read mtab, nsswitch and locale
allow $1_t { etc_t etc_runtime_t }:file { getattr read };
read_locale($1_t)

# Networking.  The server variant is the only one allowed UDP beyond
# dcc_port_t, so keep the second argument off every client domain.
can_resolve($1_t)
ifelse($2, `server', `
can_network_udp($1_t)
', `
can_network_udp($1_t, `dcc_port_t')
')
allow $1_t self:unix_dgram_socket create_socket_perms;

# Create private temp files
tmp_domain($1)

# Triggered by a call to gethostid(2) in dcc client libs
allow $1_t self:unix_stream_socket { connect create };

# Notify the admin su helper on exit when a dcc program was started
# from it by hand (presumably; confirm against a real trace).
allow $1_t sysadm_su_t:process { sigchld };
# The programs are normally launched by the dcc_script_t wrapper and
# inherit its open descriptors.
allow $1_t dcc_script_t:fd use;

# Quiet expected denials: descriptors leaked from the kernel and
# probes of files directly in the root directory.
dontaudit $1_t kernel_t:fd use;
dontaudit $1_t root_t:file read;
')
# The init framework manages the runtime directory itself; the daemons
# only create their own files inside it (see the file_type_auto_trans
# rules in the dccifd and dccm sections below).
allow initrc_t dcc_var_run_t:dir rw_dir_perms;
##########
##########
#
# dccd - Server daemon that can be accessed over the net
#
# Review notes: dccd_t is the only dcc domain given the server form of
# dcc_common (unrestricted UDP) and CAP_NET_ADMIN.
#
daemon_domain(dccd, `, privlog, nscd_client_domain')
dcc_common(dccd, server);

# Runs the dbclean program
allow dccd_t bin_t:dir search;
domain_auto_trans(dccd_t, dcc_dbclean_exec_t, dcc_dbclean_t)

# The daemon needs to listen on the dcc ports
allow dccd_t dcc_port_t:udp_socket name_bind;

# Updating dcc_db, flod, ...
create_dir_file(dccd_t, dcc_var_t);

# net_admin is a broad capability.  Together with the route netlink
# socket below it is presumably used to enumerate local interfaces and
# addresses.
# NOTE(review): confirm net_admin is actually required; the netlink
# read permissions alone may be enough for interface enumeration.
allow dccd_t self:capability net_admin;
allow dccd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };

# Reading /proc/meminfo
allow dccd_t proc_t:file { getattr read };
#
# cdcc - control dcc daemon
#
# Interactive control utility; a setuid binary run from the command
# line.  Only system_r is authorised for cdcc_t in this file.
#
application_domain(cdcc, `, nscd_client_domain')
role system_r types cdcc_t;
dcc_common(cdcc)

# suid program
allow cdcc_t self:capability setuid;

# Running from the command line: inherit the descriptors of the ssh
# session and read/write the admin pty.
allow cdcc_t sshd_t:fd use;
allow cdcc_t sysadm_devpts_t:chr_file rw_file_perms;
##########
##########
#
# DCC Clients
#

#
# dccifd  - Spamassassin and general MTA persistent client
#
daemon_domain(dccifd, `, privlog, nscd_client_domain')
dcc_common(dccifd);
# Files created in the runtime directory (presumably the pid file) get
# the private dccifd_var_run_t label.  That type is not declared in
# this file; presumably daemon_domain() provides it -- confirm.
file_type_auto_trans(dccifd_t, dcc_var_run_t, dccifd_var_run_t, file)

# Allow the domain to communicate with other processes
allow dccifd_t self:unix_stream_socket create_stream_socket_perms;

# Updating dcc_db, flod, ...
create_dir_notdevfile(dccifd_t, dcc_var_t);

# Updating map, ...
# (redundant: dcc_common already grants rw_file_perms on dcc_client_map_t)
allow dccifd_t dcc_client_map_t:file rw_file_perms;

# dccifd communications socket, created in the data directory
# (dcc_var_t).  External checkers reach it through access_dcc() below.
# Note that dccm places its socket in dcc_var_run_t instead.
type dccifd_sock_t, file_type, sysadmfile;
file_type_auto_trans(dccifd_t, dcc_var_t, dccifd_sock_t, sock_file)

# Reading /proc/meminfo
allow dccifd_t proc_t:file { getattr read };
#
# dccm  - sendmail milter client
#
daemon_domain(dccm, `, privlog, nscd_client_domain')
dcc_common(dccm);
# Files created in the runtime directory (presumably the pid file) get
# the private dccm_var_run_t label.
file_type_auto_trans(dccm_t, dcc_var_run_t, dccm_var_run_t, file)

# Allow the domain to communicate with other processes
allow dccm_t self:unix_stream_socket create_stream_socket_perms;

# Updating map, ...
create_dir_notdevfile(dccm_t, dcc_var_t);
# (redundant: dcc_common already grants rw_file_perms on dcc_client_map_t)
allow dccm_t dcc_client_map_t:file rw_file_perms;

# dccm communications socket, created in the runtime directory.
# NOTE(review): dccifd keeps its socket in dcc_var_t, and nothing in
# this file lets another domain connect to dccm_sock_t (access_dcc only
# covers dccifd).  Confirm both differences are intended.
type dccm_sock_t, file_type, sysadmfile;
file_type_auto_trans(dccm_t, dcc_var_run_t, dccm_sock_t, sock_file)
#
# dccproc - dcc procmail interface
#
# The domain is named dcc_client_t rather than dccproc_t.  access_dcc()
# below transitions external spam checkers into it via dcc_client_exec_t,
# so anything granted here is also reachable from those domains.
#
application_domain(dcc_client, `, privlog, nscd_client_domain')
role system_r types dcc_client_t;
dcc_common(dcc_client)

# suid program
allow dcc_client_t self:capability setuid;

# Running from the command line: inherit the descriptors of the ssh
# session and read/write the admin pty.
allow dcc_client_t sshd_t:fd use;
allow dcc_client_t sysadm_devpts_t:chr_file rw_file_perms;
##########
##########
#
# DCC Utilities
#

#
# dbclean - database cleanup tool
#
# Entered from dccd_t through domain_auto_trans (see the dccd section)
# or run by hand from the command line.
#
application_domain(dcc_dbclean, `, nscd_client_domain')
role system_r types dcc_dbclean_t;
dcc_common(dcc_dbclean)

# Updating various files.  Full create/write access to the data
# directory, the same grant dccd_t has.
create_dir_file(dcc_dbclean_t, dcc_var_t);

# wants to look at /proc/meminfo
allow dcc_dbclean_t proc_t:dir search;
allow dcc_dbclean_t proc_t:file { getattr read };

# Running from the command line: inherit the descriptors of the ssh
# session and read/write the admin pty.
allow dcc_dbclean_t sshd_t:fd use;
allow dcc_dbclean_t sysadm_devpts_t:chr_file rw_file_perms;
##########
##########
#
# DCC Startup scripts
#
# These are shell scripts that start/stop/restart the various dcc
# programs.
#
# Review notes: this is the most privileged dcc domain.  It may execute
# any executable type (can_exec_any), runs su to become the dcc user,
# and is entered from staff_t as well as from initrc_t.
#
init_service_domain(dcc_script, `, nscd_client_domain')
general_domain_access(dcc_script_t)
general_proc_read_access(dcc_script_t)
can_exec_any(dcc_script_t)
dcc_common(dcc_script)

# Allow calling the script from an init script (initrc_t) or from
# rc.local (staff_t)
domain_auto_trans({ initrc_t staff_t }, dcc_script_exec_t, dcc_script_t)

# Start up the daemon process.  These scripts run 'su' to change to
# the dcc user (even though the default dcc user is root).
allow dcc_script_t self:capability setuid;
su_restricted_domain(dcc_script, system)
role system_r types dcc_script_su_t;
# The daemons are entered from the su domain, not from dcc_script_t.
domain_auto_trans(dcc_script_su_t, dccd_exec_t, dccd_t)
domain_auto_trans(dcc_script_su_t, dccm_exec_t, dccm_t)
domain_auto_trans(dcc_script_su_t, dccifd_exec_t, dccifd_t)

# Stop the daemon process
# NOTE(review): dccd_t is started above but is missing from this list,
# so stopping or restarting dccd from the script would be denied unless
# it is granted elsewhere -- confirm.
allow dcc_script_t { dccifd_t dccm_t }:process { sigkill signal };

# Access various DCC files
allow dcc_script_t { var_t var_run_t dcc_var_run_t}:dir { getattr search };
# Read the files dccifd/dccm write into the runtime directory (see the
# file_type_auto_trans rules in their sections).
allow dcc_script_t { dccifd_var_run_t dccm_var_run_t }:file { getattr read };

# Descriptors and terminal inherited from the init framework
allow { dcc_script_t dcc_script_su_t } initrc_t:fd use;
allow { dcc_script_t dcc_script_su_t } devpts_t:dir search;
allow { dcc_script_t dcc_script_su_t } initrc_devpts_t:chr_file rw_file_perms;
allow dcc_script_t devtty_t:chr_file { read write };
allow dcc_script_su_t sysadm_home_dir_t:dir search;
# NOTE(review): the transition permission here lets dcc_script_su_t
# enter sysadm_t (the other three are the inheritance permissions that
# accompany a domain change).  Presumably needed because the default
# dcc user is root, as noted above; confirm it is still required, since
# it gives the init-script path a route into the administrator domain.
allow dcc_script_su_t sysadm_t:process { noatsecure rlimitinh siginh transition };
# su relabels the controlling terminal
allow dcc_script_su_t initrc_devpts_t:chr_file { relabelfrom relabelto };

# Quiet expected denials
dontaudit dcc_script_su_t kernel_t:fd use;
dontaudit dcc_script_su_t root_t:file read;
dontaudit dcc_script_t { home_root_t user_home_dir_t}:dir { getattr search };

# sysadm_t may use descriptors created by the script
allow sysadm_t dcc_script_t:fd use;
##########
##########
#
# External spam checkers need to run and/or talk to DCC
#
# access_dcc(prefix)
#   $1 - domain prefix of the spam checker.  $1_t may run dccproc
#        (entering dcc_client_t) and connect to the dccifd socket.
#   All rules have $1_t as the source; nothing here grants the dcc
#   domains access back into $1_t.
#
define(`access_dcc',`
domain_auto_trans($1_t, dcc_client_exec_t, dcc_client_t);
# Path lookup through the data directory, then write the socket file
# and connect to the listening dccifd_t process.
allow $1_t dcc_var_t:dir search;
allow $1_t dccifd_sock_t:sock_file { getattr write };
allow $1_t dccifd_t:unix_stream_socket connectto;
# NOTE(review): connecting to a socket owned by the start/stop script
# domain is unusual; the dccifd listening socket is already covered by
# the rule above.  Confirm this is still needed.
allow $1_t dcc_script_t:unix_stream_socket connectto;
')
# Grant the spam-checker domains access only when their policy module
# is part of the build (the ifdef tests for the module .te file).
ifdef(`amavis.te',`access_dcc(amavisd)')
ifdef(`spamd.te',`access_dcc(spamd)')