From 6820a398caf970787281a46c7e513bbfd52593f6 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Dec 01 2005 18:01:21 +0000 Subject: add final bits of spamassassin --- diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables index d63d86a..b1535b4 100644 --- a/refpolicy/policy/global_tunables +++ b/refpolicy/policy/global_tunables @@ -109,6 +109,9 @@ gen_tunable(run_ssh_inetd,false) ## Allow samba to export user home directories. gen_tunable(samba_enable_home_dirs,false) +## Allow spamassassin to do DNS lookups +gen_tunable(spamassasin_can_network,false) + ## Allow squid to connect to all ports, not just ## HTTP, FTP, and Gopher ports. gen_tunable(squid_connect_any,false) diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if index c82f621..50e1b42 100644 --- a/refpolicy/policy/modules/apps/gpg.if +++ b/refpolicy/policy/modules/apps/gpg.if @@ -53,8 +53,8 @@ template(`gpg_per_userdomain_template',` type $1_gpg_agent_tmp_t; files_tmp_file($1_gpg_agent_tmp_t) - type $1_gpg_secret_t; #, $1_file_type; - files_type($1_gpg_secret_t) + type $1_gpg_secret_t; + userdom_home_file($1,$1_gpg_secret_t) type $1_gpg_helper_t; domain_type($1_gpg_helper_t) diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if index 8c7f04e..ea81708 100644 --- a/refpolicy/policy/modules/services/apache.if +++ b/refpolicy/policy/modules/services/apache.if @@ -264,7 +264,7 @@ template(`apache_per_userdomain_template', ` apache_content_template($1) typeattribute httpd_$1_content_t httpd_script_domains; -# typeattribute httpd_$1_content_t $1_file_type; + userdom_home_file($1,httpd_$1_content_t) role $3 types httpd_$1_script_t; diff --git a/refpolicy/policy/modules/services/spamassassin.fc b/refpolicy/policy/modules/services/spamassassin.fc index cea35a5..37093c0 100644 --- a/refpolicy/policy/modules/services/spamassassin.fc +++ b/refpolicy/policy/modules/services/spamassassin.fc @@ -6,6 +6,6 @@ /usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) /usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0) -ifdef(`targeted_policy',`',` +ifdef(`strict_policy',` HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0) ') diff --git a/refpolicy/policy/modules/services/spamassassin.if b/refpolicy/policy/modules/services/spamassassin.if index 1b56c32..4106ec9 100644 --- a/refpolicy/policy/modules/services/spamassassin.if +++ b/refpolicy/policy/modules/services/spamassassin.if @@ -1,6 +1,328 @@ ## Filter used for removing unsolicited email. -# cjp: TODO: integrate old spamassassin_macros.te +####################################### +## +## The per user domain template for the spamassassin module. +## +## +##

+## The per user domain template for the spamassassin module. +##

+##

+## This template is invoked automatically for each user, and +## generally does not need to be invoked directly +## by policy writers. +##

+##
+## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## The type of the user domain. +## +## +## The role associated with the user domain. +## +# +# cjp: when tunables are available, spamc stuff should be +# toggled on activation of spamc, and similarly for spamd. +template(`spamassassin_per_userdomain_template',` + gen_require(` + type spamd_t; + type spamc_exec_t, spamassassin_exec_t; + ') + + type $1_spamc_t; + domain_type($1_spamc_t) + domain_entry_file($1_spamc_t,spamc_exec_t) + role $3 types $1_spamc_t; + + type $1_spamc_tmp_t; + files_tmp_file($1_spamc_tmp_t) + + type $1_spamassassin_t; + domain_type($1_spamassassin_t) + domain_entry_file($1_spamassassin_t,spamassassin_exec_t) + role $3 types $1_spamassassin_t; + + type $1_spamassassin_home_t alias $1_spamassassin_rw_t; + userdom_home_file($1,$1_spamassassin_home_t) + files_poly_member($1_spamassassin_home_t) + + type $1_spamassassin_tmp_t; + files_tmp_file($1_spamassassin_tmp_t) + + ############################## + # + # $1_spamc_t local policy + # + + allow $1_spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow $1_spamc_t self:fd use; + allow $1_spamc_t self:fifo_file rw_file_perms; + allow $1_spamc_t self:sock_file r_file_perms; + allow $1_spamc_t self:shm create_shm_perms; + allow $1_spamc_t self:sem create_sem_perms; + allow $1_spamc_t self:msgq create_msgq_perms; + allow $1_spamc_t self:msg { send receive }; + allow $1_spamc_t self:unix_dgram_socket create_socket_perms; + allow $1_spamc_t self:unix_stream_socket create_stream_socket_perms; + allow $1_spamc_t self:unix_dgram_socket sendto; + allow $1_spamc_t self:unix_stream_socket connectto; + allow $1_spamc_t self:tcp_socket create_stream_socket_perms; + allow $1_spamc_t self:udp_socket create_socket_perms; + + allow $1_spamc_t $1_spamc_tmp_t:dir create_dir_perms; + allow $1_spamc_t $1_spamc_tmp_t:file create_file_perms; + files_create_tmp_files($1_spamc_t, $1_spamc_tmp_t, { file dir }) + + # Allow connecting to a local spamd + allow $1_spamc_t spamd_t:tcp_socket { connectto recvfrom }; + allow spamd_t $1_spamc_t:tcp_socket { acceptfrom recvfrom }; + allow $1_spamc_t spamd_t:unix_stream_socket connectto; + allow $1_spamc_t spamd_tmp_t:sock_file rw_file_perms; + + domain_auto_trans($2, spamc_exec_t, $1_spamc_t) + allow $2 $1_spamc_t:fd use; + allow $1_spamc_t $2:fd use; + allow $1_spamc_t $2:fifo_file rw_file_perms; + allow $1_spamc_t $2:process sigchld; + + kernel_read_kernel_sysctl($1_spamc_t) + kernel_tcp_recvfrom($1_spamc_t) + + corenet_tcp_sendrecv_generic_if($1_spamc_t) + corenet_udp_sendrecv_generic_if($1_spamc_t) + corenet_raw_sendrecv_generic_if($1_spamc_t) + corenet_tcp_sendrecv_all_nodes($1_spamc_t) + corenet_udp_sendrecv_all_nodes($1_spamc_t) + corenet_raw_sendrecv_all_nodes($1_spamc_t) + corenet_tcp_sendrecv_all_ports($1_spamc_t) + corenet_udp_sendrecv_all_ports($1_spamc_t) + corenet_tcp_bind_all_nodes($1_spamc_t) + corenet_udp_bind_all_nodes($1_spamc_t) + corenet_tcp_connect_all_ports($1_spamc_t) + + fs_search_auto_mountpoints($1_spamc_t) + + # cjp: these should probably be removed: + corecmd_list_bin($1_spamc_t) + corecmd_read_bin_symlink($1_spamc_t) + corecmd_read_bin_file($1_spamc_t) + corecmd_read_bin_pipe($1_spamc_t) + corecmd_read_bin_socket($1_spamc_t) + corecmd_list_sbin($1_spamc_t) + corecmd_read_sbin_symlink($1_spamc_t) + corecmd_read_sbin_file($1_spamc_t) + corecmd_read_sbin_pipe($1_spamc_t) + corecmd_read_sbin_socket($1_spamc_t) + + domain_use_wide_inherit_fd($1_spamc_t) + + files_read_etc_files($1_spamc_t) + files_read_etc_runtime_files($1_spamc_t) + files_read_usr_files($1_spamc_t) + files_dontaudit_search_var($1_spamc_t) + # cjp: this may be removable: + files_list_home($1_spamc_t) + + libs_use_ld_so($1_spamc_t) + libs_use_shared_libs($1_spamc_t) + + logging_send_syslog_msg($1_spamc_t) + + miscfiles_read_localization($1_spamc_t) + + # cjp: this should probably be removed: + seutil_read_config($1_spamc_t) + + sysnet_read_config($1_spamc_t) + + userdom_use_unpriv_users_fd($1_spamc_t) + # cjp: this really should just be the + # terminal specific to the role + userdom_use_unpriv_user_pty($1_spamc_t) + + # cjp: this should probably be removed: + tunable_policy(`read_default_t',` + files_list_default($1_spamc_t) + files_read_default_files($1_spamc_t) + files_read_default_symlinks($1_spamc_t) + files_read_default_sockets($1_spamc_t) + files_read_default_pipes($1_spamc_t) + ') + + optional_policy(`mount',` + mount_send_nfs_client_request($1_spamc_t) + ') + + optional_policy(`nis',` + nis_use_ypbind($1_spamc_t) + ') + + optional_policy(`nscd',` + nscd_use_socket($1_spamc_t) + ') + + optional_policy(`sendmail',` + mta_read_config($1_spamc_t) + sendmail_stub($1_spamc_t) + ') + + ############################## + # + # $1_spamassassin_t local policy + # + + allow $1_spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow $1_spamassassin_t self:fd use; + allow $1_spamassassin_t self:fifo_file rw_file_perms; + allow $1_spamassassin_t self:sock_file r_file_perms; + allow $1_spamassassin_t self:unix_dgram_socket create_socket_perms; + allow $1_spamassassin_t self:unix_stream_socket create_stream_socket_perms; + allow $1_spamassassin_t self:unix_dgram_socket sendto; + allow $1_spamassassin_t self:unix_stream_socket connectto; + allow $1_spamassassin_t self:shm create_shm_perms; + allow $1_spamassassin_t self:sem create_sem_perms; + allow $1_spamassassin_t self:msgq create_msgq_perms; + allow $1_spamassassin_t self:msg { send receive }; + + allow $1_spamassassin_t $1_spamassassin_home_t:dir create_dir_perms; + allow $1_spamassassin_t $1_spamassassin_home_t:file create_file_perms; + allow $1_spamassassin_t $1_spamassassin_home_t:lnk_file create_lnk_perms; + allow $1_spamassassin_t $1_spamassassin_home_t:sock_file create_file_perms; + allow $1_spamassassin_t $1_spamassassin_home_t:fifo_file create_file_perms; + userdom_create_user_home($1,$1_spamassassin_t,{ dir file lnk_file sock_file fifo_file },$1_spamassassin_home_t) + + allow $1_spamassassin_t $1_spamassassin_tmp_t:dir create_dir_perms; + allow $1_spamassassin_t $1_spamassassin_tmp_t:file create_file_perms; + files_create_tmp_files($1_spamassassin_t, $1_spamassassin_tmp_t, { file dir }) + + allow $2 $1_spamassassin_home_t:dir { create_dir_perms relabelfrom relabelto }; + allow $2 $1_spamassassin_home_t:file { create_file_perms relabelfrom relabelto }; + allow $2 $1_spamassassin_home_t:lnk_file { create_lnk_perms relabelfrom relabelto }; + + domain_auto_trans($2, spamassassin_exec_t, $1_spamassassin_t) + allow $2 $1_spamassassin_t:fd use; + allow $1_spamassassin_t $2:fd use; + allow $1_spamassassin_t $2:fifo_file rw_file_perms; + allow $1_spamassassin_t $2:process sigchld; + + allow spamd_t $1_spamassassin_home_t:dir create_dir_perms; + allow spamd_t $1_spamassassin_home_t:file create_file_perms; + allow spamd_t $1_spamassassin_home_t:lnk_file create_lnk_perms; + allow spamd_t $1_spamassassin_home_t:sock_file create_file_perms; + allow spamd_t $1_spamassassin_home_t:fifo_file create_file_perms; + userdom_create_user_home($1,spamd_t,{ dir file lnk_file sock_file fifo_file },$1_spamassassin_home_t) + + kernel_read_kernel_sysctl($1_spamassassin_t) + + dev_read_urand($1_spamassassin_t) + + fs_search_auto_mountpoints($1_spamassassin_t) + + # this should probably be removed + corecmd_list_bin($1_spamassassin_t) + corecmd_read_bin_symlink($1_spamassassin_t) + corecmd_read_bin_file($1_spamassassin_t) + corecmd_read_bin_pipe($1_spamassassin_t) + corecmd_read_bin_socket($1_spamassassin_t) + corecmd_list_sbin($1_spamassassin_t) + corecmd_read_sbin_symlink($1_spamassassin_t) + corecmd_read_sbin_file($1_spamassassin_t) + corecmd_read_sbin_pipe($1_spamassassin_t) + corecmd_read_sbin_socket($1_spamassassin_t) + + domain_use_wide_inherit_fd($1_spamassassin_t) + + files_read_etc_files($1_spamassassin_t) + files_read_etc_runtime_files($1_spamassassin_t) + files_list_home($1_spamassassin_t) + files_read_usr_files($1_spamassassin_t) + files_dontaudit_search_var($1_spamassassin_t) + + libs_use_ld_so($1_spamassassin_t) + libs_use_shared_libs($1_spamassassin_t) + + logging_send_syslog_msg($1_spamassassin_t) + + miscfiles_read_localization($1_spamassassin_t) + + # cjp: this could probably be removed + seutil_read_config($1_spamassassin_t) + + sysnet_dns_name_resolve($1_spamassassin_t) + + userdom_use_unpriv_users_fd($1_spamassassin_t) + userdom_search_user_home($1,$1_spamassassin_t) + # cjp: this really should just be the + # terminal specific to the role + userdom_use_unpriv_user_pty($1_spamassassin_t) + + # this should probably be removed: + tunable_policy(`read_default_t',` + files_list_default($1_spamassassin_t) + files_read_default_files($1_spamassassin_t) + files_read_default_symlinks($1_spamassassin_t) + files_read_default_sockets($1_spamassassin_t) + files_read_default_pipes($1_spamassassin_t) + ') + + # set tunable if you have spamassassin do DNS lookups + tunable_policy(`spamassasin_can_network',` + allow $1_spamassassin_t self:tcp_socket create_stream_socket_perms; + allow $1_spamassassin_t self:udp_socket create_socket_perms; + + corenet_tcp_sendrecv_generic_if($1_spamassassin_t) + corenet_udp_sendrecv_generic_if($1_spamassassin_t) + corenet_raw_sendrecv_generic_if($1_spamassassin_t) + corenet_tcp_sendrecv_all_nodes($1_spamassassin_t) + corenet_udp_sendrecv_all_nodes($1_spamassassin_t) + corenet_raw_sendrecv_all_nodes($1_spamassassin_t) + corenet_tcp_sendrecv_all_ports($1_spamassassin_t) + corenet_udp_sendrecv_all_ports($1_spamassassin_t) + corenet_tcp_bind_all_nodes($1_spamassassin_t) + corenet_udp_bind_all_nodes($1_spamassassin_t) + corenet_tcp_connect_all_ports($1_spamassassin_t) + + sysnet_read_config($1_spamassassin_t) + + optional_policy(`mount',` + mount_send_nfs_client_request($1_spamassassin_t) + ') + ') + + tunable_policy(`spamassasin_can_network && allow_ypbind',` + optional_policy(`nis',` + nis_use_ypbind_uncond($1_spamassassin_t) + ') + ') + + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs($1_spamassassin_t) + fs_manage_nfs_files($1_spamassassin_t) + fs_manage_nfs_symlinks($1_spamassassin_t) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs($1_spamassassin_t) + fs_manage_cifs_files($1_spamassassin_t) + fs_manage_cifs_symlinks($1_spamassassin_t) + ') + + optional_policy(`nis',` + nis_use_ypbind($1_spamassassin_t) + ') + + optional_policy(`sendmail',` + mta_read_config($1_spamassassin_t) + sendmail_stub($1_spamassassin_t) + ') + + # For perl libraries. + allow $1_spamassassin_t lib_t:file rx_file_perms; +') ######################################## ## diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te index 6ea4919..f58f940 100644 --- a/refpolicy/policy/modules/services/spamassassin.te +++ b/refpolicy/policy/modules/services/spamassassin.te @@ -1,5 +1,5 @@ -policy_module(spamassassin,0.9) +policy_module(spamassassin,1.0.0) ######################################## # @@ -59,6 +59,7 @@ files_create_pid(spamd_t,spamd_var_run_t) kernel_read_all_sysctl(spamd_t) kernel_read_system_state(spamd_t) +kernel_tcp_recvfrom(spamd_t) corenet_tcp_sendrecv_all_if(spamd_t) corenet_udp_sendrecv_all_if(spamd_t) diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if index 283d9c7..5ca043f 100644 --- a/refpolicy/policy/modules/services/ssh.if +++ b/refpolicy/policy/modules/services/ssh.if @@ -40,8 +40,8 @@ template(`ssh_per_userdomain_template',` # Declarations # - type $1_home_ssh_t; #, $1_file_type; - files_type($1_home_ssh_t) + type $1_home_ssh_t; + userdom_home_file($1,$1_home_ssh_t) role $3 types $1_ssh_t; type $1_ssh_t; diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 6d775a8..893834a 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -69,7 +69,14 @@ template(`base_user_template',` ############################## # - # Local policy + # User home directory file rules + # + + allow $1_file_type $1_home_t:filesystem associate; + + ############################## + # + # User domain Local policy # allow $1_t self:capability { setgid chown fowner }; @@ -965,6 +972,39 @@ template(`admin_user_template',` ######################################## ## +## Make the specified type usable in a +## user home directory. +## +## +##

+## Make the specified type usable in a +## user home directory. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## Type to be used as a file in the +## user home directory. +## +# +template(`userdom_home_file',` + gen_require(` + type $1_file_type; + ') + + typeattribute $2 $1_file_type; + files_type($2) +') + +######################################## +## ## Search user home directories. ## ## @@ -1251,6 +1291,11 @@ template(`userdom_manage_user_home_subdir_sockets',` ## The class of the object to be created. If not ## specified, file is used. ## +## +## The type of the object to create. If this is +## not specified, the regular home directory +## type is used. +## # template(`userdom_create_user_home',` gen_require(` @@ -1261,10 +1306,18 @@ template(`userdom_create_user_home',` allow $2 $1_home_dir_t:dir rw_dir_perms; - ifelse(`$3',`',` - type_transition $2 $1_home_dir_t:file $1_home_t; + ifelse(`$4',`',` + ifelse(`$3',`',` + type_transition $2 $1_home_dir_t:file $1_home_t; + ',` + type_transition $2 $1_home_dir_t:$3 $1_home_t; + ') ',` - type_transition $2 $1_home_dir_t:$3 $1_home_t; + ifelse(`$3',`',` + type_transition $2 $1_home_dir_t:file $4; + ',` + type_transition $2 $1_home_dir_t:$3 $4; + ') ') ') @@ -2370,11 +2423,32 @@ interface(`userdom_setattr_unpriv_user_pty',` ######################################## ## +## Read and write unprivileged user ptys. +## +## +## Domain allowed access. +## +# +interface(`userdom_use_unpriv_user_pty',` + ifdef(`targeted_policy',` + term_use_generic_pty($1) + ',` + gen_require(` + attribute user_ptynode; + ') + + term_search_ptys($1) + allow $1 user_ptynode:chr_file rw_file_perms; + ') +') + +######################################## +## ## Do not audit attempts to use unprivileged ## user ptys. ## ## -## Domain allowed access. +## Domain to not audit. ## # interface(`userdom_dontaudit_use_unpriv_user_pty',`