diff --git a/refpolicy/Changelog b/refpolicy/Changelog index 62c0971..91054ea 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -1,4 +1,6 @@ - Added modules: + amavis (Erich Schubert) + clamav (Erich Schubert) tor (Erich Schubert) * Tue Mar 07 2006 Chris PeBenito - 20060307 diff --git a/refpolicy/policy/modules/services/amavis.fc b/refpolicy/policy/modules/services/amavis.fc new file mode 100644 index 0000000..b9b789d --- /dev/null +++ b/refpolicy/policy/modules/services/amavis.fc @@ -0,0 +1,11 @@ + +/etc/amavis\.conf -- gen_context(system_u:object_r:amavis_etc_t,s0) +/etc/amavisd(/.*)? -- gen_context(system_u:object_r:amavis_etc_t,s0) + +/usr/sbin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0) + +/var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0) +/var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0) +/var/log/amavisd\.log -- gen_context(system_u:object_r:amavis_var_log_t,s0) +/var/run/amavis(/.*)? gen_context(system_u:object_r:amavis_var_run_t,s0) +/var/virusmails(/.*)? gen_context(system_u:object_r:amavis_quarantine_t,s0) diff --git a/refpolicy/policy/modules/services/amavis.if b/refpolicy/policy/modules/services/amavis.if new file mode 100644 index 0000000..65ca6a7 --- /dev/null +++ b/refpolicy/policy/modules/services/amavis.if @@ -0,0 +1,106 @@ +## +## Daemon that interfaces mail transfer agents and content +## checkers, such as virus scanners. +## + +######################################## +## +## Execute a domain transition to run amavis. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`amavis_domtrans',` + gen_require(` + type amavis_t, amavis_exec_t; + ') + + domain_auto_trans($1,amavis_exec_t,amavis_t) + + allow $1 amavis_t:fd use; + allow amavis_t $1:fd use; + allow amavis_t $1:fifo_file rw_file_perms; + allow amavis_t $1:process sigchld; +') + +######################################## +## +## Search amavis lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`amavis_search_lib',` + gen_require(` + type amavis_var_lib_t; + ') + + allow $1 amavis_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## +## Read amavis lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`amavis_read_lib_files',` + gen_require(` + type amavis_var_lib_t; + ') + + allow $1 amavis_var_lib_t:file r_file_perms; + allow $1 amavis_var_lib_t:dir list_dir_perms; + files_search_var_lib($1) +') + +######################################## +## +## Create, read, write, and delete +## amavis lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`amavis_manage_lib_files',` + gen_require(` + type amavis_var_lib_t; + ') + + allow $1 amavis_var_lib_t:file manage_file_perms; + allow $1 amavis_var_lib_t:dir rw_dir_perms; + files_search_var_lib($1) +') + +######################################## +## +## Set the attributes of amavis pid files. +## +## +## +## Domain allowed access. +## +## +# +interface(`amavis_setattr_pid_files',` + gen_require(` + type amavis_var_run_t; + ') + + allow $1 amavis_var_run_t:file setattr; + files_search_pids($1) +') diff --git a/refpolicy/policy/modules/services/amavis.te b/refpolicy/policy/modules/services/amavis.te new file mode 100644 index 0000000..6455fd6 --- /dev/null +++ b/refpolicy/policy/modules/services/amavis.te @@ -0,0 +1,148 @@ + +policy_module(amavis,1.0.0) + +######################################## +# +# Declarations +# + +type amavis_t; +type amavis_exec_t; +domain_type(amavis_t) +init_daemon_domain(amavis_t, amavis_exec_t) + +# configuration files +type amavis_etc_t; +files_type(amavis_etc_t) + +# pid files +type amavis_var_run_t; +files_pid_file(amavis_var_run_t) + +# var/lib files +type amavis_var_lib_t; +files_type(amavis_var_lib_t) + +# log files +type amavis_var_log_t; +logging_log_file(amavis_var_log_t) + +# tmp files +type amavis_tmp_t; +files_tmp_file(amavis_tmp_t) + +# virus quarantine +type amavis_quarantine_t; +files_type(amavis_quarantine_t) + +######################################## +# +# amavis local policy +# + +allow amavis_t self:capability { chown dac_override setgid setuid }; +dontaudit amavis_t self:capability sys_tty_config; +allow amavis_t self:process { signal sigchld signull }; +allow amavis_t self:fifo_file rw_file_perms; +allow amavis_t self:unix_stream_socket create_stream_socket_perms; +allow amavis_t self:unix_dgram_socket create_socket_perms; +allow amavis_t self:tcp_socket { listen accept }; + +# configuration files +allow amavis_t amavis_etc_t:dir r_dir_perms; +allow amavis_t amavis_etc_t:file r_file_perms; +allow amavis_t amavis_etc_t:lnk_file { getattr read }; + +# mail quarantine +allow amavis_t amavis_quarantine_t:file create_file_perms; +allow amavis_t amavis_quarantine_t:sock_file create_file_perms; +allow amavis_t amavis_quarantine_t:dir create_dir_perms; + +# tmp files +allow amavis_t amavis_tmp_t:file create_file_perms; +allow amavis_t amavis_tmp_t:dir { rw_dir_perms setattr }; +files_tmp_filetrans(amavis_t,amavis_tmp_t,file) + +# var/lib files for amavis +allow amavis_t amavis_var_lib_t:file create_file_perms; +allow amavis_t amavis_var_lib_t:sock_file create_file_perms; +allow amavis_t amavis_var_lib_t:dir create_dir_perms; +files_var_filetrans(amavis_t,amavis_var_lib_t,{ file dir sock_file }) +files_var_lib_filetrans(amavis_t,amavis_var_lib_t,file) + +# log files +allow amavis_t amavis_var_log_t:file create_file_perms; +allow amavis_t amavis_var_log_t:sock_file create_file_perms; +allow amavis_t amavis_var_log_t:dir { rw_dir_perms setattr }; +logging_log_filetrans(amavis_t,amavis_var_log_t,{ sock_file file dir }) + +# pid file +allow amavis_t amavis_var_run_t:file manage_file_perms; +allow amavis_t amavis_var_run_t:sock_file manage_file_perms; +allow amavis_t amavis_var_run_t:dir rw_dir_perms; +files_pid_filetrans(amavis_t,amavis_var_run_t, { file sock_file }) + +# amavis tries to access /proc/self/stat, /etc/shadow and /root - perl... +kernel_dontaudit_list_proc(amavis_t) + +# find perl +corecmd_exec_bin(amavis_t) +corecmd_search_sbin(amavis_t) + +corenet_non_ipsec_sendrecv(amavis_t) +corenet_tcp_sendrecv_all_if(amavis_t) +corenet_tcp_sendrecv_all_nodes(amavis_t) +# amavis uses well-defined ports +corenet_tcp_sendrecv_amavisd_recv_port(amavis_t) +corenet_tcp_sendrecv_amavisd_send_port(amavis_t) +# just the other side not. ;-) +corenet_tcp_sendrecv_all_ports(amavis_t) +# connect to backchannel port +corenet_tcp_connect_amavisd_send_port(amavis_t) +# bind to incoming port +corenet_tcp_bind_amavisd_recv_port(amavis_t) + +dev_read_rand(amavis_t) +dev_read_urand(amavis_t) + +domain_use_interactive_fds(amavis_t) + +files_read_etc_files(amavis_t) +files_read_etc_runtime_files(amavis_t) +files_read_usr_files(amavis_t) + +auth_dontaudit_read_shadow(amavis_t) + +init_use_fds(amavis_t) +init_use_script_ptys(amavis_t) + +libs_use_ld_so(amavis_t) +libs_use_shared_libs(amavis_t) + +logging_send_syslog_msg(amavis_t) + +miscfiles_read_localization(amavis_t) + +sysnet_dns_name_resolve(amavis_t) + +userdom_dontaudit_search_sysadm_home_dirs(amavis_t) + +# Cron handling +cron_use_fds(amavis_t) +cron_use_system_job_fds(amavis_t) +cron_rw_pipes(amavis_t) + +mta_read_config(amavis_t) + +optional_policy(`clamav',` + clamav_stream_connect(amavis_t) +') + +optional_policy(`ldap',` + ldap_use(amavis_t) +') + +optional_policy(`spamassassin',` + spamassassin_exec(amavis_t) + spamassassin_exec_client(amavis_t) +') diff --git a/refpolicy/policy/modules/services/clamav.fc b/refpolicy/policy/modules/services/clamav.fc new file mode 100644 index 0000000..c4ec71e --- /dev/null +++ b/refpolicy/policy/modules/services/clamav.fc @@ -0,0 +1,12 @@ +/etc/clamav(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0) + +/usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0) + +/usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0) + +/var/run/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0) +/var/run/clamav/clamd.ctl -s gen_context(system_u:object_r:clamd_sock_t,s0) +/var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) +/var/log/clamav -d gen_context(system_u:object_r:clamd_var_log_t,s0) +/var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0) +/var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0) diff --git a/refpolicy/policy/modules/services/clamav.if b/refpolicy/policy/modules/services/clamav.if new file mode 100644 index 0000000..aef1c03 --- /dev/null +++ b/refpolicy/policy/modules/services/clamav.if @@ -0,0 +1,63 @@ +## ClamAV Virus Scanner + +######################################## +## +## Execute a domain transition to run clamd. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`clamav_domtrans',` + gen_require(` + type clamd_t, clamd_exec_t; + ') + + domain_auto_trans($1,clamd_exec_t,clamd_t) + + allow $1 clamd_t:fd use; + allow clamd_t $1:fd use; + allow clamd_t $1:fifo_file rw_file_perms; + allow clamd_t $1:process sigchld; +') + +######################################## +## +## Connect to run clamd. +## +## +## +## Domain allowed to connect. +## +## +# +interface(`clamav_stream_connect',` + gen_require(` + type clamd_t, clamd_sock_t, clamd_var_run_t; + ') + + allow $1 clamd_var_run_t:dir search; + allow $1 clamd_sock_t:sock_file write; + allow $1 clamd_t:unix_stream_socket connectto; +') + +######################################## +## +## Read clamav configuration files. +## +## +## +## Domain allowed access. +## +## +# +interface(`clamav_read_config',` + gen_require(` + type clamd_etc_t; + ') + + files_search_etc($1) + allow $1 clamd_etc_t:file r_file_perms; +') diff --git a/refpolicy/policy/modules/services/clamav.te b/refpolicy/policy/modules/services/clamav.te new file mode 100644 index 0000000..b02af07 --- /dev/null +++ b/refpolicy/policy/modules/services/clamav.te @@ -0,0 +1,195 @@ + +policy_module(clamav,1.0.0) + +######################################## +# +# Declarations +# + +# Main clamd domain +type clamd_t; +type clamd_exec_t; +init_daemon_domain(clamd_t, clamd_exec_t) + +# configuration files +type clamd_etc_t; +files_type(clamd_etc_t) + +# named socket type +type clamd_sock_t; +files_type(clamd_sock_t) + +# tmp files +type clamd_tmp_t; +files_tmp_file(clamd_tmp_t) + +# log files +type clamd_var_log_t; +logging_log_file(clamd_var_log_t) + +# var/lib files +type clamd_var_lib_t; +files_type(clamd_var_lib_t) + +# pid files +type clamd_var_run_t; +files_pid_file(clamd_var_run_t) + +type freshclam_t; +type freshclam_exec_t; +init_daemon_domain(freshclam_t, freshclam_exec_t) + +# log files +type freshclam_var_log_t; +logging_log_file(freshclam_var_log_t) + +######################################## +# +# clamd local policy +# + +allow clamd_t self:capability { kill setgid setuid dac_override }; +allow clamd_t self:fifo_file rw_file_perms; +allow clamd_t self:unix_stream_socket create_stream_socket_perms; +allow clamd_t self:unix_dgram_socket create_socket_perms; +allow clamd_t self:tcp_socket { listen accept }; + +# configuration files +allow clamd_t clamd_etc_t:dir r_dir_perms; +allow clamd_t clamd_etc_t:file r_file_perms; +allow clamd_t clamd_etc_t:lnk_file { getattr read }; + +# socket file +allow clamd_t clamd_sock_t:file manage_file_perms; +allow clamd_t clamd_sock_t:sock_file manage_file_perms; +allow clamd_t clamd_sock_t:dir rw_dir_perms; +files_pid_filetrans(clamd_t,clamd_sock_t,sock_file) + +# tmp files +allow clamd_t clamd_tmp_t:file create_file_perms; +allow clamd_t clamd_tmp_t:dir create_dir_perms; +files_tmp_filetrans(clamd_t,clamd_tmp_t,{ file dir }) + +# var/lib files for clamd +allow clamd_t clamd_var_lib_t:file create_file_perms; +allow clamd_t clamd_var_lib_t:sock_file create_file_perms; +allow clamd_t clamd_var_lib_t:dir create_dir_perms; +files_var_filetrans(clamd_t,clamd_var_lib_t,{ file dir sock_file }) +files_var_lib_filetrans(clamd_t,clamd_var_lib_t,file) + +# log files +allow clamd_t clamd_var_log_t:file create_file_perms; +allow clamd_t clamd_var_log_t:sock_file create_file_perms; +allow clamd_t clamd_var_log_t:dir { rw_dir_perms setattr }; +logging_log_filetrans(clamd_t,clamd_var_log_t,file) + +# pid file +allow clamd_t clamd_var_run_t:file manage_file_perms; +allow clamd_t clamd_var_run_t:sock_file manage_file_perms; +allow clamd_t clamd_var_run_t:dir rw_dir_perms; +files_pid_filetrans(clamd_t,clamd_var_run_t,file) + +kernel_dontaudit_list_proc(clamd_t) + +corenet_tcp_sendrecv_all_if(clamd_t) +corenet_tcp_sendrecv_all_nodes(clamd_t) +corenet_tcp_sendrecv_all_ports(clamd_t) +corenet_tcp_sendrecv_clamd_port(clamd_t) +corenet_non_ipsec_sendrecv(clamd_t) +corenet_tcp_bind_clamd_port(clamd_t) +corenet_tcp_bind_all_nodes(clamd_t) + +dev_read_rand(clamd_t) +dev_read_urand(clamd_t) + +domain_use_interactive_fds(clamd_t) + +files_read_etc_files(clamd_t) +files_read_etc_runtime_files(clamd_t) + +init_use_fds(clamd_t) +init_use_script_ptys(clamd_t) + +libs_use_ld_so(clamd_t) +libs_use_shared_libs(clamd_t) + +miscfiles_read_localization(clamd_t) + +sysnet_dns_name_resolve(clamd_t) + +cron_use_fds(clamd_t) +cron_use_system_job_fds(clamd_t) +cron_rw_pipes(clamd_t) + +optional_policy(`amavis',` + amavis_read_lib_files(clamd_t) +') + +######################################## +# +# Freshclam local policy +# + +allow freshclam_t self:capability { setgid setuid dac_override }; +allow freshclam_t self:fifo_file rw_file_perms; +allow freshclam_t self:unix_stream_socket create_stream_socket_perms; +allow freshclam_t self:unix_dgram_socket create_socket_perms; +allow freshclam_t self:tcp_socket { listen accept }; + +# configuration files +allow freshclam_t clamd_etc_t:dir r_dir_perms; +allow freshclam_t clamd_etc_t:file r_file_perms; +allow freshclam_t clamd_etc_t:lnk_file { getattr read }; + +# var/lib files together with clamd +allow freshclam_t clamd_var_lib_t:file create_file_perms; +allow freshclam_t clamd_var_lib_t:sock_file create_file_perms; +allow freshclam_t clamd_var_lib_t:dir create_dir_perms; +files_var_filetrans(freshclam_t,clamd_var_lib_t,{ file dir sock_file }) +files_var_lib_filetrans(freshclam_t,clamd_var_lib_t,file) + +# pidfiles- var/run together with clamd +allow freshclam_t clamd_var_run_t:file manage_file_perms; +allow freshclam_t clamd_var_run_t:sock_file manage_file_perms; +allow freshclam_t clamd_var_run_t:dir rw_dir_perms; +files_pid_filetrans(freshclam_t,clamd_var_run_t,file) + +# log files (own logfiles only) +allow freshclam_t freshclam_var_log_t:file create_file_perms; +allow freshclam_t freshclam_var_log_t:sock_file create_file_perms; +allow freshclam_t freshclam_var_log_t:dir { rw_dir_perms setattr }; +allow freshclam_t clamd_var_log_t:dir search; +logging_log_filetrans(freshclam_t,freshclam_var_log_t,file) + +corenet_tcp_sendrecv_all_if(freshclam_t) +corenet_tcp_sendrecv_all_nodes(freshclam_t) +corenet_tcp_sendrecv_all_ports(freshclam_t) +corenet_tcp_sendrecv_clamd_port(freshclam_t) +corenet_non_ipsec_sendrecv(freshclam_t) +corenet_tcp_connect_http_port(freshclam_t) +corenet_tcp_bind_all_ports(freshclam_t) +corenet_tcp_bind_all_nodes(freshclam_t) + +dev_read_rand(freshclam_t) +dev_read_urand(freshclam_t) + +domain_use_interactive_fds(freshclam_t) + +files_read_etc_files(freshclam_t) +files_read_etc_runtime_files(freshclam_t) + +init_use_fds(freshclam_t) +init_use_script_ptys(freshclam_t) + +libs_use_ld_so(freshclam_t) +libs_use_shared_libs(freshclam_t) + +miscfiles_read_localization(freshclam_t) + +sysnet_dns_name_resolve(freshclam_t) + +clamav_stream_connect(freshclam_t) + +cron_use_fds(freshclam_t) +cron_use_system_job_fds(freshclam_t) +cron_rw_pipes(freshclam_t) diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index 973c0ad..42f4006 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -1,5 +1,5 @@ -policy_module(cron,1.3.0) +policy_module(cron,1.3.1) gen_require(` class passwd rootok; @@ -178,6 +178,10 @@ tunable_policy(`fcron_crond', ` allow crond_t system_cron_spool_t:file create_file_perms; ') +optional_policy(`amavis',` + amavis_search_lib(crond_t) +') + optional_policy(`hal',` hal_dbus_send(crond_t) ') diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te index 3a0028c..35f1513 100644 --- a/refpolicy/policy/modules/services/spamassassin.te +++ b/refpolicy/policy/modules/services/spamassassin.te @@ -1,5 +1,5 @@ -policy_module(spamassassin,1.3.0) +policy_module(spamassassin,1.3.1) ######################################## # @@ -142,6 +142,10 @@ optional_policy(`cron',` cron_system_entry(spamd_t,spamd_exec_t) ') +optional_policy(`amavis',` + amavis_manage_lib_files(spamd_t) +') + optional_policy(`daemontools',` daemontools_service_domain(spamd_t,spamd_exec_t) ') diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index dfa4881..ea78ffd 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -1,5 +1,5 @@ -policy_module(init,1.3.0) +policy_module(init,1.3.1) gen_require(` class passwd rootok; @@ -491,6 +491,11 @@ ifdef(`targeted_policy',` # ') ') +optional_policy(`amavis',` + amavis_search_lib(initrc_t) + amavis_setattr_pid_files(initrc_t) +') + optional_policy(`apm',` dev_rw_apm_bios(initrc_t) ') @@ -516,6 +521,10 @@ optional_policy(`bluetooth',` bluetooth_read_config(initrc_t) ') +optional_policy(`clamav',` + clamav_read_config(initrc_t) +') + optional_policy(`cpucontrol',` cpucontrol_stub(initrc_t) dev_getattr_cpu_dev(initrc_t)