commit: 232701f0d9090cd34c22f350a7dfbda7c58a0ea0 |
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> |
AuthorDate: Fri Feb 24 01:58:41 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sat Feb 25 14:50:54 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=232701f0 |
|
mailman: Fixes from Russell Coker. |
|
policy/modules/contrib/cron.if | 18 +++++++ |
policy/modules/contrib/cron.te | 2 +- |
policy/modules/contrib/mailman.fc | 24 ++++----- |
policy/modules/contrib/mailman.te | 100 +++++++++++++++++++++++++++++++++++--- |
policy/modules/contrib/mta.if | 18 +++++++ |
policy/modules/contrib/mta.te | 2 +- |
6 files changed, 143 insertions(+), 21 deletions(-) |
|
diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if |
19 |
index 6737f53c..5739d4f0 100644 |
20 |
--- a/policy/modules/contrib/cron.if |
21 |
+++ b/policy/modules/contrib/cron.if |
22 |
@@ -705,6 +705,24 @@ interface(`cron_manage_system_spool',` |
23 |
|
24 |
######################################## |
25 |
## <summary> |
26 |
+## Read and write crond temporary files. |
27 |
+## </summary> |
28 |
+## <param name="domain"> |
29 |
+## <summary> |
30 |
+## Domain allowed access. |
31 |
+## </summary> |
32 |
+## </param> |
33 |
+# |
34 |
+interface(`cron_rw_tmp_files',` |
35 |
+ gen_require(` |
36 |
+ type crond_tmp_t; |
37 |
+ ') |
38 |
+ |
39 |
+ allow $1 crond_tmp_t:file rw_file_perms; |
40 |
+') |
41 |
+ |
42 |
+######################################## |
43 |
+## <summary> |
44 |
## Read system cron job lib files. |
45 |
## </summary> |
46 |
## <param name="domain"> |
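Review bot: `cron_rw_tmp_files` grants `rw_file_perms` on `crond_tmp_t:file`, which includes `open`, so a caller can open any crond temporary file it can reach by path rather than only the descriptor it inherits from crond. The interface deliberately grants no directory search, which suggests the inherited-descriptor case (a cron job writing to the output file crond opened for it) is the intended use; if so, `allow $1 crond_tmp_t:file rw_inherited_file_perms;` is the tighter grant and still covers the only caller added in this commit, mailman_queue_t. Whichever set is kept, the summary should say which case it serves, e.g. `## Read and write crond temporary files, normally via a descriptor inherited from crond; no directory search is granted.`.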
47 |
|
48 |
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te |
49 |
index 3513e1f2..b51524a4 100644 |
50 |
--- a/policy/modules/contrib/cron.te |
51 |
+++ b/policy/modules/contrib/cron.te |
52 |
@@ -1,4 +1,4 @@ |
53 |
-policy_module(cron, 2.11.1) |
54 |
+policy_module(cron, 2.11.2) |
55 |
|
56 |
gen_require(` |
57 |
class passwd rootok; |
58 |
|
59 |
diff --git a/policy/modules/contrib/mailman.fc b/policy/modules/contrib/mailman.fc |
60 |
index 1a226daf..d5734fc9 100644 |
61 |
--- a/policy/modules/contrib/mailman.fc |
62 |
+++ b/policy/modules/contrib/mailman.fc |
63 |
@@ -2,11 +2,11 @@ |
64 |
|
65 |
/etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0) |
66 |
|
67 |
-/usr/lib/mailman.*/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) |
68 |
-/usr/lib/mailman.*/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) |
69 |
-/usr/lib/mailman.*/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) |
70 |
+/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) |
71 |
+/usr/lib/mailman/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) |
72 |
+/usr/lib/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) |
73 |
/var/lib/mailman.* gen_context(system_u:object_r:mailman_data_t,s0) |
74 |
-/var/lib/mailman.*/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0) |
75 |
+/var/lib/mailman/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0) |
76 |
|
77 |
/var/lock/mailman.* gen_context(system_u:object_r:mailman_lock_t,s0) |
78 |
/var/lock/subsys/mailman.* -- gen_context(system_u:object_r:mailman_lock_t,s0) |
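Review bot: The wildcard is dropped only from the executable and archive paths, while `/etc/mailman.*`, `/var/lib/mailman.*`, `/var/lock/mailman.*` and `/var/spool/mailman.*` keep it, so a tree such as `/var/lib/mailman3` or `/var/lib/mailman-something` still receives `mailman_data_t` while the matching executables under `/usr/lib/mailman3/...` no longer receive any mailman type. If the `.*` was removed because it matched unrelated `/usr/lib/mailman*` directories, the same argument applies to the data paths; either tighten them in the same way, e.g. `/var/lib/mailman(/.*)?`, or add a comment above the data entries explaining why they intentionally stay broad, since a reader of the new file will otherwise take the mix for an oversight. Note that `/var/lib/mailman.*` still overlaps the `/var/lib/mailman/archives(/.*)?` entry that follows it, exactly as before, so archive labeling is unchanged by this hunk.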
79 |
@@ -17,16 +17,16 @@ |
80 |
|
81 |
/var/spool/mailman.* gen_context(system_u:object_r:mailman_data_t,s0) |
82 |
|
83 |
-/usr/lib/cgi-bin/mailman.*/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) |
84 |
-/usr/lib/mailman.*/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) |
85 |
-/usr/lib/mailman.*/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) |
86 |
-/usr/lib/mailman.*/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) |
87 |
-/usr/lib/mailman.*/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) |
88 |
-/usr/lib/mailman.*/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) |
89 |
+/usr/lib/cgi-bin/mailman/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) |
90 |
+/usr/lib/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) |
91 |
+/usr/lib/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) |
92 |
+/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) |
93 |
+/usr/lib/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) |
94 |
+/usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) |
95 |
|
96 |
-/usr/mailman.*/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) |
97 |
+/usr/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) |
98 |
|
99 |
-/usr/share/doc/mailman.*/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) |
100 |
+/usr/share/doc/mailman/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) |
101 |
|
102 |
ifdef(`distro_gentoo',` |
103 |
# Bug 536666 |
104 |
|
105 |
diff --git a/policy/modules/contrib/mailman.te b/policy/modules/contrib/mailman.te |
106 |
index 7421ce3a..3de43d20 100644 |
107 |
--- a/policy/modules/contrib/mailman.te |
108 |
+++ b/policy/modules/contrib/mailman.te |
109 |
@@ -1,4 +1,4 @@ |
110 |
-policy_module(mailman, 1.12.0) |
111 |
+policy_module(mailman, 1.12.1) |
112 |
|
113 |
######################################## |
114 |
# |
115 |
@@ -91,12 +91,39 @@ miscfiles_read_localization(mailman_domain) |
116 |
# CGI local policy |
117 |
# |
118 |
|
119 |
+allow mailman_cgi_t self:unix_dgram_socket { create connect }; |
120 |
+ |
121 |
+allow mailman_cgi_t mailman_archive_t:dir search_dir_perms; |
122 |
+allow mailman_cgi_t mailman_archive_t:file read_file_perms; |
123 |
+ |
124 |
+allow mailman_cgi_t mailman_data_t:dir rw_dir_perms; |
125 |
+allow mailman_cgi_t mailman_data_t:file manage_file_perms; |
126 |
+allow mailman_cgi_t mailman_data_t:lnk_file read_lnk_file_perms; |
127 |
+ |
128 |
+allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms; |
129 |
+allow mailman_cgi_t mailman_lock_t:file manage_file_perms; |
130 |
+ |
131 |
+allow mailman_cgi_t mailman_log_t:file { append_file_perms read_file_perms }; |
132 |
+allow mailman_cgi_t mailman_log_t:dir search_dir_perms; |
133 |
+ |
134 |
+kernel_read_crypto_sysctls(mailman_cgi_t) |
135 |
+kernel_read_system_state(mailman_cgi_t) |
136 |
+ |
137 |
+corecmd_exec_bin(mailman_cgi_t) |
138 |
+ |
139 |
dev_read_urand(mailman_cgi_t) |
140 |
|
141 |
+files_search_locks(mailman_cgi_t) |
142 |
+ |
143 |
term_use_controlling_term(mailman_cgi_t) |
144 |
|
145 |
libs_dontaudit_write_lib_dirs(mailman_cgi_t) |
146 |
|
147 |
+logging_search_logs(mailman_cgi_t) |
148 |
+ |
149 |
+miscfiles_read_localization(mailman_cgi_t) |
150 |
+ |
151 |
+ |
152 |
optional_policy(` |
153 |
apache_sigchld(mailman_cgi_t) |
154 |
apache_use_fds(mailman_cgi_t) |
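Review bot: `allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms;` lets the web-facing CGI domain create, rename and remove lock directories, whereas the mail and queue domains in this same commit get only `rw_dir_perms` on `mailman_lock_t:dir` for the same lock handling; unless the CGI scripts are known to create the lock directory themselves, `allow mailman_cgi_t mailman_lock_t:dir rw_dir_perms;` matches the other domains and is the smaller grant. `corecmd_exec_bin(mailman_cgi_t)` is likewise a broad grant for a domain that parses untrusted HTTP input, since it permits executing any `bin_t` program, shells included; if it exists only so the CGI wrappers can run the Python interpreter, a comment such as `# CGI wrappers exec the python interpreter` would let a later reviewer check whether a narrower interface is possible. There is also a double blank line before the `optional_policy` block that the rest of the file does not use.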
155 |
@@ -116,24 +143,61 @@ optional_policy(` |
156 |
# |
157 |
|
158 |
allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config }; |
159 |
-allow mailman_mail_t self:process { signal signull }; |
160 |
+allow mailman_mail_t self:process { signal signull setsched }; |
161 |
+ |
162 |
+allow mailman_mail_t mailman_archive_t:dir manage_dir_perms; |
163 |
+allow mailman_mail_t mailman_archive_t:file manage_file_perms; |
164 |
+allow mailman_mail_t mailman_archive_t:lnk_file manage_lnk_file_perms; |
165 |
+ |
166 |
+allow mailman_mail_t mailman_data_t:dir rw_dir_perms; |
167 |
+allow mailman_mail_t mailman_data_t:file manage_file_perms; |
168 |
+allow mailman_mail_t mailman_data_t:lnk_file read_lnk_file_perms; |
169 |
+ |
170 |
+allow mailman_mail_t mailman_lock_t:dir rw_dir_perms; |
171 |
+allow mailman_mail_t mailman_lock_t:file manage_file_perms; |
172 |
+ |
173 |
+allow mailman_mail_t mailman_log_t:dir search; |
174 |
+allow mailman_mail_t mailman_log_t:file read_file_perms; |
175 |
+ |
176 |
+domtrans_pattern(mailman_mail_t, mailman_queue_exec_t, mailman_queue_t) |
177 |
+allow mailman_mail_t mailman_queue_exec_t:file ioctl; |
178 |
+ |
179 |
+can_exec(mailman_mail_t, mailman_mail_exec_t) |
180 |
|
181 |
manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) |
182 |
manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) |
183 |
files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir }) |
184 |
|
185 |
-corenet_sendrecv_innd_client_packets(mailman_mail_t) |
186 |
-corenet_tcp_connect_innd_port(mailman_mail_t) |
187 |
-corenet_tcp_sendrecv_innd_port(mailman_mail_t) |
188 |
+kernel_read_system_state(mailman_mail_t) |
189 |
|
190 |
+corenet_tcp_connect_smtp_port(mailman_mail_t) |
191 |
corenet_sendrecv_spamd_client_packets(mailman_mail_t) |
192 |
+corenet_sendrecv_innd_client_packets(mailman_mail_t) |
193 |
+corenet_tcp_connect_innd_port(mailman_mail_t) |
194 |
corenet_tcp_connect_spamd_port(mailman_mail_t) |
195 |
+corenet_tcp_sendrecv_innd_port(mailman_mail_t) |
196 |
corenet_tcp_sendrecv_spamd_port(mailman_mail_t) |
197 |
|
198 |
dev_read_urand(mailman_mail_t) |
199 |
|
200 |
+corecmd_exec_bin(mailman_mail_t) |
201 |
+ |
202 |
+files_search_locks(mailman_mail_t) |
203 |
+ |
204 |
fs_rw_anon_inodefs_files(mailman_mail_t) |
205 |
|
206 |
+# this is far from ideal, but systemd reduces the importance of initrc_t |
207 |
+init_signal_script(mailman_mail_t) |
208 |
+init_signull_script(mailman_mail_t) |
209 |
+ |
210 |
+# for python .path file |
211 |
+libs_read_lib_files(mailman_mail_t) |
212 |
+ |
213 |
+logging_search_logs(mailman_mail_t) |
214 |
+ |
215 |
+miscfiles_read_localization(mailman_mail_t) |
216 |
+ |
217 |
+mta_use_mailserver_fds(mailman_mail_t) |
218 |
mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t) |
219 |
mta_dontaudit_rw_queue(mailman_mail_t) |
220 |
|
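Review bot: `init_signal_script(mailman_mail_t)` lets this domain send arbitrary signals, including SIGKILL, to init script processes, and the domain is not only mailmanctl: the file-context changes in this commit label `mail/wrapper`, `mail/mailman` and `mm-handler` as `mailman_mail_exec_t` too, i.e. the delivery agents the MTA runs for every incoming message, so a compromise through the delivery path inherits the ability to kill init scripts. The `# this is far from ideal` comment acknowledges the grant but does not bound it; if the need is liveness checking, `init_signull_script(mailman_mail_t)` alone may be enough, and if mailmanctl genuinely must signal its parent script, moving mailmanctl into its own domain would keep that grant away from the delivery path. At minimum the comment should record what needs it, e.g. `# TODO(review): which operation signals initrc_t? delivery agents share this domain (see mailman.fc)`, since the motivating denial is not visible here. The stray `allow mailman_mail_t mailman_queue_exec_t:file ioctl;` after the domtrans also deserves a one-line justification, as `ioctl` is not part of the standard domain-transition pattern.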
221 |
@@ -159,18 +223,40 @@ allow mailman_queue_t self:capability { setgid setuid }; |
222 |
allow mailman_queue_t self:process { setsched signal_perms }; |
223 |
allow mailman_queue_t self:fifo_file rw_fifo_file_perms; |
224 |
|
225 |
+allow mailman_queue_t mailman_archive_t:dir manage_dir_perms; |
226 |
+allow mailman_queue_t mailman_archive_t:file manage_file_perms; |
227 |
+ |
228 |
+allow mailman_queue_t mailman_data_t:dir rw_dir_perms; |
229 |
+allow mailman_queue_t mailman_data_t:file manage_file_perms; |
230 |
+allow mailman_queue_t mailman_data_t:lnk_file read_lnk_file_perms; |
231 |
+ |
232 |
+allow mailman_queue_t mailman_lock_t:dir rw_dir_perms; |
233 |
+allow mailman_queue_t mailman_lock_t:file manage_file_perms; |
234 |
+ |
235 |
+allow mailman_queue_t mailman_log_t:dir list_dir_perms; |
236 |
+allow mailman_queue_t mailman_log_t:file manage_file_perms; |
237 |
+ |
238 |
+kernel_read_system_state(mailman_queue_t) |
239 |
+ |
240 |
+auth_domtrans_chk_passwd(mailman_queue_t) |
241 |
+ |
242 |
+corecmd_read_bin_files(mailman_queue_t) |
243 |
+corecmd_read_bin_symlinks(mailman_queue_t) |
244 |
corenet_sendrecv_innd_client_packets(mailman_queue_t) |
245 |
corenet_tcp_connect_innd_port(mailman_queue_t) |
246 |
corenet_tcp_sendrecv_innd_port(mailman_queue_t) |
247 |
|
248 |
-auth_domtrans_chk_passwd(mailman_queue_t) |
249 |
- |
250 |
files_dontaudit_search_pids(mailman_queue_t) |
251 |
+files_search_locks(mailman_queue_t) |
252 |
+ |
253 |
+miscfiles_read_localization(mailman_queue_t) |
254 |
|
255 |
seutil_dontaudit_search_config(mailman_queue_t) |
256 |
|
257 |
userdom_search_user_home_dirs(mailman_queue_t) |
258 |
|
259 |
+cron_rw_tmp_files(mailman_queue_t) |
260 |
+ |
261 |
optional_policy(` |
262 |
apache_read_config(mailman_queue_t) |
263 |
') |
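Review bot: `cron_rw_tmp_files(mailman_queue_t)` is called unconditionally, but cron is a separate contrib module whose `crond_tmp_t` is pulled in through `gen_require`, so a policy built without the cron module would fail to link mailman; the `apache_read_config` call three lines below shows the convention, and the cron call should be wrapped the same way: `optional_policy(`` / `cron_rw_tmp_files(mailman_queue_t)` / `')`. Separately, `allow mailman_queue_t mailman_log_t:file manage_file_perms;` lets the queue runners unlink and rename the Mailman logs, whereas the mail and CGI domains in this commit get only read or append access to the same type; if the runners only create and append to the logs, `{ create append_file_perms read_file_perms }` mirrors the CGI grant and preserves log integrity, unless the audit denials that motivated this showed the runner renaming or deleting logs, in which case a comment should say so.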
264 |
|
265 |
diff --git a/policy/modules/contrib/mta.if b/policy/modules/contrib/mta.if |
266 |
index a5034276..7e268b80 100644 |
267 |
--- a/policy/modules/contrib/mta.if |
268 |
+++ b/policy/modules/contrib/mta.if |
269 |
@@ -338,6 +338,24 @@ interface(`mta_sendmail_mailserver',` |
270 |
typeattribute $1 mailserver_domain; |
271 |
') |
272 |
|
273 |
+######################################## |
274 |
+## <summary> |
275 |
+## Inherit FDs from mailserver_domain domains |
276 |
+## </summary> |
277 |
+## <param name="type"> |
278 |
+## <summary> |
279 |
+## Type for a list server or delivery agent that inherits fds |
280 |
+## </summary> |
281 |
+## </param> |
282 |
+# |
283 |
+interface(`mta_use_mailserver_fds',` |
284 |
+ gen_require(` |
285 |
+ attribute mailserver_domain; |
286 |
+ ') |
287 |
+ |
288 |
+ allow $1 mailserver_domain:fd use; |
289 |
+') |
290 |
+ |
291 |
####################################### |
292 |
## <summary> |
293 |
## Make a type a mailserver type used |
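Review bot: The new `mta_use_mailserver_fds` interface documents its parameter as `<param name="type">` with the description "Type for a list server or delivery agent that inherits fds", while the other interface added in this commit (`cron_rw_tmp_files` in cron.if) and the surrounding mta.if interfaces use the refpolicy convention `<param name="domain">` / `Domain allowed access.`; the interface documentation tooling presumably keys on that name, so it should be `## <param name="domain">`. The summary could also be made self-explanatory, e.g. `## Inherit and use file descriptors from mail server domains (mailserver_domain).`. The grant itself, `allow $1 mailserver_domain:fd use;`, is the standard shape for inherited descriptors and spans every domain carrying the attribute, which fits the caller added here (mailman_mail_t is executed by whichever MTA is installed).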
294 |
|
295 |
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te |
296 |
index 9a3ee20e..f7280b11 100644 |
297 |
--- a/policy/modules/contrib/mta.te |
298 |
+++ b/policy/modules/contrib/mta.te |
299 |
@@ -1,4 +1,4 @@ |
300 |
-policy_module(mta, 2.8.1) |
301 |
+policy_module(mta, 2.8.2) |
302 |
|
303 |
######################################## |
304 |
# |