Re: sendmail+greylist-milter problem

On Friday 23 December 2005 22:47, Russell Coker <russell@xxxxxxxxxxxx> wrote:
> On Thursday 22 December 2005 03:53, "Nicolas Mailhot" <nicolas.mailhot@xxxxxxxxxxx> wrote:
> > On Wed 21 December 2005 17:18, Russell Coker wrote:
> > > The problem here is that there is no policy for greylist-milter (or any
> > > other milter for that matter).
> >
> > amavis+postfix has been included in default selinux policy for quite a
> > long time. I'm pretty sure the policy applies to sendmail+amavis too.
>
> I should have thought of Amavis, I wrote a good chunk of the Amavis policy.
> You are correct that it SHOULD work with Sendmail, I designed it such that
> it would work with Sendmail and Qmail but I've never tested it with
> anything other than Postfix.
>
> I'll use the mta_filter_t domain that Alexey suggests and make Amavis such
> a filter as well.

I've attached a first cut at the policy for mta_filter_t. I still have other 
things to do, but I believe that the policy in this patch is only an 
improvement over the current situation and is therefore worth merging.  This 
replaces the postgrey.te and postgrey.fc files, as postgrey will run in the 
same domain (but my patch doesn't remove those files).  Note that the 
ifdef(`distro_mandriva' does not imply that you would run SE Linux on 
Mandriva (much more work would need to be done for that), merely that if you 
want to force Mandriva packages to work on Fedora then you need to have the 
policy support the directories that they choose.  Mandriva seems to be the 
only distribution with Postgrey RPMs.

I haven't yet got Amavis working on my test machine, so the Amavis policy isn't 
merged.  Amavis requires some extra work because it has a daemon to get new 
virus definitions (freshclam).  My plan is that the daemon that gets new virus 
definitions will run in a separate domain and write to files that are 
read-only for the mta_filter_t domain.  Of course if freshclam is cracked 
then you could end up with a virus definition that marks every message as 
being a virus (which would be really bad), but it gives a little extra 
isolation from the mail server domains.  Among other things I plan to have a 
boolean to determine whether the mta_filter_t domain can do TCP/UDP 
networking; preventing the filter from making connections to the outside 
world could be very useful.

Incidentally if someone wants to package Postgrey and Amavis for Fedora Extras 
then that would be really good.


PS Alexey, I'm not sure if you want to get involved in SE Linux policy 
development to the level of testing this patch out.  If not, then just wait a 
week or so and this will become a standard policy feature.


PPS  Happy holidays everyone!

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
diff -ruN policy.orig/attrib.te policy/attrib.te
--- policy.orig/attrib.te	2005-12-23 23:48:20.000000000 +1100
+++ policy/attrib.te	2005-12-23 23:50:24.000000000 +1100
@@ -488,6 +488,9 @@
 # For a mail server process that takes TCP connections on port 25
 attribute mail_server_domain;
 
+# For the mail server processes that access filters
+attribute mta_filter_client;
+
 # For web clients such as netscape and squid
 attribute web_client_domain;
 
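Review bot: the comment on the new mta_filter_client attribute should state what the attribute conveys, because the rules that give it meaning are in a different file (mta-filter.te in this same patch: search on the filter's var_lib/var_run dirs, write on its sock_file, connectto on mta_filter_t). Something like `# For MTA processes (smtpd, sendmail) that connect to an mta_filter_t socket; rules in mta-filter.te` keeps attrib.te self-explanatory for the next person adding a client domain.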
diff -ruN policy.orig/domains/program/mta-filter.te policy/domains/program/mta-filter.te
--- policy.orig/domains/program/mta-filter.te	1970-01-01 10:00:00.000000000 +1000
+++ policy/domains/program/mta-filter.te	2005-12-25 10:07:48.000000000 +1100
@@ -0,0 +1,50 @@
+#DESC mta-filter - for milters and other MTA helper programs
+#
+# Author:  Russell Coker <russell@xxxxxxxxxxxx>
+# X-Debian-Packages: postgrey
+
+daemon_domain(mta_filter)
+
+file_type_auto_trans(mta_filter_t, { var_run_t mta_filter_var_lib_t }, mta_filter_var_run_t, sock_file)
+
+allow mta_filter_client { var_lib_t mta_filter_var_lib_t }:dir { getattr search };
+allow mta_filter_client mta_filter_var_run_t:sock_file { getattr write };
+allow mta_filter_client mta_filter_t:unix_stream_socket connectto;
+dontaudit sysadm_mail_t var_lib_t:dir { getattr search };
+
+allow mta_filter_t urandom_device_t:chr_file { getattr read };
+
+# for perl
+allow mta_filter_t { bin_t sbin_t }:dir { getattr search };
+allow mta_filter_t usr_t:{ file lnk_file } { getattr read };
+dontaudit mta_filter_t usr_t:file ioctl;
+
+ifdef(`distro_mandriva', `
+ifdef(`postfix.te', `
+# for postgrey mandriva package
+allow mta_filter_t { var_spool_t postfix_spool_t postfix_etc_t }:dir search;
+dontaudit postfix_master_t mta_filter_var_lib_t:dir getattr;
+allow postfix_master_t mta_filter_etc_t:file getattr;
+')dnl end postfix.te
+')dnl end mandriva
+
+ifdef(`sendmail.te', `
+r_dir_file(mta_filter_t, etc_mail_t)
+')
+
+allow mta_filter_t { etc_t etc_runtime_t }:file { getattr read };
+etcdir_domain(mta_filter)
+
+can_network_server_tcp(mta_filter_t)
+can_ypbind(mta_filter_t)
+allow mta_filter_t mta_filter_port_t:tcp_socket name_bind;
+allow mta_filter_t self:unix_dgram_socket create_socket_perms;
+allow mta_filter_t self:unix_stream_socket create_stream_socket_perms;
+allow mta_filter_t proc_t:file { getattr read };
+
+allow mta_filter_t self:capability { chown dac_override setgid setuid };
+dontaudit mta_filter_t self:capability sys_tty_config;
+
+var_lib_domain(mta_filter)
+
+allow mta_filter_t tmp_t:dir getattr;
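Review bot: `allow mta_filter_t mta_filter_port_t:tcp_socket name_bind;` uses a type that nothing in this diff declares or binds to a port number, so as posted the patch only builds if a net_contexts/network type change was left out of the diff; please include that change or drop the name_bind until a port type exists. Related: the cover message says TCP/UDP networking for mta_filter_t is to be controlled by a boolean, yet `can_network_server_tcp(mta_filter_t)` and `can_ypbind(mta_filter_t)` here are unconditional, so a milter that only ever speaks over its unix socket (postgrey, milter-greylist as labelled in mta-filter.fc) still gets TCP server access. Finally, `allow mta_filter_t self:capability { chown dac_override setgid setuid };` deserves a comment naming what needs dac_override (presumably creating the socket under a directory owned by the MTA's user), since it bypasses every DAC check for the filter and is the capability most worth revisiting later.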
diff -ruN policy.orig/domains/program/postfix.te policy/domains/program/postfix.te
--- policy.orig/domains/program/postfix.te	2005-12-23 23:49:34.000000000 +1100
+++ policy/domains/program/postfix.te	2005-12-23 23:49:48.000000000 +1100
@@ -182,7 +182,7 @@
 # misconfiguration)
 can_tcp_connect(postfix_smtp_t, mail_server_domain)
 
-postfix_server_domain(smtpd)
+postfix_server_domain(smtpd, `, mta_filter_client')
 allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
 allow postfix_smtpd_t { postfix_private_t postfix_public_t }:dir search;
 allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_perms;
diff -ruN policy.orig/domains/program/sendmail.te policy/domains/program/sendmail.te
--- policy.orig/domains/program/sendmail.te	2005-12-23 23:25:19.000000000 +1100
+++ policy/domains/program/sendmail.te	2005-12-23 23:49:21.000000000 +1100
@@ -39,7 +39,7 @@
 
 file_type_auto_trans(sendmail_launch_t, var_run_t, sendmail_var_run_t, file)
 
-daemon_core_rules(sendmail, `, nscd_client_domain, mta_delivery_agent, mail_server_domain, mail_server_sender')
+daemon_core_rules(sendmail, `, nscd_client_domain, mta_delivery_agent, mail_server_domain, mail_server_sender, mta_filter_client')
 
 # stuff from daemon_domain and daemon_base_domain because we can not have an
 # automatic transition from initrc_t
@@ -59,7 +59,7 @@
 logdir_domain(sendmail)
 
 # Use capabilities
-allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config };
+allow sendmail_t self:capability { chown dac_override setgid setuid net_bind_service sys_nice sys_tty_config };
 
 # Use the network.
 can_network(sendmail_t)
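Review bot: dac_override is granted to sendmail_t here with no justification beyond the pre-existing `# Use capabilities` heading, and the rest of the capability list is reordered at the same time, which hides the one real change in the diff. dac_override lets sendmail_t ignore file permission bits altogether; if it is needed only to reach a milter socket that the filter creates with restrictive ownership or mode, say so in a comment (or have the filter create the socket with a group sendmail can use, which removes the need for the capability). Appending dac_override to the existing list instead of re-sorting it would make this a one-token change that is easy to audit.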
diff -ruN policy.orig/file_contexts/program/mta-filter.fc policy/file_contexts/program/mta-filter.fc
--- policy.orig/file_contexts/program/mta-filter.fc	1970-01-01 10:00:00.000000000 +1000
+++ policy/file_contexts/program/mta-filter.fc	2005-12-25 10:08:08.000000000 +1100
@@ -0,0 +1,12 @@
+# postgrey - postfix grey-listing server
+/usr/sbin/postgrey	--	system_u:object_r:mta_filter_exec_t:s0
+/usr/sbin/milter-greylist --	system_u:object_r:mta_filter_exec_t:s0
+/var/run/postgrey\.pid	--	system_u:object_r:mta_filter_var_run_t:s0
+/etc/postgrey(/.*)?		system_u:object_r:mta_filter_etc_t:s0
+/var/lib/postgrey(/.*)?		system_u:object_r:mta_filter_var_lib_t:s0
+/var/lib/milter-greylist(/.*)?	system_u:object_r:mta_filter_var_lib_t:s0
+/var/lib/milter-greylist/run/milter-greylist.sock -s system_u:object_r:mta_filter_var_run_t:s0
+ifdef(`distro_mandriva', `
+# for Mandriva postgrey socket
+/var/spool/postfix/extern/postgrey/socket -s system_u:object_r:mta_filter_var_run_t:s0
+')
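Review bot: the dot in `/var/lib/milter-greylist/run/milter-greylist.sock -s` is unescaped while `/var/run/postgrey\.pid` two entries above escapes it; file_contexts paths are regular expressions, so use `milter-greylist\.sock` for consistency and to avoid matching a sibling name by accident. The header comment `# postgrey - postfix grey-listing server` no longer describes the file once it also labels /usr/sbin/milter-greylist and its state directory; widen it to cover both programs. Minor: the separator between path and `--` mixes tabs and a single space across the entries.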
diff -ruN policy.orig/file_contexts/program/postfix.fc policy/file_contexts/program/postfix.fc
--- policy.orig/file_contexts/program/postfix.fc	2005-12-25 09:52:57.000000000 +1100
+++ policy/file_contexts/program/postfix.fc	2005-12-25 10:07:24.000000000 +1100
@@ -57,3 +57,10 @@
 /var/spool/postfix/lib(64)?/lib.*\.so.* -- system_u:object_r:shlib_t:s0
 /var/spool/postfix/lib(64)?/[^/]*/lib.*\.so.* -- system_u:object_r:shlib_t:s0
 /var/spool/postfix/lib(64)?/devfsd/.*\.so.* -- system_u:object_r:shlib_t:s0
+ifdef(`distro_mandriva', `
+ifdef(`mta-filter.te', `
+# for Mandriva postgrey package
+/var/spool/postfix/extern(/.*)? -d system_u:object_r:mta_filter_var_lib_t:s0
+/etc/postfix/postgrey_.*	system_u:object_r:mta_filter_etc_t:s0
+')dnl end mta-filter.te
+')dnl end mandriva
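Review bot: `/var/spool/postfix/extern(/.*)? -d` labels directories only, so any non-socket file postgrey writes under extern (the socket itself is labelled in mta-filter.fc) falls back to the general /var/spool/postfix label, and mta_filter_t only has `dir search` on postfix_spool_t per the mta-filter.te hunk; if directory-only labelling is intended, a comment pointing at the socket entry in mta-filter.fc would help, otherwise drop the `-d`. Note also the asymmetry in guards: this block is wrapped in `ifdef(`mta-filter.te'`, while the matching Mandriva socket entry under /var/spool/postfix in mta-filter.fc has no `ifdef(`postfix.te'` guard.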
Binary files policy.orig/policy.20 and policy/policy.20 differ
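As an added illustration of the design sketched in the cover message (not code from the posted patch or from its author), here is how the planned separation could be written in the same policy dialect: the definitions updater gets its own domain, mta_filter_t gets read-only access to its data, and the filter's own network access hangs off a boolean. The macros used (daemon_domain, var_lib_domain, r_dir_file, can_network, can_network_server_tcp) all appear in the patch; the names freshclam_t, freshclam_var_lib_t and mta_filter_use_network, and the `bool`/`if` conditional syntax of the kernel policy language, are assumptions of this example.

```m4
# Added example, not part of the posted patch: the plan from the cover
# message expressed in the example policy's .te dialect.
#
# 1. The updater that fetches new virus definitions runs in its own domain
#    (hypothetical name freshclam_t) and owns the definitions directory.
daemon_domain(freshclam)
var_lib_domain(freshclam)        dnl creates freshclam_var_lib_t for the data
can_network(freshclam_t)         dnl only the updater needs outbound TCP/UDP

# 2. The filter may read the definitions but never write them, so a
#    compromised filter cannot poison the signature set; a compromised
#    updater is still limited to feeding the filter bad definitions.
r_dir_file(mta_filter_t, freshclam_var_lib_t)

# 3. Network access for the filter is off by default and gated by a boolean
#    (hypothetical name), so a unix-socket-only milter such as postgrey or
#    milter-greylist runs with no TCP/UDP access at all.
bool mta_filter_use_network false;
if (mta_filter_use_network) {
	can_network_server_tcp(mta_filter_t)
}
```

With the boolean left at its default, an AVC denial on a tcp_socket or udp_socket class from mta_filter_t is then a direct signal that a filter is doing something its deployment did not ask for, rather than noise to be allowed away.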
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
