Re: postfix, procmail and SELinux - No Go

Marc Schwartz (via MN) wrote:
On Wed, 2006-06-21 at 16:53 +0100, Paul Howarth wrote:
Marc Schwartz (via MN) wrote:

<snip>

The current modules then are:

# semodule -l
amavis  1.0.4
clamav  1.0.1
myclamscan      0.2.0
mydcc   0.1.3
mypyzor 0.2.1
procmail        0.5.3
pyzor   1.0.1


No msgs are being reported by avclist subsequent to the above changes.
Specifically nothing wrt the postfix manpage weirdness.

All else appears to be OK so far.
Can you try restarting postfix? I think the manpage thing happened at that point.

Interesting. Recalling that, I had re-booted before my reply above and
had no msgs. However doing a service restart post-boot using
system-config-services, I get:

type=AVC msg=audit(1150906621.693:641): avc:  denied  { read } for  pid=12784 comm="postfix" name=".fonts.cache-2" dev=hdc7 ino=427877 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1150906621.693:641): arch=40000003 syscall=11 success=yes exit=0 a0=9e14f80 a1=9dfb478 a2=9e14f98 a3=9e14e68 items=2 pid=12784 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="postfix" exe="/usr/sbin/postfix"
type=AVC_PATH msg=audit(1150906621.693:641):  path="/root/.rh-fontconfig/.fonts.cache-2"
type=CWD msg=audit(1150906621.693:641):  cwd="/"
type=PATH msg=audit(1150906621.693:641): item=0 name="/usr/sbin/postfix" flags=101  inode=3132499 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1150906621.693:641): item=1 flags=101  inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1150906621.829:642): avc:  denied  { read } for  pid=12796 comm="postfix" name=".fonts.cache-2" dev=hdc7 ino=427877 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1150906621.829:642): arch=40000003 syscall=11 success=yes exit=0 a0=9e15318 a1=9e00e50 a2=9e14f98 a3=9e14d00 items=2 pid=12796 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="postfix" exe="/usr/sbin/postfix"
type=AVC_PATH msg=audit(1150906621.829:642):  path="/root/.rh-fontconfig/.fonts.cache-2"
type=CWD msg=audit(1150906621.829:642):  cwd="/"
type=PATH msg=audit(1150906621.829:642): item=0 name="/usr/sbin/postfix" flags=101  inode=3132499 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1150906621.829:642): item=1 flags=101  inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00

Which seems to not involve the man pages, but font caches for some
reason.

That's just completely weird. I wonder if it's a filehandle left open from somewhere. I wonder how to diagnose this further? Since the types aren't consistent, they can't even be dontaudit-ed. I trust nothing has broken anyway?

Once that's done I'd like to try out the dcc and razor modules that are now in rawhide. That will involve going back to permissive mode for a while though.

OK, I've attached the dcc and razor policy files from the current FC5 selinux-policy package. Try installing those, put selinux in permissive mode, do a restorecon on all of your dcc and razor files/directories and see what happens.

Paul.
/etc/dcc(/.*)?				gen_context(system_u:object_r:dcc_var_t,s0)
/etc/dcc/dccifd			-s	gen_context(system_u:object_r:dccifd_var_run_t,s0)
/etc/dcc/map			--	gen_context(system_u:object_r:dcc_client_map_t,s0)

/usr/bin/cdcc			--	gen_context(system_u:object_r:cdcc_exec_t,s0)
/usr/bin/dccproc		--	gen_context(system_u:object_r:dcc_client_exec_t,s0)

/usr/libexec/dcc/dbclean	--	gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
/usr/libexec/dcc/dccd		--	gen_context(system_u:object_r:dccd_exec_t,s0)
/usr/libexec/dcc/dccifd		--	gen_context(system_u:object_r:dccifd_exec_t,s0)
/usr/libexec/dcc/dccm		--	gen_context(system_u:object_r:dccm_exec_t,s0)

/var/dcc(/.*)?				gen_context(system_u:object_r:dcc_var_t,s0)
/var/dcc/map			--	gen_context(system_u:object_r:dcc_client_map_t,s0)

/var/run/dcc(/.*)?			gen_context(system_u:object_r:dcc_var_run_t,s0)
/var/run/dcc/map		--	gen_context(system_u:object_r:dcc_client_map_t,s0)
/var/run/dcc/dccifd		-s	gen_context(system_u:object_r:dccifd_var_run_t,s0)

## <summary>Distributed checksum clearinghouse spam filtering</summary>

########################################
## <summary>
##	Execute cdcc in the cdcc domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dcc_domtrans_cdcc',`
	gen_require(`
		type cdcc_t, cdcc_exec_t;
	')

	corecmd_search_sbin($1)
	domain_auto_trans($1,cdcc_exec_t,cdcc_t)
	allow cdcc_t $1:fd use;
	allow cdcc_t $1:fifo_file rw_file_perms;
	allow cdcc_t $1:process sigchld;
')

########################################
## <summary>
##	Execute cdcc in the cdcc domain, and
##	allow the specified role the cdcc domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the cdcc domain.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the terminal allow the cdcc domain to use.
##	</summary>
## </param>
#
interface(`dcc_run_cdcc',`
	gen_require(`
		type cdcc_t;
	')

	dcc_domtrans_cdcc($1)
	role $2 types cdcc_t;
	allow cdcc_t $3:chr_file rw_term_perms;
')

########################################
## <summary>
##	Execute dcc_client in the dcc_client domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dcc_domtrans_client',`
	gen_require(`
		type dcc_client_t, dcc_client_exec_t;
	')

	corecmd_search_sbin($1)
	domain_auto_trans($1,dcc_client_exec_t,dcc_client_t)
	allow dcc_client_t $1:fd use;
	allow dcc_client_t $1:fifo_file rw_file_perms;
	allow dcc_client_t $1:process sigchld;
')

########################################
## <summary>
##	Execute dcc_client in the dcc_client domain, and
##	allow the specified role the dcc_client domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the dcc_client domain.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the terminal allow the dcc_client domain to use.
##	</summary>
## </param>
#
interface(`dcc_run_client',`
	gen_require(`
		type dcc_client_t;
	')

	dcc_domtrans_client($1)
	role $2 types dcc_client_t;
	allow dcc_client_t $3:chr_file rw_term_perms;
')

########################################
## <summary>
##	Execute dbclean in the dcc_dbclean domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dcc_domtrans_dbclean',`
	gen_require(`
		type dcc_dbclean_t, dcc_dbclean_exec_t;
	')

	corecmd_search_sbin($1)
	domain_auto_trans($1,dcc_dbclean_exec_t,dcc_dbclean_t)
	allow dcc_dbclean_t $1:fd use;
	allow dcc_dbclean_t $1:fifo_file rw_file_perms;
	allow dcc_dbclean_t $1:process sigchld;
')

########################################
## <summary>
##	Execute dbclean in the dcc_dbclean domain, and
##	allow the specified role the dcc_dbclean domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the dcc_dbclean domain.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the terminal allow the dcc_dbclean domain to use.
##	</summary>
## </param>
#
interface(`dcc_run_dbclean',`
	gen_require(`
		type dcc_dbclean_t;
	')

	dcc_domtrans_dbclean($1)
	role $2 types dcc_dbclean_t;
	allow dcc_dbclean_t $3:chr_file rw_term_perms;
')

########################################
## <summary>
##	Connect to dccifd over a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dcc_stream_connect_dccifd',`
	gen_require(`
		type dcc_var_t, dccifd_var_run_t, dccifd_t;
	')

	files_search_var($1)
	allow $1 dcc_var_t:dir search;
	allow $1 dccifd_var_run_t:sock_file { getattr write };
	allow $1 dccifd_t:unix_stream_socket connectto;
')

policy_module(dcc,1.0.0)

########################################
#
# Declarations
#

type cdcc_t;
type cdcc_exec_t;
domain_type(cdcc_t)
domain_entry_file(cdcc_t,cdcc_exec_t)
role system_r types cdcc_t;

type cdcc_tmp_t;
files_tmp_file(cdcc_tmp_t)

type dcc_client_t;
type dcc_client_exec_t;
domain_type(dcc_client_t)
domain_entry_file(dcc_client_t,dcc_client_exec_t)
role system_r types dcc_client_t;

type dcc_client_map_t;
files_type(dcc_client_map_t)

type dcc_client_tmp_t;
files_tmp_file(dcc_client_tmp_t)

type dcc_dbclean_t;
type dcc_dbclean_exec_t;
domain_type(dcc_dbclean_t)
domain_entry_file(dcc_dbclean_t,dcc_dbclean_exec_t)
role system_r types dcc_dbclean_t;

type dcc_dbclean_tmp_t;
files_tmp_file(dcc_dbclean_tmp_t)

type dcc_var_t;
files_type(dcc_var_t)

type dcc_var_run_t;
files_type(dcc_var_run_t)

type dccd_t;
type dccd_exec_t;
init_daemon_domain(dccd_t,dccd_exec_t)

type dccd_tmp_t;
files_tmp_file(dccd_tmp_t)

type dccd_var_run_t;
files_pid_file(dccd_var_run_t)

type dccifd_t;
type dccifd_exec_t;
init_daemon_domain(dccifd_t,dccifd_exec_t)

type dccifd_tmp_t;
files_tmp_file(dccifd_tmp_t)

type dccifd_var_run_t;
files_pid_file(dccifd_var_run_t)

type dccm_t;
type dccm_exec_t;
init_daemon_domain(dccm_t,dccm_exec_t)

type dccm_tmp_t;
files_tmp_file(dccm_tmp_t)

type dccm_var_run_t;
files_pid_file(dccm_var_run_t)

# NOTE: DCC has writeable files in /etc/dcc that should probably be in
# /var/lib/dcc.  For now this policy supports both directories being
# writable.

# cjp: dccifd and dccm should be merged, as
# they have the same rules.

########################################
#
# dcc daemon controller local policy
#

allow cdcc_t self:capability setuid;
allow cdcc_t self:unix_dgram_socket create_socket_perms;
allow cdcc_t self:udp_socket create_socket_perms;

allow cdcc_t cdcc_tmp_t:dir manage_dir_perms;
allow cdcc_t cdcc_tmp_t:file create_file_perms;
files_tmp_filetrans(cdcc_t, cdcc_tmp_t, { file dir })

allow cdcc_t dcc_client_map_t:file rw_file_perms;

# Access files in /var/dcc. The map file can be updated
allow cdcc_t dcc_var_t:dir r_dir_perms;
allow cdcc_t dcc_var_t:file r_file_perms;
allow cdcc_t dcc_var_t:lnk_file { getattr read };

corenet_non_ipsec_sendrecv(cdcc_t)
corenet_udp_sendrecv_generic_if(cdcc_t)
corenet_udp_sendrecv_all_nodes(cdcc_t)
corenet_udp_sendrecv_all_ports(cdcc_t)

files_read_etc_files(cdcc_t)
files_read_etc_runtime_files(cdcc_t)

libs_use_ld_so(cdcc_t)
libs_use_shared_libs(cdcc_t)

logging_send_syslog_msg(cdcc_t)

miscfiles_read_localization(cdcc_t)

sysnet_read_config(cdcc_t)
sysnet_dns_name_resolve(cdcc_t)

optional_policy(`
	nscd_socket_use(cdcc_t)
')

########################################
#
# dcc procmail interface local policy
#

allow dcc_client_t self:capability setuid;
allow dcc_client_t self:unix_dgram_socket create_socket_perms;
allow dcc_client_t self:udp_socket create_socket_perms;

allow dcc_client_t dcc_client_map_t:file rw_file_perms;

allow dcc_client_t dcc_client_tmp_t:dir manage_dir_perms;
allow dcc_client_t dcc_client_tmp_t:file create_file_perms;
files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir })

# Access files in /var/dcc. The map file can be updated
allow dcc_client_t dcc_var_t:dir r_dir_perms;
allow dcc_client_t dcc_var_t:file r_file_perms;
allow dcc_client_t dcc_var_t:lnk_file { getattr read };

corenet_non_ipsec_sendrecv(dcc_client_t)
corenet_udp_sendrecv_generic_if(dcc_client_t)
corenet_udp_sendrecv_all_nodes(dcc_client_t)
corenet_udp_sendrecv_all_ports(dcc_client_t)

files_read_etc_files(dcc_client_t)
files_read_etc_runtime_files(dcc_client_t)

libs_use_ld_so(dcc_client_t)
libs_use_shared_libs(dcc_client_t)

logging_send_syslog_msg(dcc_client_t)

miscfiles_read_localization(dcc_client_t)

sysnet_read_config(dcc_client_t)
sysnet_dns_name_resolve(dcc_client_t)

optional_policy(`
	nscd_socket_use(dcc_client_t)
')

########################################
#
# Database cleanup tool local policy
#

allow dcc_dbclean_t self:unix_dgram_socket create_socket_perms;
allow dcc_dbclean_t self:udp_socket create_socket_perms;

allow dcc_dbclean_t dcc_client_map_t:file rw_file_perms;

allow dcc_dbclean_t dcc_dbclean_tmp_t:dir manage_dir_perms;
allow dcc_dbclean_t dcc_dbclean_tmp_t:file create_file_perms;
files_tmp_filetrans(dcc_dbclean_t, dcc_dbclean_tmp_t, { file dir })

allow dcc_dbclean_t dcc_var_t:dir manage_dir_perms;
allow dcc_dbclean_t dcc_var_t:file manage_file_perms;
allow dcc_dbclean_t dcc_var_t:lnk_file create_lnk_perms;

kernel_read_system_state(dcc_dbclean_t)

corenet_non_ipsec_sendrecv(dcc_dbclean_t)
corenet_udp_sendrecv_generic_if(dcc_dbclean_t)
corenet_udp_sendrecv_all_nodes(dcc_dbclean_t)
corenet_udp_sendrecv_all_ports(dcc_dbclean_t)

files_read_etc_files(dcc_dbclean_t)
files_read_etc_runtime_files(dcc_dbclean_t)

libs_use_ld_so(dcc_dbclean_t)
libs_use_shared_libs(dcc_dbclean_t)

logging_send_syslog_msg(dcc_dbclean_t)

miscfiles_read_localization(dcc_dbclean_t)

sysnet_read_config(dcc_dbclean_t)
sysnet_dns_name_resolve(dcc_dbclean_t)

optional_policy(`
	nscd_socket_use(dcc_dbclean_t)
')

########################################
#
# Server daemon local policy
#

allow dccd_t self:capability net_admin;
dontaudit dccd_t self:capability sys_tty_config;
allow dccd_t self:process signal_perms;
allow dccd_t self:unix_stream_socket create_socket_perms;
allow dccd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow dccd_t self:udp_socket create_socket_perms;

allow dccd_t dcc_client_map_t:file rw_file_perms;

# Access files in /var/dcc. The map file can be updated
allow dccd_t dcc_var_t:dir r_dir_perms;
allow dccd_t dcc_var_t:file r_file_perms;
allow dccd_t dcc_var_t:lnk_file { getattr read };

# Runs the dbclean program
domain_auto_trans(dccd_t, dcc_dbclean_exec_t, dcc_dbclean_t)
corecmd_search_bin(dccd_t)
allow dcc_dbclean_t dccd_t:fd use;
allow dcc_dbclean_t dccd_t:fifo_file rw_file_perms;
allow dcc_dbclean_t dccd_t:process sigchld;

# Updating dcc_db, flod, ...
allow dccd_t dcc_var_t:dir manage_dir_perms;
allow dccd_t dcc_var_t:file manage_file_perms;
allow dccd_t dcc_var_t:lnk_file create_lnk_perms;

allow dccd_t dccd_tmp_t:dir manage_dir_perms;
allow dccd_t dccd_tmp_t:file create_file_perms;
files_tmp_filetrans(dccd_t, dccd_tmp_t, { file dir })

allow dccd_t dccd_var_run_t:file create_file_perms;
allow dccd_t dccd_var_run_t:dir rw_dir_perms;
files_pid_filetrans(dccd_t,dccd_var_run_t,file)

kernel_read_system_state(dccd_t)
kernel_read_kernel_sysctls(dccd_t)

corenet_non_ipsec_sendrecv(dccd_t)
corenet_udp_sendrecv_generic_if(dccd_t)
corenet_udp_sendrecv_all_nodes(dccd_t)
corenet_udp_sendrecv_all_ports(dccd_t)
corenet_udp_bind_all_nodes(dccd_t)
corenet_udp_bind_dcc_port(dccd_t)

dev_read_sysfs(dccd_t)

domain_use_interactive_fds(dccd_t)

files_read_etc_files(dccd_t)
files_read_etc_runtime_files(dccd_t)

fs_getattr_all_fs(dccd_t)
fs_search_auto_mountpoints(dccd_t)

term_dontaudit_use_console(dccd_t)

init_use_fds(dccd_t)
init_use_script_ptys(dccd_t)

libs_use_ld_so(dccd_t)
libs_use_shared_libs(dccd_t)

logging_send_syslog_msg(dccd_t)

miscfiles_read_localization(dccd_t)

sysnet_read_config(dccd_t)
sysnet_dns_name_resolve(dccd_t)

userdom_dontaudit_use_unpriv_user_fds(dccd_t)
userdom_dontaudit_search_sysadm_home_dirs(dccd_t)

ifdef(`targeted_policy',`
	term_dontaudit_use_unallocated_ttys(dccd_t)
	term_dontaudit_use_generic_ptys(dccd_t)
	files_dontaudit_read_root_files(dccd_t)
')

optional_policy(`
	nscd_socket_use(dccd_t)
')

optional_policy(`
	seutil_sigchld_newrole(dccd_t)
')

optional_policy(`
	udev_read_db(dccd_t)
')

########################################
#
# Spamassassin and general MTA persistent client local policy
#

dontaudit dccifd_t self:capability sys_tty_config;
allow dccifd_t self:process signal_perms;
allow dccifd_t self:unix_stream_socket create_stream_socket_perms;
allow dccifd_t self:unix_dgram_socket create_socket_perms;
allow dccifd_t self:udp_socket create_socket_perms;

allow dccifd_t dcc_client_map_t:file rw_file_perms;

# Updating dcc_db, flod, ...
allow dccifd_t dcc_var_t:dir manage_dir_perms;
allow dccifd_t dcc_var_t:{ file sock_file fifo_file } manage_file_perms;
allow dccifd_t dcc_var_t:lnk_file create_lnk_perms;

allow dccifd_t dccifd_tmp_t:dir manage_dir_perms;
allow dccifd_t dccifd_tmp_t:file manage_file_perms;
files_tmp_filetrans(dccifd_t, dccifd_tmp_t, { file dir })

allow dccifd_t dccifd_var_run_t:file manage_file_perms;
allow dccifd_t dccifd_var_run_t:sock_file manage_file_perms;
allow dccifd_t dcc_var_t:dir rw_dir_perms;
type_transition dccifd_t dcc_var_t:{ file sock_file } dccifd_var_run_t;

allow dccifd_t dccifd_var_run_t:file manage_file_perms;
allow dccifd_t dccifd_var_run_t:dir rw_dir_perms;
files_pid_filetrans(dccifd_t,dccifd_var_run_t,file)

kernel_read_system_state(dccifd_t)
kernel_read_kernel_sysctls(dccifd_t)

corenet_non_ipsec_sendrecv(dccifd_t)
corenet_udp_sendrecv_generic_if(dccifd_t)
corenet_udp_sendrecv_all_nodes(dccifd_t)
corenet_udp_sendrecv_all_ports(dccifd_t)
corenet_udp_bind_all_nodes(dccifd_t)

dev_read_sysfs(dccifd_t)

domain_use_interactive_fds(dccifd_t)

files_read_etc_files(dccifd_t)
files_read_etc_runtime_files(dccifd_t)

fs_getattr_all_fs(dccifd_t)
fs_search_auto_mountpoints(dccifd_t)

term_dontaudit_use_console(dccifd_t)

init_use_fds(dccifd_t)
init_use_script_ptys(dccifd_t)

libs_use_ld_so(dccifd_t)
libs_use_shared_libs(dccifd_t)

logging_send_syslog_msg(dccifd_t)

miscfiles_read_localization(dccifd_t)

sysnet_read_config(dccifd_t)
sysnet_dns_name_resolve(dccifd_t)

userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
userdom_dontaudit_search_sysadm_home_dirs(dccifd_t)

ifdef(`targeted_policy',`
	term_dontaudit_use_unallocated_ttys(dccifd_t)
	term_dontaudit_use_generic_ptys(dccifd_t)
	files_dontaudit_read_root_files(dccifd_t)
')

optional_policy(`
	nscd_socket_use(dccifd_t)
')

optional_policy(`
	seutil_sigchld_newrole(dccifd_t)
')

optional_policy(`
	udev_read_db(dccifd_t)
')

########################################
#
# sendmail milter client local policy
#

dontaudit dccm_t self:capability sys_tty_config;
allow dccm_t self:process signal_perms;
allow dccm_t self:unix_stream_socket create_stream_socket_perms;
allow dccm_t self:unix_dgram_socket create_socket_perms;
allow dccm_t self:udp_socket create_socket_perms;

allow dccm_t dcc_client_map_t:file rw_file_perms;

allow dccm_t dcc_var_t:dir manage_dir_perms;
allow dccm_t dcc_var_t:{ file sock_file fifo_file } create_file_perms;
allow dccm_t dcc_var_t:lnk_file create_lnk_perms;

allow dccm_t dccm_tmp_t:dir manage_dir_perms;
allow dccm_t dccm_tmp_t:file manage_file_perms;
files_tmp_filetrans(dccm_t, dccm_tmp_t, { file dir })

allow dccm_t dccm_var_run_t:file manage_file_perms;
allow dccm_t dccm_var_run_t:sock_file manage_file_perms;
allow dccm_t dcc_var_run_t:dir rw_dir_perms;
type_transition dccm_t dcc_var_run_t:{ file sock_file } dccm_var_run_t;

allow dccm_t dccm_var_run_t:file manage_file_perms;
allow dccm_t dccm_var_run_t:dir rw_dir_perms;
files_pid_filetrans(dccm_t,dccm_var_run_t,file)

kernel_read_system_state(dccm_t)
kernel_read_kernel_sysctls(dccm_t)

corenet_non_ipsec_sendrecv(dccm_t)
corenet_udp_sendrecv_generic_if(dccm_t)
corenet_udp_sendrecv_all_nodes(dccm_t)
corenet_udp_sendrecv_all_ports(dccm_t)

dev_read_sysfs(dccm_t)

domain_use_interactive_fds(dccm_t)

files_read_etc_files(dccm_t)
files_read_etc_runtime_files(dccm_t)

fs_getattr_all_fs(dccm_t)
fs_search_auto_mountpoints(dccm_t)

term_dontaudit_use_console(dccm_t)

init_use_fds(dccm_t)
init_use_script_ptys(dccm_t)

libs_use_ld_so(dccm_t)
libs_use_shared_libs(dccm_t)

logging_send_syslog_msg(dccm_t)

miscfiles_read_localization(dccm_t)

sysnet_read_config(dccm_t)
sysnet_dns_name_resolve(dccm_t)

userdom_dontaudit_use_unpriv_user_fds(dccm_t)
userdom_dontaudit_search_sysadm_home_dirs(dccm_t)

ifdef(`targeted_policy',`
	term_dontaudit_use_unallocated_ttys(dccm_t)
	term_dontaudit_use_generic_ptys(dccm_t)
	files_dontaudit_read_root_files(dccm_t)
')

optional_policy(`
	nscd_socket_use(dccm_t)
')

optional_policy(`
	seutil_sigchld_newrole(dccm_t)
')

optional_policy(`
	udev_read_db(dccm_t)
')

ifdef(`strict_policy',`
HOME_DIR/\.razor(/.*)?		gen_context(system_u:object_r:ROLE_razor_home_t,s0)
')

/etc/razor(/.*)?		gen_context(system_u:object_r:razor_etc_t,s0)

/usr/bin/razor.*	--	gen_context(system_u:object_r:razor_exec_t,s0)

/var/lib/razor(/.*)?		gen_context(system_u:object_r:razor_var_lib_t,s0)
/var/log/razor-agent.log --	gen_context(system_u:object_r:razor_log_t,s0)

## <summary>A distributed, collaborative, spam detection and filtering network.</summary>
## <desc>
##	<p>
##	A distributed, collaborative, spam detection and filtering network.
##	</p>
##	<p>
##	This policy will work with either the ATrpms provided config
##	file in /etc/razor, or with the default of dumping everything into
##	$HOME/.razor.
##	</p>
## </desc>

#######################################
## <summary>
##	Template to create types and rules common to
##	all razor domains.
## </summary>
## <param name="prefix">
##	<summary>
##	The prefix of the domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
#
template(`razor_common_domain_template',`

	allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
	allow $1_t self:fd use;
	allow $1_t self:fifo_file rw_file_perms;
	allow $1_t self:unix_dgram_socket create_socket_perms;
	allow $1_t self:unix_stream_socket create_stream_socket_perms;
	allow $1_t self:unix_dgram_socket sendto;
	allow $1_t self:unix_stream_socket connectto;
	allow $1_t self:shm create_shm_perms;
	allow $1_t self:sem create_sem_perms;
	allow $1_t self:msgq create_msgq_perms;
	allow $1_t self:msg { send receive };
	allow $1_t self:tcp_socket create_socket_perms;

	# Read system config file
	allow $1_t razor_etc_t:dir list_dir_perms;
	allow $1_t razor_etc_t:file read_file_perms;
	allow $1_t razor_etc_t:lnk_file { getattr read };

	allow $1_t razor_log_t:dir manage_dir_perms;
	allow $1_t razor_log_t:file manage_file_perms;
	allow $1_t razor_log_t:lnk_file create_lnk_perms;
	logging_log_filetrans($1_t,razor_log_t,file)

	allow $1_t razor_var_lib_t:dir manage_dir_perms;
	allow $1_t razor_var_lib_t:file manage_file_perms;
	allow $1_t razor_var_lib_t:lnk_file create_lnk_perms;
	files_search_var_lib($1_t)

	# Razor is one executable and several symlinks
	allow $1_t razor_exec_t:{ file lnk_file } { getattr read };

	kernel_read_system_state($1_t)
	kernel_read_network_state($1_t)
	kernel_read_software_raid_state($1_t)
	kernel_getattr_core_if($1_t)
	kernel_getattr_message_if($1_t)
	kernel_read_kernel_sysctls($1_t)

	corecmd_exec_bin($1_t)

	corenet_tcp_sendrecv_generic_if($1_t)
	corenet_raw_sendrecv_generic_if($1_t)
	corenet_tcp_sendrecv_all_nodes($1_t)
	corenet_raw_sendrecv_all_nodes($1_t)
	corenet_tcp_sendrecv_razor_port($1_t)
	corenet_non_ipsec_sendrecv($1_t)
	corenet_tcp_bind_all_nodes($1_t)

	# mktemp and other randoms
	dev_read_rand($1_t)
	dev_read_urand($1_t)

	files_search_pids($1_t)
	# Allow access to various files in the /etc/directory including mtab
	# and nsswitch
	files_read_etc_files($1_t)
	files_read_etc_runtime_files($1_t)

	fs_search_auto_mountpoints($1_t)

	libs_use_ld_so($1_t)
	libs_use_shared_libs($1_t)
	libs_read_lib_files($1_t)

	miscfiles_read_localization($1_t)

	sysnet_read_config($1_t)
	sysnet_dns_name_resolve($1_t)

	userdom_use_unpriv_users_fds($1_t)

	optional_policy(`
		nis_use_ypbind($1_t)
	')
')

#######################################
## <summary>
##	The per user domain template for the razor module.
## </summary>
## <desc>
##	<p>
##	The per user domain template for the razor module.
##	</p>
##	<p>
##	This template is invoked automatically for each user, and
##	generally does not need to be invoked directly
##	by policy writers.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The type of the user domain.
##	</summary>
## </param>
## <param name="user_role">
##	<summary>
##	The role associated with the user domain.
##	</summary>
## </param>
#
template(`razor_per_userdomain_template',`

	type $1_razor_t;
	domain_type($1_razor_t)
	domain_entry_file($1_razor_t,razor_exec_t)
	razor_common_domain_template($1_razor)
	role $3 types $1_razor_t;

	type $1_razor_home_t alias $1_razor_rw_t;
	files_poly_member($1_razor_home_t)
	userdom_user_home_content($1,$1_razor_home_t)

	type $1_razor_tmp_t;
	files_tmp_file($1_razor_tmp_t)

	##############################
	#
	# Local policy
	#

	allow $1_razor_t self:unix_stream_socket create_stream_socket_perms;

	allow $1_razor_t $1_razor_home_t:dir manage_dir_perms;
	allow $1_razor_t $1_razor_home_t:file manage_file_perms;
	allow $1_razor_t $1_razor_home_t:lnk_file create_lnk_perms;
	userdom_user_home_dir_filetrans($1,$1_razor_t,$1_razor_home_t,dir)

	allow $1_razor_t $1_razor_tmp_t:dir create_dir_perms;
	allow $1_razor_t $1_razor_tmp_t:file create_file_perms;
	files_tmp_filetrans($1_razor_t, $1_razor_tmp_t, { file dir })

	domain_auto_trans($2, razor_exec_t, $1_razor_t)
	allow $1_razor_t $2:fd use;
	allow $1_razor_t $2:fifo_file rw_file_perms;
	allow $1_razor_t $2:process sigchld;	

	allow $2 $1_razor_home_t:dir manage_dir_perms;
	allow $2 $1_razor_home_t:file manage_file_perms;
	allow $2 $1_razor_home_t:lnk_file create_lnk_perms;
	allow $2 $1_razor_home_t:{ dir file lnk_file } { relabelfrom relabelto };

	logging_send_syslog_msg($1_razor_t)

	userdom_search_user_home_dirs($1,$1_razor_t)
	# Allow razor to be run by hand.  Needed by any action other than
	# invocation from a spam filter.
	userdom_use_user_terminals($1,$1_razor_t)

	tunable_policy(`use_nfs_home_dirs',`
		fs_manage_nfs_dirs($1_razor_t)
		fs_manage_nfs_files($1_razor_t)
		fs_manage_nfs_symlinks($1_razor_t)
	')

	tunable_policy(`use_samba_home_dirs',`
		fs_manage_cifs_dirs($1_razor_t)
		fs_manage_cifs_files($1_razor_t)
		fs_manage_cifs_symlinks($1_razor_t)
	')

	optional_policy(`
		nscd_socket_use($1_razor_t)
	')
')

########################################
## <summary>
##	Execute razor in the system razor domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`razor_domtrans',`
	gen_require(`
		type razor_t, razor_exec_t;
	')

	domain_auto_trans($1, razor_exec_t, razor_t)
	allow razor_t $1:fd use;
	allow razor_t $1:fifo_file rw_file_perms;
	allow razor_t $1:process sigchld;	
')

policy_module(razor,1.0.0)

########################################
#
# Declarations
#

type razor_t;
type razor_exec_t;
domain_type(razor_t)
domain_entry_file(razor_t,razor_exec_t)
razor_common_domain_template(razor)
role system_r types razor_t;

type razor_etc_t;
files_config_file(razor_etc_t)

type razor_log_t;
logging_log_file(razor_log_t)

type razor_var_lib_t;
files_type(razor_var_lib_t)

########################################
#
# Local policy
#

allow razor_t self:tcp_socket create_socket_perms;

allow razor_t razor_etc_t:dir create_dir_perms;
allow razor_t razor_etc_t:file create_file_perms;
allow razor_t razor_etc_t:lnk_file create_lnk_perms;
files_search_etc(razor_t)

allow razor_t razor_log_t:file create_file_perms;
logging_log_filetrans(razor_t,razor_log_t,file)

allow razor_t razor_var_lib_t:file create_file_perms;
allow razor_t razor_var_lib_t:dir rw_dir_perms;
files_var_lib_filetrans(razor_t,razor_var_lib_t,file)

corenet_non_ipsec_sendrecv(razor_t)
corenet_tcp_sendrecv_generic_if(razor_t)
corenet_raw_sendrecv_generic_if(razor_t)
corenet_tcp_sendrecv_all_nodes(razor_t)
corenet_raw_sendrecv_all_nodes(razor_t)
corenet_tcp_sendrecv_razor_port(razor_t)
corenet_tcp_bind_all_nodes(razor_t)
corenet_tcp_connect_razor_port(razor_t)

sysnet_read_config(razor_t)

optional_policy(`
	logging_send_syslog_msg(razor_t)
')

optional_policy(`
	nscd_socket_use(razor_t)
')
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
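The decision Paul is weighing on the postfix denials (are the types consistent enough that one dontaudit rule covers them?) can be made mechanically. The script below is an added example, not code from the thread or from the selinux-policy package; it does by hand the grouping that audit2allow's dontaudit mode (audit2allow -D) performs, run over the two AVC records quoted above plus one constructed directory-search record, marked as constructed in the script, so that the grouping has two keys to separate. The function names are this example's own.

```shell
#!/bin/sh
# avc2dontaudit.sh: collapse AVC denial records into candidate dontaudit rules.
# Added example for the thread above; not code from the mail or from the
# selinux-policy package. It does by hand the grouping that "audit2allow -D"
# performs, so you can see whether a run of denials shares one
# (source type, target type, class) key and can be silenced by one rule.

# Sample input: the two AVC records quoted in the thread (plus one AVC_PATH
# record, to show that non-AVC lines are ignored) and one CONSTRUCTED record,
# a directory search denial, so that the grouping has two keys to separate.
sample_avc() {
    cat <<'EOF'
type=AVC msg=audit(1150906621.693:641): avc:  denied  { read } for  pid=12784 comm="postfix" name=".fonts.cache-2" dev=hdc7 ino=427877 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC_PATH msg=audit(1150906621.693:641):  path="/root/.rh-fontconfig/.fonts.cache-2"
type=AVC msg=audit(1150906621.829:642): avc:  denied  { read } for  pid=12796 comm="postfix" name=".fonts.cache-2" dev=hdc7 ino=427877 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1150906621.900:643): avc:  denied  { search } for  pid=12796 comm="postfix" name=".rh-fontconfig" dev=hdc7 ino=427870 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
EOF
}

# avc_summarize: one line per distinct (source type, target type, class),
# in first-seen order, followed by the union of the denied permissions:
#   postfix_master_t user_home_t file read
avc_summarize() {
    awk '
    /avc: +denied/ {
        # the permission set sits between "{ " and " }"
        match($0, /\{[^}]*\}/)
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
        stype = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            # contexts are user:role:type:level; field 3 is the type
            if ($i ~ /^scontext=/)      { split($i, a, ":"); stype = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); ttype = a[3] }
            else if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        key = stype " " ttype " " tclass
        if (!(key in seen)) { seen[key] = ""; keys[++count] = key }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (index(" " seen[key] " ", " " p[j] " ") == 0)
                seen[key] = seen[key] " " p[j]
    }
    END {
        for (k = 1; k <= count; k++) {
            key = keys[k]
            sub(/^ /, "", seen[key])
            print key " " seen[key]
        }
    }'
}

# avc_to_dontaudit: turn each summary line into a reference-policy rule.
# A dontaudit rule only stops the logging; it grants nothing.
avc_to_dontaudit() {
    avc_summarize | awk '{
        perms = $4
        for (i = 5; i <= NF; i++) perms = perms " " $i
        if (NF > 4) perms = "{ " perms " }"
        printf "dontaudit %s %s:%s %s;\n", $1, $2, $3, perms
    }'
}

# Run over the sample. On a live host the input would come from
#   ausearch -m avc -ts recent
sample_avc | avc_summarize
sample_avc | avc_to_dontaudit
```

The two records quoted in the thread collapse to one key, so a single `dontaudit postfix_master_t user_home_t:file read;` covers them; the constructed search denial produces a second key and a second rule. Paul's remark about the earlier man-page denials is the case where the summary shows several keys and one rule does not cover them. Either way a dontaudit rule is only the right fix once you have confirmed, as Paul asks, that nothing actually broke; the rule goes into a local .te and is built and loaded the same way as the myclamscan/mydcc/mypyzor modules listed at the top of the thread.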
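Paul's procedure for the attached modules (load them, switch to permissive mode, restorecon the dcc and razor files, watch for denials) as a script. This is an added example, not from the thread or from the selinux-policy package. Instead of typing the directories by hand it derives them from the .fc files, so nothing the file contexts cover is missed. It assumes the attachments are saved as dcc.te/dcc.if/dcc.fc and razor.te/razor.if/razor.fc in the current directory and that the selinux-policy-devel Makefile lives at /usr/share/selinux/devel/Makefile; both are assumptions about the host, and the function names are this example's own. The embedded sample is the attached razor.fc in full and an abridged dcc.fc.

```shell
#!/bin/sh
# Added example: load the attached dcc/razor modules and relabel exactly the
# paths their file-context specs cover. Not code from the thread or from the
# selinux-policy package.

# Sample input: the attached razor.fc in full, plus a few dcc.fc lines chosen
# so that nested entries (/etc/dcc and /etc/dcc/map) are present.
sample_fc() {
    cat <<'EOF'
ifdef(`strict_policy',`
HOME_DIR/\.razor(/.*)?		gen_context(system_u:object_r:ROLE_razor_home_t,s0)
')

/etc/razor(/.*)?		gen_context(system_u:object_r:razor_etc_t,s0)

/usr/bin/razor.*	--	gen_context(system_u:object_r:razor_exec_t,s0)

/var/lib/razor(/.*)?		gen_context(system_u:object_r:razor_var_lib_t,s0)
/var/log/razor-agent.log --	gen_context(system_u:object_r:razor_log_t,s0)
/etc/dcc(/.*)?				gen_context(system_u:object_r:dcc_var_t,s0)
/etc/dcc/dccifd			-s	gen_context(system_u:object_r:dccifd_var_run_t,s0)
/etc/dcc/map			--	gen_context(system_u:object_r:dcc_client_map_t,s0)
/usr/bin/cdcc			--	gen_context(system_u:object_r:cdcc_exec_t,s0)
/var/run/dcc(/.*)?			gen_context(system_u:object_r:dcc_var_run_t,s0)
/var/run/dcc/map		--	gen_context(system_u:object_r:dcc_client_map_t,s0)
EOF
}

# fc_roots: read .fc lines on stdin, print the top-level paths to hand to
# "restorecon -R", one per line.
#   "/etc/dcc(/.*)?"   -> "/etc/dcc"
#   "/usr/bin/razor.*" -> "/usr/bin/razor*"   (shell glob; expand it unquoted)
# Lines whose first field is not an absolute path are skipped: blanks,
# comments, the m4 ifdef()/') wrapper and the HOME_DIR entry, which the
# policy build expands per user and which is not a literal path (under the
# targeted policy that strict_policy block is inactive anyway).
# Entries underneath an already listed directory are dropped, since the
# recursive restorecon of the parent covers them.
fc_roots() {
    awk '
    $1 !~ /^\// { next }
    {
        p = $1
        sub(/\(\/\.\*\)\?$/, "", p)
        gsub(/\.\*/, "*", p)
        print p
    }' | LC_ALL=C sort -u | awk '
    {
        for (i = 1; i <= n; i++) if (index($0, kept[i] "/") == 1) next
        kept[++n] = $0
        print
    }'
}

# load_and_relabel NAME: build NAME.pp from NAME.te/.if/.fc, load it, then
# relabel the paths NAME.fc covers. restorecon takes its file contexts from
# the policy that is loaded, so the relabel must come after semodule -i.
# Add -n to restorecon to preview what would change without touching it.
load_and_relabel() {
    name=$1
    make -f /usr/share/selinux/devel/Makefile "$name.pp" || return 1
    semodule -i "$name.pp" || return 1
    fc_roots < "$name.fc" | while read -r root; do
        restorecon -Rv $root    # unquoted so "/usr/bin/razor*" expands
    done
}

# Paul's sequence, left as comments so this file can be sourced safely:
#   setenforce 0
#   load_and_relabel dcc && load_and_relabel razor
#   semodule -l                      # confirm both modules are listed
#   ausearch -m avc -ts recent       # what enforcing mode would have denied

sample_fc | fc_roots
```

Run against the sample, fc_roots prints /etc/dcc, /etc/razor, /usr/bin/cdcc, /usr/bin/razor*, /var/lib/razor, /var/log/razor-agent.log and /var/run/dcc; the /etc/dcc/map and /var/run/dcc/map entries are covered by their parents and the HOME_DIR line is left to the policy build. Keep the box in permissive mode only as long as it takes to collect the denials, and return to enforcing with setenforce 1 once the new modules are quiet.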
