milter policy hardening

Here I have a couple of changes to the milter policy that reduce what milters (well, spamass-milter in particular) are able to do.

Firstly, I noticed a while back that I was getting AVCs from milter-regex and milter-greylist trying to read /proc/cpuinfo at program start-up. I couldn't figure out what was causing that to happen (probably part of some system call or maybe in libmilter) but this access being denied didn't seem to cause any problems. I also saw that the spamass-milter policy allowed this access. A few weeks ago I updated my local policy to dontaudit this instead of allowing it and don't appear to be suffering any problems as a result, so I propose to dontaudit it in the milter template.

Secondly, the fix for CVE-2010-1132 in spamass-milter was just pushed to stable for all supported Fedora and EPEL releases. This was unsanitized input being passed in an argument to popen() and hence a shell. Upstream proposed a patch for this several weeks ago that replaced the popen() call with execve() via a wrapper called popenv(), which avoids the use of a shell for this functionality. This fix hasn't been committed to upstream CVS yet but I have tested it extensively myself and this fix has been incorporated into the Fedora and Debian spamass-milter packages. So for Fedora and Debian, the following policy rules are no longer needed:

corecmd_exec_shell(spamass_milter_t)
corecmd_search_bin(spamass_milter_t)

These changes are all included in the attached patch against Rawhide policy.

Paul.

diff -up serefpolicy-3.7.15/policy/modules/services/milter.fc.orig serefpolicy-3.7.15/policy/modules/services/milter.fc
diff -up serefpolicy-3.7.15/policy/modules/services/milter.if.orig serefpolicy-3.7.15/policy/modules/services/milter.if
--- serefpolicy-3.7.15/policy/modules/services/milter.if.orig	2010-03-18 14:36:14.000000000 +0000
+++ serefpolicy-3.7.15/policy/modules/services/milter.if	2010-04-09 12:57:16.620833633 +0100
@@ -37,6 +37,8 @@ template(`milter_template',`
 
 	files_read_etc_files($1_milter_t)
 
+	kernel_dontaudit_read_system_state($1_milter_t)
+
 	miscfiles_read_localization($1_milter_t)
 
 	logging_send_syslog_msg($1_milter_t)
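Review bot: the added kernel_dontaudit_read_system_state($1_milter_t) line carries no comment, although the cover note explains it exists to silence the unexplained /proc/cpuinfo reads that milter-regex and milter-greylist perform at start-up and that denying them caused no problems; put that rationale in a `#` comment beside the call, as milter.te already does for its rules, because a dontaudit in the shared template suppresses every future denial on /proc system state for all milters and the next reader otherwise cannot tell what is being hidden or why it was judged harmless.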
diff -up serefpolicy-3.7.15/policy/modules/services/milter.te.orig serefpolicy-3.7.15/policy/modules/services/milter.te
--- serefpolicy-3.7.15/policy/modules/services/milter.te.orig	2010-03-18 14:36:14.000000000 +0000
+++ serefpolicy-3.7.15/policy/modules/services/milter.te	2010-04-09 12:59:44.613983720 +0100
@@ -81,13 +81,11 @@ mta_read_config(regex_milter_t)
 allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
 files_search_var_lib(spamass_milter_t)
 
-kernel_read_system_state(spamass_milter_t)
-
 # When used with -b or -B options, the milter invokes sendmail to send mail
-# to a spamtrap address, using popen()
-corecmd_exec_shell(spamass_milter_t)
+# to a spamtrap address, and with the -x option, it invokes sendmail to do
+# alias expansion. Since the sendmail binary is managed using alternatives,
+# it's a symlink that we need to be able to read.
 corecmd_read_bin_symlinks(spamass_milter_t)
-corecmd_search_bin(spamass_milter_t)
 
 mta_send_mail(spamass_milter_t)
 
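Review bot: removing corecmd_exec_shell(spamass_milter_t) and corecmd_search_bin(spamass_milter_t) ties this policy to a spamass-milter build that carries the popenv() fix for CVE-2010-1132, but the rewritten comment drops the only mention of popen() and says nothing about that dependency; an older build that still reaches sendmail through a shell will now fail the -b/-B spamtrap path with an AVC instead of a clear error, so name the fixed build and the CVE in the comment (e.g. `# spamass-milter execs sendmail directly since the CVE-2010-1132 fix, so no shell access is granted`) and check that the package's Requires/Conflicts enforce that minimum version. Dropping kernel_read_system_state(spamass_milter_t) is consistent with the template now dontauditing that access.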
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
