This patch against the refpolicy git tree contains a bunch of trivial changes related to mail servers. I think it's ready for merging. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/
Index: refpolicy-2.20200209/policy/modules/services/mailman.fc
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/mailman.fc
+++ refpolicy-2.20200209/policy/modules/services/mailman.fc
@@ -23,6 +23,7 @@
 /usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 /usr/lib/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 /usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/etc/mailman/postfix-to-mailman.py -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 /usr/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
Index: refpolicy-2.20200209/policy/modules/services/mailman.if
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/mailman.if
+++ refpolicy-2.20200209/policy/modules/services/mailman.if
@@ -319,6 +319,7 @@ interface(`mailman_read_archive',`
 files_search_var_lib($1)
 allow $1 mailman_archive_t:dir list_dir_perms;
 read_files_pattern($1, mailman_archive_t, mailman_archive_t)
+ allow $1 mailman_archive_t:file map;
 read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t)
 ')
Index: refpolicy-2.20200209/policy/modules/services/mailman.te
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/mailman.te
+++ refpolicy-2.20200209/policy/modules/services/mailman.te
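Review bot: The new `/etc/mailman/postfix-to-mailman.py` entry in mailman.fc is placed among the `/usr/lib/mailman/...` entries, while refpolicy .fc files are kept sorted by path, so it belongs with the other `/etc` entries nearer the top of the file. The `--` qualifier correctly limits the match to a regular file, but because it labels a script under the configuration tree as an entrypoint, the commit message should say which MTA transport executes it so that the transition into mailman_mail_t can be checked against the mta/postfix policy; neither is visible in this patch.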
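Review bot: `allow $1 mailman_archive_t:file map;` is added as a raw allow next to `read_files_pattern`; if this tree's misc_patterns.spt defines `mmap_read_files_pattern`, replacing the read line with `mmap_read_files_pattern($1, mailman_archive_t, mailman_archive_t)` keeps the interface in pattern style. The same raw allow appears in the three mta.if hunks (`mta_manage_mail_home_rw_content`, `mta_read_spool_files`, `mta_manage_spool`). Since `map` was split out as its own permission precisely so that policy can withhold mmap from otherwise readable or writable files, adding it to these shared interfaces grants it to every existing caller rather than to the one domain that hit the denial, and in the two manage interfaces it combines with write to allow writable shared mappings of spool and home mail content. A sentence in the commit message naming the domain and denial behind each addition, or a narrower interface for the single caller if only one needs it, would make the widening reviewable.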
@@ -182,6 +182,7 @@ corecmd_exec_bin(mailman_mail_t)
 files_search_locks(mailman_mail_t)
 fs_rw_anon_inodefs_files(mailman_mail_t)
+fs_search_tmpfs(mailman_mail_t)
 # this is far from ideal, but systemd reduces the importance of initrc_t
 init_signal_script(mailman_mail_t)
Index: refpolicy-2.20200209/policy/modules/services/mta.if
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/mta.if
+++ refpolicy-2.20200209/policy/modules/services/mta.if
@@ -251,6 +251,7 @@ interface(`mta_manage_mail_home_rw_conte
 userdom_search_user_home_dirs($1)
 manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
 manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+ allow $1 mail_home_rw_t:file map;
 manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
 ')
@@ -867,6 +868,7 @@ interface(`mta_read_spool_files',`
 files_search_spool($1)
 read_files_pattern($1, mail_spool_t, mail_spool_t)
+ allow $1 mail_spool_t:file map;
 ')
 ########################################
@@ -949,6 +951,7 @@ interface(`mta_manage_spool',`
 files_search_spool($1)
 manage_dirs_pattern($1, mail_spool_t, mail_spool_t)
 manage_files_pattern($1, mail_spool_t, mail_spool_t)
+ allow $1 mail_spool_t:file map;
 manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
 ')
Index: refpolicy-2.20200209/policy/modules/services/spamassassin.if
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/spamassassin.if
+++ refpolicy-2.20200209/policy/modules/services/spamassassin.if
@@ -433,3 +433,22 @@ interface(`spamassassin_admin',`
 # sa-update
 spamassassin_run_update($1, $2)
 ')
+
+########################################
+## <summary>
+## Get SA service status
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`spamassassin_service_reload',`
+ gen_require(`
+ type spamassassin_unit_t;
+ ')
+
+ allow $1 spamassassin_unit_t:service { status reload };
+')
Index: refpolicy-2.20200209/policy/modules/services/spamassassin.te
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/spamassassin.te
+++ refpolicy-2.20200209/policy/modules/services/spamassassin.te
@@ -22,6 +22,7 @@ gen_tunable(spamassassin_can_network, fa
 gen_tunable(spamd_enable_home_dirs, false)
 type spamd_update_t;
+typealias spamd_update_t alias { spamd_gpg_t };
 type spamd_update_exec_t;
 init_system_domain(spamd_update_t, spamd_update_exec_t)
@@ -62,9 +63,6 @@ files_type(spamd_compiled_t)
 type spamd_etc_t;
 files_config_file(spamd_etc_t)
-type spamd_gpg_t;
-domain_type(spamd_gpg_t)
-
 type spamd_home_t;
 userdom_user_home_content(spamd_home_t)
@@ -351,6 +349,7 @@ corenet_udp_bind_imaze_port(spamd_t)
 corenet_dontaudit_udp_bind_all_ports(spamd_t)
+corecmd_exec_shell(spamd_t)
 corecmd_exec_bin(spamd_t)
 dev_read_sysfs(spamd_t)
@@ -358,6 +357,7 @@ dev_read_urand(spamd_t)
 domain_use_interactive_fds(spamd_t)
+files_map_etc_files(spamd_t)
 files_read_usr_files(spamd_t)
 files_read_etc_runtime_files(spamd_t)
@@ -372,6 +372,7 @@ libs_use_shared_libs(spamd_t)
 logging_send_syslog_msg(spamd_t)
+miscfiles_read_generic_certs(spamd_t)
 miscfiles_read_localization(spamd_t)
 sysnet_use_ldap(spamd_t)
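Review bot: The XML summary of the new `spamassassin_service_reload` interface says `Get SA service status`, but the interface name and the rule `allow $1 spamassassin_unit_t:service { status reload };` grant reload as well, so the summary should read `Get status of and reload the SA service`; the generated interface documentation is built from it. The interface also assumes `spamassassin_unit_t` is declared as a unit file type in spamassassin.te; that declaration is not part of this patch, so confirm it exists or the gen_require will fail at build time. No caller of the new interface is added here, which is fine for an interface but worth a mention in the commit message.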
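Review bot: `typealias spamd_update_t alias { spamd_gpg_t };`, together with the removal of `type spamd_gpg_t` in hunk @@ -62 and of the whole spamd_gpg_t rule block in favour of `gpg_exec(spamd_update_t)` in hunk @@ -523, merges the gpg helper back into the sa-update domain, so gpg now runs with spamd_update_t's full permission set (including manage of spamd_var_lib_t) and spamd_update_t absorbs whatever gpg needs. That is a deliberate reduction in domain separation rather than a trivial fix, and the commit message should state the reason; a comment such as `# gpg runs in spamd_update_t; spamd_gpg_t is kept as an alias for existing policies` above the typealias would record it in the policy itself. Keeping the alias so third-party policy referencing spamd_gpg_t still builds is the right call. The removed block granted `files_search_pids`, `files_search_tmp`, `init_use_fds` and `init_rw_inherited_stream_socket` to the gpg domain; whether spamd_update_t already has equivalents is not visible in this patch, so an sa-update run with signature verification should be checked for new denials.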
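Review bot: `corecmd_exec_shell(spamd_t)` lets the network-facing spamd domain run a shell, which is a notable widening for a daemon that parses untrusted mail, and the hunk does not say what triggers it. If a specific plugin or helper spawns the shell, a comment naming it, e.g. `# needed by <PLUGIN-NAME-TO-CONFIRM> which spawns a shell`, or gating the call behind a tunable would keep the default policy tighter. The new line should also go after `corecmd_exec_bin(spamd_t)` to keep the interface calls in sorted order.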
@@ -487,6 +488,8 @@ manage_dirs_pattern(spamd_update_t, spam
 manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
 manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
+kernel_read_crypto_sysctls(spamd_update_t)
+kernel_search_fs_sysctls(spamd_update_t)
 kernel_read_system_state(spamd_update_t)
 corecmd_exec_bin(spamd_update_t)
@@ -512,6 +515,7 @@ fs_getattr_xattr_fs(spamd_update_t)
 auth_use_nsswitch(spamd_update_t)
 auth_dontaudit_read_shadow(spamd_update_t)
+miscfiles_read_generic_certs(spamd_update_t)
 miscfiles_read_localization(spamd_update_t)
 userdom_use_inherited_user_terminals(spamd_update_t)
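Review bot: `kernel_read_crypto_sysctls(spamd_update_t)` drops the `# fips` comment that accompanied the same call in the removed spamd_gpg_t block (hunk @@ -523), so the reason for reading crypto sysctls is no longer recorded; restore it as `# fips (gpg is now executed in this domain)` above the new line. `kernel_search_fs_sysctls` was not in the old gpg block, so a word in the commit message on which denial it addresses would help. Sorted order would also place `kernel_search_fs_sysctls` after `kernel_read_system_state` rather than before it.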
@@ -523,35 +527,5 @@ optional_policy(`
 ')
 optional_policy(`
- gpg_spec_domtrans(spamd_update_t, spamd_gpg_t)
- gpg_entry_type(spamd_gpg_t)
- role system_r types spamd_gpg_t;
-
- allow spamd_gpg_t self:capability { dac_override dac_read_search };
- allow spamd_gpg_t self:unix_stream_socket { connect create };
-
- allow spamd_gpg_t spamd_update_t:fd use;
- allow spamd_gpg_t spamd_update_t:process sigchld;
- allow spamd_gpg_t spamd_update_t:fifo_file { getattr write };
- allow spamd_gpg_t spamd_var_lib_t:dir rw_dir_perms;
- allow spamd_gpg_t spamd_var_lib_t:file manage_file_perms;
- allow spamd_gpg_t spamd_update_tmp_t:file read_file_perms;
-
- # fips
- kernel_read_crypto_sysctls(spamd_gpg_t)
-
- domain_use_interactive_fds(spamd_gpg_t)
-
- files_read_etc_files(spamd_gpg_t)
- files_read_usr_files(spamd_gpg_t)
- files_search_var_lib(spamd_gpg_t)
- files_search_pids(spamd_gpg_t)
- files_search_tmp(spamd_gpg_t)
-
- init_use_fds(spamd_gpg_t)
- init_rw_inherited_stream_socket(spamd_gpg_t)
-
- miscfiles_read_localization(spamd_gpg_t)
-
- userdom_use_inherited_user_terminals(spamd_gpg_t)
+ gpg_exec(spamd_update_t)
 ')
Index: refpolicy-2.20200209/policy/modules/services/clamav.te
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/clamav.te
+++ refpolicy-2.20200209/policy/modules/services/clamav.te
@@ -146,6 +146,7 @@ auth_use_nsswitch(clamd_t)
 logging_send_syslog_msg(clamd_t)
+miscfiles_read_generic_certs(clamd_t)
 miscfiles_read_localization(clamd_t)
 tunable_policy(`clamd_use_jit',`
@@ -235,6 +236,7 @@ auth_use_nsswitch(freshclam_t)
 logging_send_syslog_msg(freshclam_t)
+miscfiles_read_generic_certs(freshclam_t)
 miscfiles_read_localization(freshclam_t)
 tunable_policy(`clamd_use_jit',`
Index: refpolicy-2.20200209/policy/modules/services/dkim.te
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/dkim.te
+++ refpolicy-2.20200209/policy/modules/services/dkim.te
@@ -44,6 +44,8 @@ files_pid_filetrans(dkim_milter_t, dkim_
 files_read_usr_files(dkim_milter_t)
 files_search_spool(dkim_milter_t)
+miscfiles_read_generic_certs(dkim_milter_t)
+
 optional_policy(`
 mta_read_config(dkim_milter_t)
 ')
Index: refpolicy-2.20200209/policy/modules/services/dovecot.te
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/dovecot.te
+++ refpolicy-2.20200209/policy/modules/services/dovecot.te
@@ -173,6 +173,7 @@ files_read_usr_files(dovecot_t)
 fs_getattr_all_fs(dovecot_t)
 fs_getattr_all_dirs(dovecot_t)
+fs_read_tmpfs_symlinks(dovecot_t)
 fs_search_auto_mountpoints(dovecot_t)
 fs_list_inotifyfs(dovecot_t)
@@ -269,7 +270,12 @@ selinux_get_fs_mount(dovecot_auth_t)
 auth_domtrans_chk_passwd(dovecot_auth_t)
 auth_use_nsswitch(dovecot_auth_t)
+fs_search_tmpfs(dovecot_auth_t)
+fs_read_tmpfs_symlinks(dovecot_auth_t)
+
 init_rw_utmp(dovecot_auth_t)
+init_rw_inherited_stream_socket(dovecot_auth_t)
+init_use_fds(dovecot_auth_t)
 logging_send_audit_msgs(dovecot_auth_t)
Index: refpolicy-2.20200209/policy/modules/services/postfix.te
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/postfix.te
+++ refpolicy-2.20200209/policy/modules/services/postfix.te
@@ -336,6 +336,7 @@ optional_policy(`
 ')
 optional_policy(`
+ mysql_read_config(postfix_master_t)
 mysql_stream_connect(postfix_master_t)
 ')
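Review bot: In the dovecot_auth_t hunk (@@ -269) the new `init_rw_inherited_stream_socket(dovecot_auth_t)` and `init_use_fds(dovecot_auth_t)` are both placed after `init_rw_utmp`, but sorted order puts `init_rw_inherited_stream_socket` before `init_rw_utmp` and only `init_use_fds` after it. These two, plus the tmpfs search/symlink rules above them, presumably come from the auth process inheriting descriptors from init; the denials are not visible here, so a line in the commit message describing the setup that produced them would help the next reader.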
@@ -427,6 +428,10 @@ optional_policy(`
 ')
 optional_policy(`
+ mysql_read_config(postfix_cleanup_t)
+')
+
+optional_policy(`
 dbus_send_system_bus(postfix_cleanup_t)
 dbus_system_bus_client(postfix_cleanup_t)
 init_dbus_chat(postfix_cleanup_t)
@@ -648,6 +653,7 @@ mta_rw_user_mail_stream_sockets(postfix_
 optional_policy(`
 apache_dontaudit_rw_fifo_file(postfix_postdrop_t)
+ apache_use_fds(postfix_postdrop_t)
 ')
 optional_policy(`
@@ -826,6 +832,10 @@ optional_policy(`
 ')
 optional_policy(`
+ mysql_read_config(postfix_smtpd_t)
+')
+
+optional_policy(`
 postgrey_stream_connect(postfix_smtpd_t)
 ')
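Review bot: The new optional_policy block containing `mysql_read_config(postfix_cleanup_t)` in hunk @@ -427 is inserted ahead of the dbus block, whereas refpolicy keeps optional_policy blocks in alphabetical module order, so it should follow the dbus block (and any other block sorting before `m`). The smtpd block added in hunk @@ -826 sits before postgrey, which is the right position. If postfix_cleanup_t already has a mysql optional_policy block elsewhere in postfix.te, the call belongs in that block rather than a new one; not enough of the file is visible here to tell.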