Re: [PATCH] mailman 3


 



Russell Coker <russell@xxxxxxxxxxxx> writes:

> Patches needed for mailman3.
>
> Signed-off-by: Russell Coker <russell@xxxxxxxxxxxx>
>
> Index: refpolicy-2.20210203/policy/modules/services/mailman.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/mailman.if
> +++ refpolicy-2.20210203/policy/modules/services/mailman.if
> @@ -109,6 +109,64 @@ interface(`mailman_domtrans_cgi',`
>  
>  #######################################
>  ## <summary>
> +##	Talk to mailman_cgi_t via Unix domain socket
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain talking to mailman
> +##	</summary>
> +## </param>
> +#
> +interface(`mailman_connect_cgi',`

probably: mailman_stream_connect_cgi

> +	gen_require(`
> +		type mailman_cgi_t, mailman_runtime_t;
> +	')
> +
> +	allow $1 mailman_runtime_t:dir search;
> +	allow $1 mailman_runtime_t:sock_file write;
> +	allow $1 mailman_cgi_t:unix_stream_socket connectto;

files_search_runtime($1)
stream_connect_pattern($1, mailman_runtime_t, mailman_runtime_t, mailman_cgi_t)

> +')
> +
> +#######################################
> +## <summary>
> +##	Manage mailman runtime files
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to manage the files
> +##	</summary>
> +## </param>
> +#
> +interface(`mailman_manage_runtime',`

probably mailman_manage_runtime_files

> +	gen_require(`
> +		type mailman_runtime_t;
> +	')
> +
> +	allow $1 mailman_runtime_t:dir rw_dir_perms;
> +	allow $1 mailman_runtime_t:file manage_file_perms;

files_search_runtime($1)
manage_files_pattern($1, mailman_runtime_t, mailman_runtime_t)

> +')
> +
> +#######################################
> +## <summary>
> +##	read mailman runtime files
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to read the files
> +##	</summary>
> +## </param>
> +#
> +interface(`mailman_read_runtime',`

probably mailman_read_runtime_files

> +	gen_require(`
> +		type mailman_runtime_t;
> +	')
> +
> +	allow $1 mailman_runtime_t:dir search_dir_perms;
> +	allow $1 mailman_runtime_t:file read_file_perms;

files_search_runtime($1)
read_files_pattern($1, mailman_runtime_t, mailman_runtime_t)

> +')
> +
> +#######################################
> +## <summary>
>  ##	Execute mailman in the caller domain.
>  ## </summary>
>  ## <param name="domain">
> @@ -181,6 +239,7 @@ interface(`mailman_read_data_files',`
>  	files_search_spool($1)
>  	list_dirs_pattern($1, mailman_data_t, mailman_data_t)
>  	read_files_pattern($1, mailman_data_t, mailman_data_t)
> +	allow $1 mailman_data_t:file map;
maybe a separate mailman_map_data_files
>  	read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
>  ')
>  
> @@ -342,3 +401,21 @@ interface(`mailman_domtrans_queue',`
>  	libs_search_lib($1)
>  	domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
>  ')
> +
> +#######################################
> +## <summary>
> +##	Manage mailman lock dir
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to manage it.
> +##	</summary>
> +## </param>
> +#
> +interface(`mailman_manage_lockdir',`
> +	gen_require(`
> +		type mailman_lock_t;
> +	')
> +
> +	allow $1 mailman_lock_t:dir manage_dir_perms;
> +')
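Review bot: `mailman_manage_lockdir` grants manage_dir_perms on mailman_lock_t but nothing in the interface lets the caller search the directory the lock dir lives in, so a caller without its own access to the locks location would still be denied. The other interfaces in this file pair the type access with a search of the parent (`files_search_spool($1)` in mailman_read_data_files, and the earlier review comments ask for `files_search_runtime($1)` in the new runtime interfaces), so `files_search_locks($1)` before the allow rule would keep this one self-contained. systemd_tmpfiles_t, the only caller added by this patch, very likely has that search already, so this is a completeness rather than a functional issue.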
> Index: refpolicy-2.20210203/policy/modules/services/mailman.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/mailman.te
> +++ refpolicy-2.20210203/policy/modules/services/mailman.te
> @@ -26,6 +26,9 @@ files_lock_file(mailman_lock_t)
>  type mailman_runtime_t alias mailman_var_run_t;
>  files_runtime_file(mailman_runtime_t)
>  
> +type mailman_cgi_tmpfs_t;
> +files_tmpfs_file(mailman_cgi_tmpfs_t)
> +
>  mailman_domain_template(mail)
>  init_daemon_domain(mailman_mail_t, mailman_mail_exec_t)
>  role mailman_roles types mailman_mail_t;
> @@ -89,13 +92,16 @@ miscfiles_read_localization(mailman_doma
>  # CGI local policy
>  #
>  
> -allow mailman_cgi_t self:unix_dgram_socket { create connect };
> +allow mailman_cgi_t self:process { signal signull sigkill };
> +allow mailman_cgi_t self:fifo_file rw_file_perms;
rw_fifo_file_perms
> +allow mailman_cgi_t self:capability { dac_override setgid setuid };
> +allow mailman_cgi_t self:unix_dgram_socket create_socket_perms;
>  
>  allow mailman_cgi_t mailman_archive_t:dir search_dir_perms;
>  allow mailman_cgi_t mailman_archive_t:file read_file_perms;
>  
>  allow mailman_cgi_t mailman_data_t:dir rw_dir_perms;
> -allow mailman_cgi_t mailman_data_t:file manage_file_perms;
> +allow mailman_cgi_t mailman_data_t:file { map manage_file_perms };
>  allow mailman_cgi_t mailman_data_t:lnk_file read_lnk_file_perms;
>  
>  allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms;
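Review bot: `allow mailman_cgi_t self:capability { dac_override setgid setuid };` gives the domain that httpd transitions into a capability that bypasses every file permission check, and the queue hunk later in this patch adds dac_override to mailman_queue_t as well. Grants like this usually trace back to a single denial that can be resolved by fixing the ownership or group of the file involved, or by the narrower dac_read_search when only reads fail. A one-line comment above the rule naming the path that needs it, e.g. `# dac_override: <path that fails without it> — TODO confirm`, would let the next reviewer check whether it is still required.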
> @@ -104,25 +110,40 @@ allow mailman_cgi_t mailman_lock_t:file
>  allow mailman_cgi_t mailman_log_t:file { append_file_perms read_file_perms };
>  allow mailman_cgi_t mailman_log_t:dir search_dir_perms;
>  
> +allow mailman_cgi_t mailman_runtime_t:dir rw_dir_perms;
> +allow mailman_cgi_t mailman_runtime_t:file read_file_perms;
> +allow mailman_cgi_t mailman_runtime_t:sock_file manage_file_perms;
> +
> +fs_tmpfs_filetrans(mailman_cgi_t, mailman_cgi_tmpfs_t, file)
> +allow mailman_cgi_t mailman_cgi_tmpfs_t:file { map manage_file_perms };
> +
>  kernel_read_crypto_sysctls(mailman_cgi_t)
> +kernel_read_net_sysctls(mailman_cgi_t)
>  kernel_read_system_state(mailman_cgi_t)
> +kernel_search_vm_sysctl(mailman_cgi_t)
>  
> +corecmd_bin_entry_type(mailman_cgi_t)
why is this needed?

>  corecmd_exec_bin(mailman_cgi_t)
>  
> +corenet_tcp_bind_generic_node(mailman_cgi_t)
> +corenet_tcp_connect_all_unreserved_ports(mailman_cgi_t)
> +
>  dev_read_urand(mailman_cgi_t)
>  
>  files_search_locks(mailman_cgi_t)
>  files_read_usr_files(mailman_cgi_t)
>  
> +init_daemon_domain(mailman_cgi_t, mailman_cgi_exec_t)
style issue, needs to go up

> +
>  term_use_controlling_term(mailman_cgi_t)
>  
>  libs_dontaudit_write_lib_dirs(mailman_cgi_t)
>  
>  logging_search_logs(mailman_cgi_t)
>  
> +miscfiles_read_generic_certs(mailman_cgi_t)
>  miscfiles_read_localization(mailman_cgi_t)
>  
> -
>  optional_policy(`
>  	apache_sigchld(mailman_cgi_t)
>  	apache_use_fds(mailman_cgi_t)
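Review bot: `corenet_tcp_connect_all_unreserved_ports(mailman_cgi_t)` lets the web-reachable CGI domain open a TCP connection to any port above 1023, and `corenet_tcp_bind_all_unreserved_ports(mailman_mail_t)` in the mail hunk has the same breadth on the bind side. This patch already uses a port-specific interface for the mail domain (`corenet_tcp_connect_http_port`), so if the CGI code talks to one known service the corresponding port-specific corenet interface, or a new port type in corenetwork if none exists, would limit the rule to what is used. `corenet_tcp_bind_generic_node` on its own also names no port type, so if mailman_cgi_t really listens the port it binds should be declared next to it. The CGI local policy block continues past this hunk.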
> @@ -133,6 +154,15 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	cron_rw_inherited_tmp_files(mailman_cgi_t)
> +	cron_system_entry(mailman_cgi_t, mailman_cgi_exec_t)
> +')
> +
> +optional_policy(`
> +	mysql_stream_connect(mailman_cgi_t)
> +')
> +
> +optional_policy(`
>  	postfix_read_config(mailman_cgi_t)
>  ')
>  
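Review bot: `cron_system_entry(mailman_cgi_t, mailman_cgi_exec_t)` makes mailman_cgi_t an entry domain for system cron jobs, and together with `init_daemon_domain(mailman_cgi_t, mailman_cgi_exec_t)` in the previous hunk and the existing apache domtrans the same domain is now entered from httpd, init and cron. Every rule written for the web-facing path (the broad TCP connect rule, dac_override) then also applies when the program runs from cron or as a service, and the reverse holds for the daemon-style rules. If these are distinct mailman3 programs sharing one executable type, a comment saying so would help; if they are distinct executables, a separate domain for the non-CGI path would keep the CGI rule set smaller. The .fc changes are not part of this patch, so which binaries carry mailman_cgi_exec_t is not visible here.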
> @@ -142,7 +172,9 @@ optional_policy(`
>  #
>  
>  allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config };
> -allow mailman_mail_t self:process { signal signull setsched };
> +allow mailman_mail_t self:process { execmem signal signull setsched };
> +allow mailman_mail_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
> +allow mailman_mail_t self:fifo_file rw_file_perms;
>  
>  allow mailman_mail_t mailman_archive_t:dir manage_dir_perms;
>  allow mailman_mail_t mailman_archive_t:file manage_file_perms;
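Review bot: `allow mailman_mail_t self:process { execmem signal signull setsched };` adds execmem, which permits anonymous memory that is both writable and executable and so removes the W^X guarantee for the mail domain; refpolicy normally documents such grants with a comment naming the library that needs them or places them behind a tunable. A comment like `# execmem: required by <library name> — TODO confirm` above the rule, or a boolean, would make the trade-off explicit. The `self:netlink_audit_socket { nlmsg_relay create_socket_perms }` rule on the next line deserves the same treatment, since emitting audit records is normally a property of login or PAM stacks rather than of mail delivery, so stating which component triggers it would help.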
> @@ -167,8 +199,12 @@ manage_files_pattern(mailman_mail_t, mai
>  manage_dirs_pattern(mailman_mail_t, mailman_runtime_t, mailman_runtime_t)
>  files_runtime_filetrans(mailman_mail_t, mailman_runtime_t, { file dir })
>  
> +kernel_read_network_state(mailman_mail_t)
>  kernel_read_system_state(mailman_mail_t)
>  
> +corenet_tcp_bind_all_unreserved_ports(mailman_mail_t)
> +corenet_tcp_bind_generic_node(mailman_mail_t)
> +corenet_tcp_connect_http_port(mailman_mail_t)
>  corenet_tcp_connect_smtp_port(mailman_mail_t)
>  corenet_sendrecv_spamd_client_packets(mailman_mail_t)
>  corenet_sendrecv_innd_client_packets(mailman_mail_t)
> @@ -193,6 +229,7 @@ libs_read_lib_files(mailman_mail_t)
>  
>  logging_search_logs(mailman_mail_t)
>  
> +miscfiles_read_generic_certs(mailman_mail_t)
>  miscfiles_read_localization(mailman_mail_t)
>  
>  mta_use_mailserver_fds(mailman_mail_t)
> @@ -200,14 +237,26 @@ mta_dontaudit_rw_delivery_tcp_sockets(ma
>  mta_dontaudit_rw_queue(mailman_mail_t)
>  
>  optional_policy(`
> +	apache_search_config(mailman_mail_t)
> +')
> +
> +optional_policy(`
>  	courier_read_spool(mailman_mail_t)
>  ')
>  
>  optional_policy(`
>  	cron_read_pipes(mailman_mail_t)
> +	cron_rw_inherited_tmp_files(mailman_mail_t)
> +	cron_search_spool(mailman_mail_t)
> +	cron_system_entry(mailman_mail_t, mailman_mail_exec_t)
>  ')
>  
>  optional_policy(`
> +	corenet_tcp_connect_mysqld_port(mailman_mail_t)
> +')
> +
> +optional_policy(`
> +	postfix_read_config(mailman_mail_t)
>  	postfix_search_spool(mailman_mail_t)
>  	postfix_rw_inherited_master_pipes(mailman_mail_t)
>  ')
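Review bot: `corenet_tcp_connect_mysqld_port(mailman_mail_t)` is wrapped in `optional_policy(...)` although corenet_ interfaces come from the always-present kernel layer and never need the optional block; the other corenet_ calls this patch adds for mailman_mail_t sit unconditionally in the bind/connect block earlier in the mail policy, and that is where this line belongs. If the intent was to depend on the mysql module, the pattern used for mailman_cgi_t is `mysql_stream_connect` inside an optional block, but a TCP connect to the mysqld port does not require the mysql module to be loaded.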
> @@ -217,8 +266,8 @@ optional_policy(`
>  # Queue local policy
>  #
>  
> -allow mailman_queue_t self:capability { setgid setuid };
> -allow mailman_queue_t self:process { setsched signal_perms };
> +allow mailman_queue_t self:capability { dac_override setgid setuid };
> +allow mailman_queue_t self:process { setsched signal_perms sigkill };

is sigkill not implied with signal_perms?

>  allow mailman_queue_t self:fifo_file rw_fifo_file_perms;
>  
>  allow mailman_queue_t mailman_archive_t:dir manage_dir_perms;
> @@ -251,14 +300,14 @@ seutil_dontaudit_search_config(mailman_q
>  
>  userdom_search_user_home_dirs(mailman_queue_t)
>  
> -cron_rw_tmp_files(mailman_queue_t)
> -
>  optional_policy(`
>  	apache_read_config(mailman_queue_t)
>  ')
>  
>  optional_policy(`
> +	cron_rw_tmp_files(mailman_queue_t)
>  	cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
> +	cron_use_fds(mailman_queue_t)
>  ')
>  
>  optional_policy(`
> Index: refpolicy-2.20210203/policy/modules/services/apache.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/apache.te
> +++ refpolicy-2.20210203/policy/modules/services/apache.te
> @@ -815,6 +815,7 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	mailman_connect_cgi(httpd_t)
>  	mailman_signal_cgi(httpd_t)
>  	mailman_domtrans_cgi(httpd_t)
>  	mailman_read_data_files(httpd_t)
> Index: refpolicy-2.20210203/policy/modules/services/cron.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/cron.te
> +++ refpolicy-2.20210203/policy/modules/services/cron.te
> @@ -607,6 +607,12 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	mailman_domtrans_queue(system_cronjob_t)
> +	# for flock
> +	mailman_manage_runtime(system_cronjob_t)
> +')
> +
> +optional_policy(`
>  	mrtg_append_create_logs(system_cronjob_t)
>  	mrtg_read_config(system_cronjob_t)
>  ')
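Review bot: `mailman_manage_runtime(system_cronjob_t)`, justified only by `# for flock`, grants create, write and unlink on every mailman runtime file plus read/write on the directory to the system cron-job domain, which is far more than taking a lock needs. In current refpolicy `read_file_perms` already includes `lock`, so `mailman_read_runtime(system_cronjob_t)` would cover an flock on an existing file; only if mailman's lock helper opens the file for writing or creates it is the manage interface required, and the comment should say which of those applies, e.g. `# for flock: <helper> opens the lock file O_RDWR — TODO confirm`. It is also worth checking whether the cron job touches these files itself before the `mailman_domtrans_queue` transition on the line above takes effect, since if the access only happens inside mailman_queue_t the rule for system_cronjob_t is unnecessary.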
> Index: refpolicy-2.20210203/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20210203/policy/modules/system/systemd.te
> @@ -1523,6 +1523,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	mailman_manage_lockdir(systemd_tmpfiles_t)
> +')
> +
> +optional_policy(`
>  	xfs_create_tmp_dirs(systemd_tmpfiles_t)
>  ')
>  
>

-- 
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift



