commit: 232701f0d9090cd34c22f350a7dfbda7c58a0ea0 Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> AuthorDate: Fri Feb 24 01:58:41 2017 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Sat Feb 25 14:50:54 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=232701f0
mailman: Fixes from Russell Coker. policy/modules/contrib/cron.if | 18 +++++++ policy/modules/contrib/cron.te | 2 +- policy/modules/contrib/mailman.fc | 24 ++++----- policy/modules/contrib/mailman.te | 100 +++++++++++++++++++++++++++++++++++--- policy/modules/contrib/mta.if | 18 +++++++ policy/modules/contrib/mta.te | 2 +- 6 files changed, 143 insertions(+), 21 deletions(-) diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if index 6737f53c..5739d4f0 100644 --- a/policy/modules/contrib/cron.if +++ b/policy/modules/contrib/cron.if @@ -705,6 +705,24 @@ interface(`cron_manage_system_spool',` ######################################## ## <summary> +## Read and write crond temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cron_rw_tmp_files',` + gen_require(` + type crond_tmp_t; + ') + + allow $1 crond_tmp_t:file rw_file_perms; +') + +######################################## +## <summary> ## Read system cron job lib files. ## </summary> ## <param name="domain"> diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te index 3513e1f2..b51524a4 100644 --- a/policy/modules/contrib/cron.te +++ b/policy/modules/contrib/cron.te @@ -1,4 +1,4 @@ -policy_module(cron, 2.11.1) +policy_module(cron, 2.11.2) gen_require(` class passwd rootok; diff --git a/policy/modules/contrib/mailman.fc b/policy/modules/contrib/mailman.fc index 1a226daf..d5734fc9 100644 --- a/policy/modules/contrib/mailman.fc +++ b/policy/modules/contrib/mailman.fc 
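Review bot: The new `cron_rw_tmp_files` interface grants `crond_tmp_t:file rw_file_perms` with no search permission on the directory that holds those files, so a caller can only reach them through an inherited descriptor or a path it can already traverse, and neither the summary nor the body says which is intended. If the use case (presumably a cron job such as `mailman_queue_t` writing to the stdout/stderr file crond hands it) is inherited descriptors, say so in the summary, e.g. `## Read and write crond temporary files (normally inherited from crond as a job's output file).`; if open-by-path is expected, add `files_search_tmp($1)` before the allow. Either way, consider noting that this is intended for cron-job domains only, since it writes into files crond itself processes.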
@@ -2,11 +2,11 @@ /etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0) -/usr/lib/mailman.*/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -/usr/lib/mailman.*/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -/usr/lib/mailman.*/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) +/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +/usr/lib/mailman/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +/usr/lib/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) /var/lib/mailman.* gen_context(system_u:object_r:mailman_data_t,s0) -/var/lib/mailman.*/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0) +/var/lib/mailman/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0) /var/lock/mailman.* gen_context(system_u:object_r:mailman_lock_t,s0) /var/lock/subsys/mailman.* -- gen_context(system_u:object_r:mailman_lock_t,s0) 
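Review bot: The narrowing from `mailman.*` to a literal `mailman` directory is applied to the bin/cron executables and the archives subtree but not to `/etc/mailman.*`, `/var/lib/mailman.*` and `/var/lock/mailman.*` in the same hunk, which leaves the file contexts inconsistent: a sibling tree such as `/var/lib/mailman3` would still be labelled `mailman_data_t` by the surviving glob while its `archives` directory would no longer receive `mailman_archive_t`. Either narrow the remaining data and lock entries the same way (`/var/lib/mailman(/.*)?`, `/etc/mailman(/.*)?`, `/var/lock/mailman(/.*)?`) or record in the commit why only the executable paths are meant to be exact. The `.*` form also matches unrelated names with the same prefix, which is an additional reason to finish the narrowing.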
@@ -17,16 +17,16 @@ /var/spool/mailman.* gen_context(system_u:object_r:mailman_data_t,s0) -/usr/lib/cgi-bin/mailman.*/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) -/usr/lib/mailman.*/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) -/usr/lib/mailman.*/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) -/usr/lib/mailman.*/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -/usr/lib/mailman.*/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -/usr/lib/mailman.*/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +/usr/lib/cgi-bin/mailman/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) +/usr/lib/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) +/usr/lib/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) +/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +/usr/lib/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +/usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -/usr/mailman.*/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +/usr/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -/usr/share/doc/mailman.*/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +/usr/share/doc/mailman/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) ifdef(`distro_gentoo',` # Bug 536666 diff --git a/policy/modules/contrib/mailman.te b/policy/modules/contrib/mailman.te index 7421ce3a..3de43d20 100644 --- a/policy/modules/contrib/mailman.te +++ b/policy/modules/contrib/mailman.te @@ -1,4 +1,4 @@ -policy_module(mailman, 1.12.0) +policy_module(mailman, 1.12.1) ######################################## # 
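Review bot: `/usr/share/doc/mailman/mm-handler.*` on the new side makes any file whose name starts with `mm-handler` under the documentation tree an entrypoint for `mailman_mail_t`, and the same `.*` suffix appears in the `/usr/lib/mailman/bin/mm-handler.*` entry above it. If only the example handler script itself is meant (presumably `mm-handler`, possibly with a `.py` suffix), anchor the pattern, e.g. `/usr/share/doc/mailman/mm-handler(\.py)? -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)`, so that README-style files with that prefix do not become executable entrypoints; if the doc copy is not actually executed by the MTA, drop the doc entry altogether. The `/usr/mailman/mail/wrapper` entry looks like a legacy path and deserves a one-line comment saying which distribution still installs there.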
@@ -91,12 +91,39 @@ miscfiles_read_localization(mailman_domain) # CGI local policy # +allow mailman_cgi_t self:unix_dgram_socket { create connect }; + +allow mailman_cgi_t mailman_archive_t:dir search_dir_perms; +allow mailman_cgi_t mailman_archive_t:file read_file_perms; + +allow mailman_cgi_t mailman_data_t:dir rw_dir_perms; +allow mailman_cgi_t mailman_data_t:file manage_file_perms; +allow mailman_cgi_t mailman_data_t:lnk_file read_lnk_file_perms; + +allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms; +allow mailman_cgi_t mailman_lock_t:file manage_file_perms; + +allow mailman_cgi_t mailman_log_t:file { append_file_perms read_file_perms }; +allow mailman_cgi_t mailman_log_t:dir search_dir_perms; + +kernel_read_crypto_sysctls(mailman_cgi_t) +kernel_read_system_state(mailman_cgi_t) + +corecmd_exec_bin(mailman_cgi_t) + dev_read_urand(mailman_cgi_t) +files_search_locks(mailman_cgi_t) + term_use_controlling_term(mailman_cgi_t) libs_dontaudit_write_lib_dirs(mailman_cgi_t) +logging_search_logs(mailman_cgi_t) + +miscfiles_read_localization(mailman_cgi_t) + + optional_policy(` apache_sigchld(mailman_cgi_t) apache_use_fds(mailman_cgi_t) 
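Review bot: `mailman_cgi_t`, the domain reached from the web server, is given `manage_dir_perms` on `mailman_lock_t` directories and `manage_file_perms` plus `rw_dir_perms` on `mailman_data_t`, which lets it create, unlink and rename any list configuration, spool or queue file, while the mail and queue domains in the later hunks of this commit receive only `rw_dir_perms` on the lock directory. The lock-directory permission should match the other domains, `allow mailman_cgi_t mailman_lock_t:dir rw_dir_perms;`, unless the CGI actually creates lock directories. For the data files, if the web interface only rewrites existing list configuration, `rw_file_perms` would bound the exposure of a compromised CGI far better than `manage_file_perms`; if create/unlink is genuinely required (e.g. for pickled config rewrites via rename), a one-line comment above the allow saying so would stop the next reviewer from tightening it. `kernel_read_system_state` and `corecmd_exec_bin` are also new for this network-facing domain and deserve a comment naming the Mailman operation that needs them.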
@@ -116,24 +143,61 @@ optional_policy(` # allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config }; -allow mailman_mail_t self:process { signal signull }; +allow mailman_mail_t self:process { signal signull setsched }; + +allow mailman_mail_t mailman_archive_t:dir manage_dir_perms; +allow mailman_mail_t mailman_archive_t:file manage_file_perms; +allow mailman_mail_t mailman_archive_t:lnk_file manage_lnk_file_perms; + +allow mailman_mail_t mailman_data_t:dir rw_dir_perms; +allow mailman_mail_t mailman_data_t:file manage_file_perms; +allow mailman_mail_t mailman_data_t:lnk_file read_lnk_file_perms; + +allow mailman_mail_t mailman_lock_t:dir rw_dir_perms; +allow mailman_mail_t mailman_lock_t:file manage_file_perms; + +allow mailman_mail_t mailman_log_t:dir search; +allow mailman_mail_t mailman_log_t:file read_file_perms; + +domtrans_pattern(mailman_mail_t, mailman_queue_exec_t, mailman_queue_t) +allow mailman_mail_t mailman_queue_exec_t:file ioctl; + +can_exec(mailman_mail_t, mailman_mail_exec_t) manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir }) -corenet_sendrecv_innd_client_packets(mailman_mail_t) -corenet_tcp_connect_innd_port(mailman_mail_t) -corenet_tcp_sendrecv_innd_port(mailman_mail_t) +kernel_read_system_state(mailman_mail_t) +corenet_tcp_connect_smtp_port(mailman_mail_t) corenet_sendrecv_spamd_client_packets(mailman_mail_t) +corenet_sendrecv_innd_client_packets(mailman_mail_t) +corenet_tcp_connect_innd_port(mailman_mail_t) corenet_tcp_connect_spamd_port(mailman_mail_t) +corenet_tcp_sendrecv_innd_port(mailman_mail_t) corenet_tcp_sendrecv_spamd_port(mailman_mail_t) dev_read_urand(mailman_mail_t) +corecmd_exec_bin(mailman_mail_t) + +files_search_locks(mailman_mail_t) + fs_rw_anon_inodefs_files(mailman_mail_t) +# this is far from ideal, but systemd reduces the 
importance of initrc_t +init_signal_script(mailman_mail_t) +init_signull_script(mailman_mail_t) + +# for python .path file +libs_read_lib_files(mailman_mail_t) + +logging_search_logs(mailman_mail_t) + +miscfiles_read_localization(mailman_mail_t) + +mta_use_mailserver_fds(mailman_mail_t) mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t) mta_dontaudit_rw_queue(mailman_mail_t) @@ -159,18 +223,40 @@ allow mailman_queue_t self:capability { setgid setuid }; allow mailman_queue_t self:process { setsched signal_perms }; allow mailman_queue_t self:fifo_file rw_fifo_file_perms; +allow mailman_queue_t mailman_archive_t:dir manage_dir_perms; +allow mailman_queue_t mailman_archive_t:file manage_file_perms; + +allow mailman_queue_t mailman_data_t:dir rw_dir_perms; +allow mailman_queue_t mailman_data_t:file manage_file_perms; +allow mailman_queue_t mailman_data_t:lnk_file read_lnk_file_perms; + +allow mailman_queue_t mailman_lock_t:dir rw_dir_perms; +allow mailman_queue_t mailman_lock_t:file manage_file_perms; + +allow mailman_queue_t mailman_log_t:dir list_dir_perms; +allow mailman_queue_t mailman_log_t:file manage_file_perms; + +kernel_read_system_state(mailman_queue_t) + +auth_domtrans_chk_passwd(mailman_queue_t) + +corecmd_read_bin_files(mailman_queue_t) +corecmd_read_bin_symlinks(mailman_queue_t) corenet_sendrecv_innd_client_packets(mailman_queue_t) corenet_tcp_connect_innd_port(mailman_queue_t) corenet_tcp_sendrecv_innd_port(mailman_queue_t) -auth_domtrans_chk_passwd(mailman_queue_t) - files_dontaudit_search_pids(mailman_queue_t) +files_search_locks(mailman_queue_t) + +miscfiles_read_localization(mailman_queue_t) seutil_dontaudit_search_config(mailman_queue_t) userdom_search_user_home_dirs(mailman_queue_t) +cron_rw_tmp_files(mailman_queue_t) + optional_policy(` apache_read_config(mailman_queue_t) ') diff --git a/policy/modules/contrib/mta.if b/policy/modules/contrib/mta.if index a5034276..7e268b80 100644 --- a/policy/modules/contrib/mta.if 
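Review bot: The new `corenet_tcp_connect_smtp_port(mailman_mail_t)` is not paired with `corenet_tcp_sendrecv_smtp_port` and `corenet_sendrecv_smtp_client_packets`, whereas the innd and spamd entries directly below it carry all three; without the packet permissions the SMTP connection will be denied on systems using packet labelling, so add the two missing lines next to it. Separately, `init_signal_script(mailman_mail_t)` combined with the `kill` capability this domain already holds lets an MTA-spawned delivery process send arbitrary signals to `initrc_t`; the accompanying comment concedes this is "far from ideal" but does not say which script or signal is needed. If only liveness probing is required, `init_signull_script` alone plus a `dontaudit` for the rest would keep the domain honest; otherwise extend the comment to name the scenario that requires `signal`. The comment itself is split across two lines on this page and should be one `#` line in the file.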
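Review bot: `cron_rw_tmp_files(mailman_queue_t)` is added as a bare call, while the `apache_read_config(mailman_queue_t)` immediately after it sits inside an `optional_policy(` block; a bare call into the cron module makes mailman fail to load on a system without the cron policy module. Wrap it the same way, `optional_policy(\`` / `cron_rw_tmp_files(mailman_queue_t)` / `')`, and since this hunk already gives `mailman_queue_t` `manage_file_perms` on its own `mailman_log_t`, add a short comment explaining that the cron temp files are the job's inherited output rather than something it opens by path, so a reader does not look for the missing `files_search_tmp`. The `auth_domtrans_chk_passwd` line is only moved, not changed, but a note on why a queue runner needs to authenticate passwords would help here as well.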
+++ b/policy/modules/contrib/mta.if @@ -338,6 +338,24 @@ interface(`mta_sendmail_mailserver',` typeattribute $1 mailserver_domain; ') +######################################## +## <summary> +## Inherit FDs from mailserver_domain domains +## </summary> +## <param name="type"> +## <summary> +## Type for a list server or delivery agent that inherits fds +## </summary> +## </param> +# +interface(`mta_use_mailserver_fds',` + gen_require(` + attribute mailserver_domain; + ') + + allow $1 mailserver_domain:fd use; +') + ####################################### ## <summary> ## Make a type a mailserver type used diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te index 9a3ee20e..f7280b11 100644 --- a/policy/modules/contrib/mta.te +++ b/policy/modules/contrib/mta.te @@ -1,4 +1,4 @@ -policy_module(mta, 2.8.1) +policy_module(mta, 2.8.2) ######################################## #
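Review bot: The new `mta_use_mailserver_fds` interface documents its argument as `<param name="type">`, whereas the `cron_rw_tmp_files` interface added in the same commit and the surrounding mta.if interfaces use `<param name="domain">` with the summary "Domain allowed access."; keep the standard wording so the generated interface documentation is uniform: `## <param name="domain">` / `## Domain allowed access.`. The summary would also read better in the usual imperative form, `## Use file descriptors inherited from mail server domains.`, and a one-line note that this covers every `mailserver_domain` member, not just the MTA that spawned the caller, would make the scope clear to callers like `mailman_mail_t`.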