commit: 98ebbf0f2916e7541905c03eef89330b51c9ff97
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Thu Sep 21 16:01:24 2023 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct 6 15:27:06 2023 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=98ebbf0f
policy patches for anti-spam daemons (#698)
* Patches for anti-spam related policy
* Added a separate tunable for execmem, can be enabled for people who need it
which means Debian rspam users and some of the less common SpamAssassin
configurations
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/services/clamav.te | 5 ++--
policy/modules/services/dkim.fc | 1 +
policy/modules/services/dkim.te | 2 +-
policy/modules/services/milter.fc | 2 ++
policy/modules/services/milter.te | 41 +++++++++++++++++++++++++++++++++
policy/modules/services/spamassassin.te | 16 ++++++++++++-
6 files changed, 63 insertions(+), 4 deletions(-)
diff --git a/policy/modules/services/clamav.te
b/policy/modules/services/clamav.te
index c171fd7dc..a9476a561 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -75,7 +75,7 @@ logging_log_file(freshclam_var_log_t)
allow clamd_t self:capability { chown fowner fsetid kill setgid setuid
dac_override };
dontaudit clamd_t self:capability sys_tty_config;
-allow clamd_t self:process signal;
+allow clamd_t self:process { signal getsched };
allow clamd_t self:fifo_file rw_fifo_file_perms;
allow clamd_t self:unix_stream_socket { accept connectto listen };
allow clamd_t self:tcp_socket { listen accept };
@@ -174,7 +174,7 @@ optional_policy(`
# Freshclam local policy
#
-allow freshclam_t self:capability { dac_override setgid setuid };
+allow freshclam_t self:capability { chown dac_override setgid setuid };
allow freshclam_t self:fifo_file rw_fifo_file_perms;
allow freshclam_t self:unix_stream_socket { accept listen };
allow freshclam_t self:tcp_socket { accept listen };
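Review bot: The new `chown` capability added to the freshclam_t self:capability rule carries no comment on why the updater needs to change file ownership, and the commit message does not explain it either. Because chown lets the domain reassign ownership of any file it can already write, a one-line why-comment above the rule would let a later reviewer judge whether the grant is still needed, e.g. `# chown: needed by freshclam when <reason — TODO confirm with the reporter>`. Without it the capability is likely to survive indefinitely even if the upstream behaviour that required it changes.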
@@ -225,6 +225,7 @@ dev_read_urand(freshclam_t)
domain_use_interactive_fds(freshclam_t)
files_read_etc_runtime_files(freshclam_t)
+files_read_usr_files(freshclam_t)
files_search_var_lib(freshclam_t)
auth_use_nsswitch(freshclam_t)
diff --git a/policy/modules/services/dkim.fc b/policy/modules/services/dkim.fc
index 08b652630..0b269c0af 100644
--- a/policy/modules/services/dkim.fc
+++ b/policy/modules/services/dkim.fc
@@ -1,4 +1,5 @@
/etc/opendkim/keys(/.*)?
gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+/etc/dkimkeys(/.*)?
gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
/etc/rc\.d/init\.d/((opendkim)|(dkim-milter)) --
gen_context(system_u:object_r:dkim_milter_initrc_exec_t,s0)
diff --git a/policy/modules/services/dkim.te b/policy/modules/services/dkim.te
index 32468194b..e960818da 100644
--- a/policy/modules/services/dkim.te
+++ b/policy/modules/services/dkim.te
@@ -24,7 +24,7 @@ init_daemon_runtime_file(dkim_milter_data_t, dir, "opendkim")
#
allow dkim_milter_t self:capability { dac_read_search dac_override setgid
setuid };
-allow dkim_milter_t self:process { signal signull };
+allow dkim_milter_t self:process { signal signull getsched };
allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
read_files_pattern(dkim_milter_t, dkim_milter_private_key_t,
dkim_milter_private_key_t)
diff --git a/policy/modules/services/milter.fc
b/policy/modules/services/milter.fc
index 42fe5e941..71b168061 100644
--- a/policy/modules/services/milter.fc
+++ b/policy/modules/services/milter.fc
@@ -8,6 +8,7 @@
/usr/sbin/milter-greylist --
gen_context(system_u:object_r:greylist_milter_exec_t,s0)
/usr/sbin/sqlgrey --
gen_context(system_u:object_r:greylist_milter_exec_t,s0)
/usr/sbin/milter-regex --
gen_context(system_u:object_r:regex_milter_exec_t,s0)
+/usr/sbin/postfwd.* --
gen_context(system_u:object_r:postfwd_milter_exec_t,s0)
/usr/sbin/spamass-milter --
gen_context(system_u:object_r:spamass_milter_exec_t,s0)
/var/lib/milter-greylist(/.*)?
gen_context(system_u:object_r:greylist_milter_data_t,s0)
@@ -16,6 +17,7 @@
/run/milter-greylist(/.*)?
gen_context(system_u:object_r:greylist_milter_data_t,s0)
/run/milter-greylist\.pid --
gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/run/postfwd\.pid --
gen_context(system_u:object_r:postfwd_milter_runtime_t,s0)
/run/spamass(/.*)?
gen_context(system_u:object_r:spamass_milter_data_t,s0)
/run/sqlgrey\.pid --
gen_context(system_u:object_r:greylist_milter_data_t,s0)
/run/spamass-milter(/.*)?
gen_context(system_u:object_r:spamass_milter_data_t,s0)
diff --git a/policy/modules/services/milter.te
b/policy/modules/services/milter.te
index a8a7c1f29..01e45842c 100644
--- a/policy/modules/services/milter.te
+++ b/policy/modules/services/milter.te
@@ -9,9 +9,16 @@ attribute milter_domains;
attribute milter_data_type;
milter_template(greylist)
+milter_template(postfwd)
milter_template(regex)
milter_template(spamass)
+type postfwd_milter_runtime_t;
+files_runtime_file(postfwd_milter_runtime_t)
+
+type postfwd_milter_tmp_t;
+files_tmp_file(postfwd_milter_tmp_t)
+
type spamass_milter_initrc_exec_t;
init_script_file(spamass_milter_initrc_exec_t)
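Review bot: `postfwd_milter_runtime_t` is declared as a separate runtime type, whereas the milter.fc hunk in this same commit labels the other milters' pid files with their template-provided data type (`/run/milter-greylist\.pid` and `/run/sqlgrey\.pid` are `greylist_milter_data_t`). If `milter_template(postfwd)` already yields a `postfwd_milter_data_t` as it apparently does for greylist, the extra type is an inconsistency worth either justifying in a comment (`# separate runtime type: <reason — TODO confirm>`) or dropping in favour of the template type. The enclosing type-declaration block is fully visible in this hunk.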
@@ -74,6 +81,40 @@ optional_policy(`
mysql_stream_connect(greylist_milter_t)
')
+########################################
+#
+# postfwd local policy
+#
+
+allow postfwd_milter_t self:process { signal signull };
+allow postfwd_milter_t self:capability { chown dac_override dac_read_search
kill setgid setuid };
+allow postfwd_milter_t self:unix_stream_socket connectto;
+
+files_runtime_filetrans(postfwd_milter_t, postfwd_milter_runtime_t, file,
"postfwd.pid")
+allow postfwd_milter_t postfwd_milter_runtime_t:file manage_file_perms;
+
+allow postfwd_milter_t postfwd_milter_tmp_t:sock_file manage_sock_file_perms;
+allow postfwd_milter_t postfwd_milter_tmp_t:file manage_file_perms;
+files_tmp_filetrans(postfwd_milter_t, postfwd_milter_tmp_t, { file sock_file })
+
+kernel_read_kernel_sysctls(postfwd_milter_t)
+
+corecmd_exec_bin(postfwd_milter_t)
+corecmd_exec_shell(postfwd_milter_t)
+corecmd_mmap_bin_files(postfwd_milter_t)
+corenet_tcp_bind_all_unreserved_ports(postfwd_milter_t)
+corenet_tcp_connect_all_unreserved_ports(postfwd_milter_t)
+
+dev_read_urand(postfwd_milter_t)
+
+files_read_usr_files(postfwd_milter_t)
+files_read_usr_symlinks(postfwd_milter_t)
+files_search_tmp(postfwd_milter_t)
+
+optional_policy(`
+ postfix_read_config(postfwd_milter_t)
+')
+
########################################
#
# regex local policy
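Review bot: The postfwd block grants `corenet_tcp_bind_all_unreserved_ports` and `corenet_tcp_connect_all_unreserved_ports` together with `corecmd_exec_shell`, with no comment saying which listener, which outbound connections and which shell invocation they cover. Binding to and connecting to every unreserved port means a compromised postfwd_milter_t can stand up or reach arbitrary services, which is far wider than a policy daemon with a single configured port needs. If postfwd listens on one fixed port, a dedicated port type in corenetwork with the matching bind/connect interfaces would be the conventional narrowing; otherwise a why-comment above the two corenet lines, such as `# postfwd port is admin-configured; all unreserved ports until a dedicated port type exists`, documents the trade-off. The same applies to `corecmd_exec_shell`: a comment naming the helper scripts that require it would make the grant reviewable later.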
diff --git a/policy/modules/services/spamassassin.te
b/policy/modules/services/spamassassin.te
index ac3c340f6..1d28b3069 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -39,6 +39,14 @@ gen_tunable(spamassassin_network_update, true)
## </desc>
gen_tunable(rspamd_spamd, false)
+## <desc>
+## <p>
+## Determine whether execmem should be allowed
+## Needed if LUA JIT is enabled for rspamd
+## </p>
+## </desc>
+gen_tunable(spamd_execmem, false)
+
attribute_role spamd_update_roles;
type spamassassin_t;
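Review bot: The `<desc>` of the new `spamd_execmem` tunable only says execmem is needed for rspamd's Lua JIT; it neither names the domain it applies to nor tells the administrator what is given up by enabling it, and it omits the SpamAssassin configurations the commit message also lists. Since execmem lets spamd_t map writable anonymous or private memory as executable, the `<p>` text should say so, e.g. `Allow spamd_t to map writable memory as executable (execmem). Needed when rspamd runs with LuaJIT and by some SpamAssassin configurations; leave disabled otherwise.` That wording lets an admin decide from the tunable description alone rather than from the commit history.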
@@ -415,10 +423,16 @@ tunable_policy(`spamd_enable_home_dirs',`
userdom_manage_user_home_content_symlinks(spamd_t)
')
+tunable_policy(`spamd_execmem',`
+ allow spamd_t self:process execmem;
+')
+
tunable_policy(`rspamd_spamd',`
allow spamd_t self:process setrlimit;
allow spamc_t self:process setrlimit;
+ kernel_read_network_state(spamd_t)
+
list_dirs_pattern(spamd_t, spamd_etc_t, spamd_etc_t)
mmap_read_files_pattern(spamd_t, spamd_etc_t, spamd_etc_t)
allow spamd_t spamd_etc_t:dir watch;
@@ -427,7 +441,7 @@ tunable_policy(`rspamd_spamd',`
allow spamd_t spamd_var_lib_t:dir watch;
filetrans_pattern(spamd_t, spamd_var_lib_t, spamd_runtime_t, sock_file)
- search_dirs_pattern(spamd_t, spamd_log_t, spamd_log_t)
+ allow spamd_t spamd_log_t:dir rw_dir_perms;
fs_search_tmpfs(spamd_t)
manage_dirs_pattern(spamd_t, spamd_tmpfs_t, spamd_tmpfs_t)
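Review bot: The replacement `allow spamd_t spamd_log_t:dir rw_dir_perms;` widens the rspamd branch from search to write, add_name and remove_name on the log directory, which also lets the daemon unlink or rename its own log files — a concern for log integrity if spamd_t is compromised. If the goal is only to let rspamd create new log files, the narrower set `allow spamd_t spamd_log_t:dir add_entry_dir_perms;` covers that without remove_name; the matching file rule on spamd_log_t:file is not in this hunk, so presumably it already exists elsewhere in the tunable block. A one-line comment above the rule stating which rspamd behaviour needs the directory writes would help future reviews. The enclosing `tunable_policy(`rspamd_spamd'` block starts and ends outside the hunk.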