From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1380102149.dcc4d7193a9af4feb3502c5c8c49abccb880e20a.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/exim.fc policy/modules/contrib/exim.if policy/modules/contrib/exim.te policy/modules/contrib/mta.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: dcc4d7193a9af4feb3502c5c8c49abccb880e20a
X-VCS-Branch: master
Date: Wed, 25 Sep 2013 09:49:36 +0000 (UTC)
List-Id: Gentoo Linux mail

commit: dcc4d7193a9af4feb3502c5c8c49abccb880e20a
Author: Dominick Grift gmail com>
AuthorDate: Mon Sep 23 09:33:10 2013 +0000
Commit: Sven Vermeulen gentoo org>
CommitDate: Wed Sep 25 09:42:29 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=dcc4d719

exim: exim owns directory /var/lib/exim4

mta: this is strange, although there is a domtrans from system_mail_t to exim_t, at some point exim running in the system_mail_t domain wants to read /var/lib/exim4/config.autogenerated.tmp, a second later exim in the exim_t domain does the same

mta: the kernel_read_crypto_sysctls is also exim running in the system_mail_t domain

exim: exim_t (exim4) reads kernel crypto sysctls (/proc/sys/crypto/fips_enabled) in Debian
Signed-off-by: Dominick Grift gmail.com> --- policy/modules/contrib/exim.fc | 2 ++ policy/modules/contrib/exim.if | 19 +++++++++++++++++++ policy/modules/contrib/exim.te | 6 ++++++ policy/modules/contrib/mta.te | 2 ++ 4 files changed, 29 insertions(+) diff --git a/policy/modules/contrib/exim.fc b/policy/modules/contrib/exim.fc index dc0254b..9df498d 100644 --- a/policy/modules/contrib/exim.fc +++ b/policy/modules/contrib/exim.fc @@ -3,6 +3,8 @@ /usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0) /usr/sbin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0) +/var/lib/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_lib_t,s0) + /var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0) /var/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_run_t,s0) diff --git a/policy/modules/contrib/exim.if b/policy/modules/contrib/exim.if index 94a8269..7e78b7b 100644 --- a/policy/modules/contrib/exim.if +++ b/policy/modules/contrib/exim.if @@ -225,6 +225,25 @@ interface(`exim_manage_spool_files',` ######################################## ## +## Read exim var lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`exim_read_var_lib_files',` + gen_require(` + type exim_var_lib_t; + ') + + read_files_pattern($1, exim_var_lib_t, exim_var_lib_t) + files_search_var_lib($1) +') + +######################################## +## ## All of the rules required to ## administrate an exim environment. ## diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te index 7e8cf42..88896fd 100644 --- a/policy/modules/contrib/exim.te +++ b/policy/modules/contrib/exim.te @@ -48,6 +48,9 @@ init_script_file(exim_initrc_exec_t) type exim_keytab_t; files_type(exim_keytab_t) +type exim_var_lib_t; +files_type(exim_var_lib_t) + type exim_log_t; logging_log_file(exim_log_t) 
@@ -73,6 +76,8 @@ allow exim_t self:tcp_socket { accept listen }; allow exim_t exim_keytab_t:file read_file_perms; +manage_files_pattern(exim_t, exim_var_lib_t, exim_var_lib_t) + append_files_pattern(exim_t, exim_log_t, exim_log_t) create_files_pattern(exim_t, exim_log_t, exim_log_t) setattr_files_pattern(exim_t, exim_log_t, exim_log_t) @@ -93,6 +98,7 @@ files_pid_filetrans(exim_t, exim_var_run_t, { dir file }) can_exec(exim_t, exim_exec_t) +kernel_read_crypto_sysctls(exim_t) kernel_read_kernel_sysctls(exim_t) kernel_read_network_state(exim_t) kernel_dontaudit_read_system_state(exim_t) diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te index 75635b3..2ac5012 100644 --- a/policy/modules/contrib/mta.te +++ b/policy/modules/contrib/mta.te @@ -245,8 +245,10 @@ optional_policy(` ') optional_policy(` + kernel_read_crypto_sysctls(system_mail_t) exim_domtrans(system_mail_t) exim_manage_log(system_mail_t) + exim_read_var_lib_files(system_mail_t) ') optional_policy(`
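Review bot: in the exim.fc hunk, the new context for /var/lib/exim[0-9]?(/.*)? only applies on a relabel; an already-installed /var/lib/exim4 keeps whatever label it has until restorecon is run on it or the filesystem is relabeled, so the exim_var_lib_t rules added in exim.te and mta.te will not match on existing systems until then. Worth a line in the commit message so people know a relabel of /var/lib/exim4 is needed.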
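Review bot: in the exim.te hunk at @@ -73, manage_files_pattern(exim_t, exim_var_lib_t, exim_var_lib_t) covers files only, and nothing in the patch adds a filetrans for the new type. If exim creates /var/lib/exim4 itself, or subdirectories under it (the fc pattern (/.*)? anticipates nested content), those directories will not receive exim_var_lib_t and exim_t has no rule allowing directory creation there. Consider adding `manage_dirs_pattern(exim_t, exim_var_lib_t, exim_var_lib_t)` and, if exim creates the top-level directory, `files_var_lib_filetrans(exim_t, exim_var_lib_t, dir)`; the commit message says exim owns the directory, so at least the dirs pattern seems warranted.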
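Review bot: in the mta.te hunk, kernel_read_crypto_sysctls(system_mail_t) is placed inside the exim optional_policy block, but kernel_* interfaces come from the base module and by refpolicy convention belong in the domain's main rule section with the other kernel_ calls, not inside an optional block for a contrib module; move it above the optional_policy. Separately, the commit message itself describes the read of /var/lib/exim4/config.autogenerated.tmp from system_mail_t as strange given that exim_domtrans(system_mail_t) already exists. A read from the caller domain right before the same read from exim_t usually means the executed file did not carry exim_exec_t and the transition did not happen for that invocation, so before granting exim_read_var_lib_files(system_mail_t) it is worth confirming from the audit record which executable path was running in system_mail_t at the time; if it is a mislabeled or unlisted exim path, fixing the fc entry is the better change than widening system_mail_t.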