[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

["Jason Zaman" <perfinion@gentoo.org>]

commit:     232701f0d9090cd34c22f350a7dfbda7c58a0ea0
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Feb 24 01:58:41 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:50:54 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=232701f0

mailman: Fixes from Russell Coker.

 policy/modules/contrib/cron.if    |  18 +++++++
 policy/modules/contrib/cron.te    |   2 +-
 policy/modules/contrib/mailman.fc |  24 ++++-----
 policy/modules/contrib/mailman.te | 100 +++++++++++++++++++++++++++++++++++---
 policy/modules/contrib/mta.if     |  18 +++++++
 policy/modules/contrib/mta.te     |   2 +-
 6 files changed, 143 insertions(+), 21 deletions(-)

diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if
index 6737f53c..5739d4f0 100644
--- a/policy/modules/contrib/cron.if
+++ b/policy/modules/contrib/cron.if
@@ -705,6 +705,24 @@ interface(`cron_manage_system_spool',`
 
 ########################################
 ## <summary>
+##      Read and write crond temporary files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`cron_rw_tmp_files',`
+	gen_require(`
+		type crond_tmp_t;
+	')
+
+	allow $1 crond_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read system cron job lib files.
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index 3513e1f2..b51524a4 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.11.1)
+policy_module(cron, 2.11.2)
 
 gen_require(`
 	class passwd rootok;

diff --git a/policy/modules/contrib/mailman.fc b/policy/modules/contrib/mailman.fc
index 1a226daf..d5734fc9 100644
--- a/policy/modules/contrib/mailman.fc
+++ b/policy/modules/contrib/mailman.fc
@@ -2,11 +2,11 @@
 
 /etc/mailman.*	gen_context(system_u:object_r:mailman_data_t,s0)
 
-/usr/lib/mailman.*/bin/mailmanctl	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman.*/bin/mm-handler.*	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman.*/cron/.*	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/usr/lib/mailman/bin/mailmanctl	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/bin/mm-handler.*	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/cron/.*	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
 /var/lib/mailman.*	gen_context(system_u:object_r:mailman_data_t,s0)
-/var/lib/mailman.*/archives(/.*)?	gen_context(system_u:object_r:mailman_archive_t,s0)
+/var/lib/mailman/archives(/.*)?	gen_context(system_u:object_r:mailman_archive_t,s0)
 
 /var/lock/mailman.*	gen_context(system_u:object_r:mailman_lock_t,s0)
 /var/lock/subsys/mailman.*	--	gen_context(system_u:object_r:mailman_lock_t,s0)
@@ -17,16 +17,16 @@
 
 /var/spool/mailman.*	gen_context(system_u:object_r:mailman_data_t,s0)
 
-/usr/lib/cgi-bin/mailman.*/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
-/usr/lib/mailman.*/bin/qrunner	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
-/usr/lib/mailman.*/cgi-bin/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
-/usr/lib/mailman.*/mail/mailman	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman.*/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-/usr/lib/mailman.*/scripts/mailman	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/cgi-bin/mailman/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/bin/qrunner	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+/usr/lib/mailman/cgi-bin/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+/usr/lib/mailman/mail/mailman	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib/mailman/scripts/mailman	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 
-/usr/mailman.*/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/mailman/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 
-/usr/share/doc/mailman.*/mm-handler.*	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/share/doc/mailman/mm-handler.*	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 
 ifdef(`distro_gentoo',`
 # Bug 536666

diff --git a/policy/modules/contrib/mailman.te b/policy/modules/contrib/mailman.te
index 7421ce3a..3de43d20 100644
--- a/policy/modules/contrib/mailman.te
+++ b/policy/modules/contrib/mailman.te
@@ -1,4 +1,4 @@
-policy_module(mailman, 1.12.0)
+policy_module(mailman, 1.12.1)
 
 ########################################
 #
@@ -91,12 +91,39 @@ miscfiles_read_localization(mailman_domain)
 # CGI local policy
 #
 
+allow mailman_cgi_t self:unix_dgram_socket { create connect };
+
+allow mailman_cgi_t mailman_archive_t:dir search_dir_perms;
+allow mailman_cgi_t mailman_archive_t:file read_file_perms;
+
+allow mailman_cgi_t mailman_data_t:dir rw_dir_perms;
+allow mailman_cgi_t mailman_data_t:file manage_file_perms;
+allow mailman_cgi_t mailman_data_t:lnk_file read_lnk_file_perms;
+
+allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms;
+allow mailman_cgi_t mailman_lock_t:file manage_file_perms;
+
+allow mailman_cgi_t mailman_log_t:file { append_file_perms read_file_perms };
+allow mailman_cgi_t mailman_log_t:dir search_dir_perms;
+
+kernel_read_crypto_sysctls(mailman_cgi_t)
+kernel_read_system_state(mailman_cgi_t)
+
+corecmd_exec_bin(mailman_cgi_t)
+
 dev_read_urand(mailman_cgi_t)
 
+files_search_locks(mailman_cgi_t)
+
 term_use_controlling_term(mailman_cgi_t)
 
 libs_dontaudit_write_lib_dirs(mailman_cgi_t)
 
+logging_search_logs(mailman_cgi_t)
+
+miscfiles_read_localization(mailman_cgi_t)
+
+
 optional_policy(`
 	apache_sigchld(mailman_cgi_t)
 	apache_use_fds(mailman_cgi_t)
@@ -116,24 +143,61 @@ optional_policy(`
 #
 
 allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config };
-allow mailman_mail_t self:process { signal signull };
+allow mailman_mail_t self:process { signal signull setsched };
+
+allow mailman_mail_t mailman_archive_t:dir manage_dir_perms;
+allow mailman_mail_t mailman_archive_t:file manage_file_perms;
+allow mailman_mail_t mailman_archive_t:lnk_file manage_lnk_file_perms;
+
+allow mailman_mail_t mailman_data_t:dir rw_dir_perms;
+allow mailman_mail_t mailman_data_t:file manage_file_perms;
+allow mailman_mail_t mailman_data_t:lnk_file read_lnk_file_perms;
+
+allow mailman_mail_t mailman_lock_t:dir rw_dir_perms;
+allow mailman_mail_t mailman_lock_t:file manage_file_perms;
+
+allow mailman_mail_t mailman_log_t:dir search;
+allow mailman_mail_t mailman_log_t:file read_file_perms;
+
+domtrans_pattern(mailman_mail_t, mailman_queue_exec_t, mailman_queue_t)
+allow mailman_mail_t mailman_queue_exec_t:file ioctl;
+
+can_exec(mailman_mail_t, mailman_mail_exec_t)
 
 manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
 manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
 files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir })
 
-corenet_sendrecv_innd_client_packets(mailman_mail_t)
-corenet_tcp_connect_innd_port(mailman_mail_t)
-corenet_tcp_sendrecv_innd_port(mailman_mail_t)
+kernel_read_system_state(mailman_mail_t)
 
+corenet_tcp_connect_smtp_port(mailman_mail_t)
 corenet_sendrecv_spamd_client_packets(mailman_mail_t)
+corenet_sendrecv_innd_client_packets(mailman_mail_t)
+corenet_tcp_connect_innd_port(mailman_mail_t)
 corenet_tcp_connect_spamd_port(mailman_mail_t)
+corenet_tcp_sendrecv_innd_port(mailman_mail_t)
 corenet_tcp_sendrecv_spamd_port(mailman_mail_t)
 
 dev_read_urand(mailman_mail_t)
 
+corecmd_exec_bin(mailman_mail_t)
+
+files_search_locks(mailman_mail_t)
+
 fs_rw_anon_inodefs_files(mailman_mail_t)
 
+# this is far from ideal, but systemd reduces the importance of initrc_t
+init_signal_script(mailman_mail_t)
+init_signull_script(mailman_mail_t)
+
+# for python .path file
+libs_read_lib_files(mailman_mail_t)
+
+logging_search_logs(mailman_mail_t)
+
+miscfiles_read_localization(mailman_mail_t)
+
+mta_use_mailserver_fds(mailman_mail_t)
 mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
 mta_dontaudit_rw_queue(mailman_mail_t)
 
@@ -159,18 +223,40 @@ allow mailman_queue_t self:capability { setgid setuid };
 allow mailman_queue_t self:process { setsched signal_perms };
 allow mailman_queue_t self:fifo_file rw_fifo_file_perms;
 
+allow mailman_queue_t mailman_archive_t:dir manage_dir_perms;
+allow mailman_queue_t mailman_archive_t:file manage_file_perms;
+
+allow mailman_queue_t mailman_data_t:dir rw_dir_perms;
+allow mailman_queue_t mailman_data_t:file manage_file_perms;
+allow mailman_queue_t mailman_data_t:lnk_file read_lnk_file_perms;
+
+allow mailman_queue_t mailman_lock_t:dir rw_dir_perms;
+allow mailman_queue_t mailman_lock_t:file manage_file_perms;
+
+allow mailman_queue_t mailman_log_t:dir list_dir_perms;
+allow mailman_queue_t mailman_log_t:file manage_file_perms;
+
+kernel_read_system_state(mailman_queue_t)
+
+auth_domtrans_chk_passwd(mailman_queue_t)
+
+corecmd_read_bin_files(mailman_queue_t)
+corecmd_read_bin_symlinks(mailman_queue_t)
 corenet_sendrecv_innd_client_packets(mailman_queue_t)
 corenet_tcp_connect_innd_port(mailman_queue_t)
 corenet_tcp_sendrecv_innd_port(mailman_queue_t)
 
-auth_domtrans_chk_passwd(mailman_queue_t)
-
 files_dontaudit_search_pids(mailman_queue_t)
+files_search_locks(mailman_queue_t)
+
+miscfiles_read_localization(mailman_queue_t)
 
 seutil_dontaudit_search_config(mailman_queue_t)
 
 userdom_search_user_home_dirs(mailman_queue_t)
 
+cron_rw_tmp_files(mailman_queue_t)
+
 optional_policy(`
 	apache_read_config(mailman_queue_t)
 ')

diff --git a/policy/modules/contrib/mta.if b/policy/modules/contrib/mta.if
index a5034276..7e268b80 100644
--- a/policy/modules/contrib/mta.if
+++ b/policy/modules/contrib/mta.if
@@ -338,6 +338,24 @@ interface(`mta_sendmail_mailserver',`
 	typeattribute $1 mailserver_domain;
 ')
 
+########################################
+## <summary>
+##	Inherit FDs from mailserver_domain domains
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type for a list server or delivery agent that inherits fds
+##	</summary>
+## </param>
+#
+interface(`mta_use_mailserver_fds',`
+	gen_require(`
+		attribute mailserver_domain;
+	')
+
+	allow $1 mailserver_domain:fd use;
+')
+
 #######################################
 ## <summary>
 ##	Make a type a mailserver type used

diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index 9a3ee20e..f7280b11 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.8.1)
+policy_module(mta, 2.8.2)
 
 ########################################
 #