From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 8446A139083 for ; Sat, 25 Feb 2017 15:00:08 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id CD95BE0D1A; Sat, 25 Feb 2017 14:59:48 +0000 (UTC) Received: from smtp.gentoo.org (mail.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 9B459E0D1A for ; Sat, 25 Feb 2017 14:59:48 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 04B1B3414C1 for ; Sat, 25 Feb 2017 14:59:42 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 9B768543E for ; Sat, 25 Feb 2017 14:59:39 +0000 (UTC) 
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1488034254.232701f0d9090cd34c22f350a7dfbda7c58a0ea0.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/cron.if policy/modules/contrib/cron.te policy/modules/contrib/mailman.fc policy/modules/contrib/mailman.te policy/modules/contrib/mta.if policy/modules/contrib/mta.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 232701f0d9090cd34c22f350a7dfbda7c58a0ea0 X-VCS-Branch: next Date: Sat, 25 Feb 2017 14:59:39 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: bee63fb6-8e5a-49d5-8f19-17f9977eb417 X-Archives-Hash: e89acffa501240d29889ca982c799d25 commit: 232701f0d9090cd34c22f350a7dfbda7c58a0ea0 Author: Chris PeBenito ieee org> AuthorDate: Fri Feb 24 01:58:41 2017 +0000 Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 25 14:50:54 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=232701f0 mailman: Fixes from Russell Coker. policy/modules/contrib/cron.if | 18 +++++++ policy/modules/contrib/cron.te | 2 +- policy/modules/contrib/mailman.fc | 24 ++++----- policy/modules/contrib/mailman.te | 100 +++++++++++++++++++++++++++++++++++--- policy/modules/contrib/mta.if | 18 +++++++ policy/modules/contrib/mta.te | 2 +- 6 files changed, 143 insertions(+), 21 deletions(-) diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if index 6737f53c..5739d4f0 100644 --- a/policy/modules/contrib/cron.if +++ b/policy/modules/contrib/cron.if 
@@ -705,6 +705,24 @@ interface(`cron_manage_system_spool',` ######################################## ## +## Read and write crond temporary files. +## +## +## +## Domain allowed access. +## +## +# +interface(`cron_rw_tmp_files',` + gen_require(` + type crond_tmp_t; + ') + + allow $1 crond_tmp_t:file rw_file_perms; +') + +######################################## +## ## Read system cron job lib files. ## ## diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te index 3513e1f2..b51524a4 100644 --- a/policy/modules/contrib/cron.te +++ b/policy/modules/contrib/cron.te @@ -1,4 +1,4 @@ -policy_module(cron, 2.11.1) +policy_module(cron, 2.11.2) gen_require(` class passwd rootok; diff --git a/policy/modules/contrib/mailman.fc b/policy/modules/contrib/mailman.fc index 1a226daf..d5734fc9 100644 --- a/policy/modules/contrib/mailman.fc +++ b/policy/modules/contrib/mailman.fc @@ -2,11 +2,11 @@ /etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0) -/usr/lib/mailman.*/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -/usr/lib/mailman.*/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -/usr/lib/mailman.*/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) +/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +/usr/lib/mailman/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +/usr/lib/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) /var/lib/mailman.* gen_context(system_u:object_r:mailman_data_t,s0) -/var/lib/mailman.*/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0) +/var/lib/mailman/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0) /var/lock/mailman.* gen_context(system_u:object_r:mailman_lock_t,s0) /var/lock/subsys/mailman.* -- gen_context(system_u:object_r:mailman_lock_t,s0) 
@@ -17,16 +17,16 @@ /var/spool/mailman.* gen_context(system_u:object_r:mailman_data_t,s0) -/usr/lib/cgi-bin/mailman.*/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) -/usr/lib/mailman.*/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) -/usr/lib/mailman.*/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) -/usr/lib/mailman.*/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -/usr/lib/mailman.*/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -/usr/lib/mailman.*/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +/usr/lib/cgi-bin/mailman/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) +/usr/lib/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) +/usr/lib/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) +/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +/usr/lib/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +/usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -/usr/mailman.*/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +/usr/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -/usr/share/doc/mailman.*/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +/usr/share/doc/mailman/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) ifdef(`distro_gentoo',` # Bug 536666 diff --git a/policy/modules/contrib/mailman.te b/policy/modules/contrib/mailman.te index 7421ce3a..3de43d20 100644 --- a/policy/modules/contrib/mailman.te +++ b/policy/modules/contrib/mailman.te @@ -1,4 +1,4 @@ -policy_module(mailman, 1.12.0) +policy_module(mailman, 1.12.1) ######################################## # 
@@ -91,12 +91,39 @@ miscfiles_read_localization(mailman_domain) # CGI local policy # +allow mailman_cgi_t self:unix_dgram_socket { create connect }; + +allow mailman_cgi_t mailman_archive_t:dir search_dir_perms; +allow mailman_cgi_t mailman_archive_t:file read_file_perms; + +allow mailman_cgi_t mailman_data_t:dir rw_dir_perms; +allow mailman_cgi_t mailman_data_t:file manage_file_perms; +allow mailman_cgi_t mailman_data_t:lnk_file read_lnk_file_perms; + +allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms; +allow mailman_cgi_t mailman_lock_t:file manage_file_perms; + +allow mailman_cgi_t mailman_log_t:file { append_file_perms read_file_perms }; +allow mailman_cgi_t mailman_log_t:dir search_dir_perms; + +kernel_read_crypto_sysctls(mailman_cgi_t) +kernel_read_system_state(mailman_cgi_t) + +corecmd_exec_bin(mailman_cgi_t) + dev_read_urand(mailman_cgi_t) +files_search_locks(mailman_cgi_t) + term_use_controlling_term(mailman_cgi_t) libs_dontaudit_write_lib_dirs(mailman_cgi_t) +logging_search_logs(mailman_cgi_t) + +miscfiles_read_localization(mailman_cgi_t) + + optional_policy(` apache_sigchld(mailman_cgi_t) apache_use_fds(mailman_cgi_t) 
@@ -116,24 +143,61 @@ optional_policy(` # allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config }; -allow mailman_mail_t self:process { signal signull }; +allow mailman_mail_t self:process { signal signull setsched }; + +allow mailman_mail_t mailman_archive_t:dir manage_dir_perms; +allow mailman_mail_t mailman_archive_t:file manage_file_perms; +allow mailman_mail_t mailman_archive_t:lnk_file manage_lnk_file_perms; + +allow mailman_mail_t mailman_data_t:dir rw_dir_perms; +allow mailman_mail_t mailman_data_t:file manage_file_perms; +allow mailman_mail_t mailman_data_t:lnk_file read_lnk_file_perms; + +allow mailman_mail_t mailman_lock_t:dir rw_dir_perms; +allow mailman_mail_t mailman_lock_t:file manage_file_perms; + +allow mailman_mail_t mailman_log_t:dir search; +allow mailman_mail_t mailman_log_t:file read_file_perms; + +domtrans_pattern(mailman_mail_t, mailman_queue_exec_t, mailman_queue_t) +allow mailman_mail_t mailman_queue_exec_t:file ioctl; + +can_exec(mailman_mail_t, mailman_mail_exec_t) manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir }) -corenet_sendrecv_innd_client_packets(mailman_mail_t) -corenet_tcp_connect_innd_port(mailman_mail_t) -corenet_tcp_sendrecv_innd_port(mailman_mail_t) +kernel_read_system_state(mailman_mail_t) +corenet_tcp_connect_smtp_port(mailman_mail_t) corenet_sendrecv_spamd_client_packets(mailman_mail_t) +corenet_sendrecv_innd_client_packets(mailman_mail_t) +corenet_tcp_connect_innd_port(mailman_mail_t) corenet_tcp_connect_spamd_port(mailman_mail_t) +corenet_tcp_sendrecv_innd_port(mailman_mail_t) corenet_tcp_sendrecv_spamd_port(mailman_mail_t) dev_read_urand(mailman_mail_t) +corecmd_exec_bin(mailman_mail_t) + +files_search_locks(mailman_mail_t) + fs_rw_anon_inodefs_files(mailman_mail_t) +# this is far from ideal, but systemd reduces the 
importance of initrc_t +init_signal_script(mailman_mail_t) +init_signull_script(mailman_mail_t) + +# for python .path file +libs_read_lib_files(mailman_mail_t) + +logging_search_logs(mailman_mail_t) + +miscfiles_read_localization(mailman_mail_t) + +mta_use_mailserver_fds(mailman_mail_t) mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t) mta_dontaudit_rw_queue(mailman_mail_t) @@ -159,18 +223,40 @@ allow mailman_queue_t self:capability { setgid setuid }; allow mailman_queue_t self:process { setsched signal_perms }; allow mailman_queue_t self:fifo_file rw_fifo_file_perms; +allow mailman_queue_t mailman_archive_t:dir manage_dir_perms; +allow mailman_queue_t mailman_archive_t:file manage_file_perms; + +allow mailman_queue_t mailman_data_t:dir rw_dir_perms; +allow mailman_queue_t mailman_data_t:file manage_file_perms; +allow mailman_queue_t mailman_data_t:lnk_file read_lnk_file_perms; + +allow mailman_queue_t mailman_lock_t:dir rw_dir_perms; +allow mailman_queue_t mailman_lock_t:file manage_file_perms; + +allow mailman_queue_t mailman_log_t:dir list_dir_perms; +allow mailman_queue_t mailman_log_t:file manage_file_perms; + +kernel_read_system_state(mailman_queue_t) + +auth_domtrans_chk_passwd(mailman_queue_t) + +corecmd_read_bin_files(mailman_queue_t) +corecmd_read_bin_symlinks(mailman_queue_t) corenet_sendrecv_innd_client_packets(mailman_queue_t) corenet_tcp_connect_innd_port(mailman_queue_t) corenet_tcp_sendrecv_innd_port(mailman_queue_t) -auth_domtrans_chk_passwd(mailman_queue_t) - files_dontaudit_search_pids(mailman_queue_t) +files_search_locks(mailman_queue_t) + +miscfiles_read_localization(mailman_queue_t) seutil_dontaudit_search_config(mailman_queue_t) userdom_search_user_home_dirs(mailman_queue_t) +cron_rw_tmp_files(mailman_queue_t) + optional_policy(` apache_read_config(mailman_queue_t) ') diff --git a/policy/modules/contrib/mta.if b/policy/modules/contrib/mta.if index a5034276..7e268b80 100644 --- a/policy/modules/contrib/mta.if 
+++ b/policy/modules/contrib/mta.if @@ -338,6 +338,24 @@ interface(`mta_sendmail_mailserver',` typeattribute $1 mailserver_domain; ') +######################################## +## +## Inherit FDs from mailserver_domain domains +## +## +## +## Type for a list server or delivery agent that inherits fds +## +## +# +interface(`mta_use_mailserver_fds',` + gen_require(` + attribute mailserver_domain; + ') + + allow $1 mailserver_domain:fd use; +') + ####################################### ## ## Make a type a mailserver type used diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te index 9a3ee20e..f7280b11 100644 --- a/policy/modules/contrib/mta.te +++ b/policy/modules/contrib/mta.te 
@@ -1,4 +1,4 @@ -policy_module(mta, 2.8.1) +policy_module(mta, 2.8.2) ######################################## # From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 993B4139694 for ; Sat, 25 Feb 2017 14:52:08 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 09C4DE0D39; Sat, 25 Feb 2017 14:52:08 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id CB751E0D39 for ; Sat, 25 Feb 2017 14:51:57 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 9ADCC341616 for ; Sat, 25 Feb 2017 14:51:46 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 7E90B543D for ; Sat, 25 Feb 2017 14:51:43 +0000 (UTC) 
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1488034254.232701f0d9090cd34c22f350a7dfbda7c58a0ea0.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/cron.if policy/modules/contrib/cron.te policy/modules/contrib/mailman.fc policy/modules/contrib/mailman.te policy/modules/contrib/mta.if policy/modules/contrib/mta.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 232701f0d9090cd34c22f350a7dfbda7c58a0ea0 X-VCS-Branch: master Date: Sat, 25 Feb 2017 14:51:43 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 1662c440-15a7-4868-9892-c2a7960a535a X-Archives-Hash: d8fce055942d802639f40f75dc178a80 Message-ID: <20170225145143.OJsZrwqMWh-c-e3NoKE1eUpFa1jKwb8MF3AIh8-iAMg@z> commit: 232701f0d9090cd34c22f350a7dfbda7c58a0ea0 Author: Chris PeBenito ieee org> AuthorDate: Fri Feb 24 01:58:41 2017 +0000 Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 25 14:50:54 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=232701f0 mailman: Fixes from Russell Coker. policy/modules/contrib/cron.if | 18 +++++++ policy/modules/contrib/cron.te | 2 +- policy/modules/contrib/mailman.fc | 24 ++++----- policy/modules/contrib/mailman.te | 100 +++++++++++++++++++++++++++++++++++--- policy/modules/contrib/mta.if | 18 +++++++ policy/modules/contrib/mta.te | 2 +- 6 files changed, 143 insertions(+), 21 deletions(-) diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if index 6737f53c..5739d4f0 100644 --- a/policy/modules/contrib/cron.if +++ b/policy/modules/contrib/cron.if 
@@ -705,6 +705,24 @@ interface(`cron_manage_system_spool',` ######################################## ## +## Read and write crond temporary files. +## +## +## +## Domain allowed access. +## +## +# +interface(`cron_rw_tmp_files',` + gen_require(` + type crond_tmp_t; + ') + + allow $1 crond_tmp_t:file rw_file_perms; +') + +######################################## +## ## Read system cron job lib files. ## ## diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te index 3513e1f2..b51524a4 100644 --- a/policy/modules/contrib/cron.te +++ b/policy/modules/contrib/cron.te @@ -1,4 +1,4 @@ -policy_module(cron, 2.11.1) +policy_module(cron, 2.11.2) gen_require(` class passwd rootok; diff --git a/policy/modules/contrib/mailman.fc b/policy/modules/contrib/mailman.fc index 1a226daf..d5734fc9 100644 --- a/policy/modules/contrib/mailman.fc +++ b/policy/modules/contrib/mailman.fc @@ -2,11 +2,11 @@ /etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0) -/usr/lib/mailman.*/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -/usr/lib/mailman.*/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -/usr/lib/mailman.*/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) +/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +/usr/lib/mailman/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +/usr/lib/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) /var/lib/mailman.* gen_context(system_u:object_r:mailman_data_t,s0) -/var/lib/mailman.*/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0) +/var/lib/mailman/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0) /var/lock/mailman.* gen_context(system_u:object_r:mailman_lock_t,s0) /var/lock/subsys/mailman.* -- gen_context(system_u:object_r:mailman_lock_t,s0) 
@@ -17,16 +17,16 @@ /var/spool/mailman.* gen_context(system_u:object_r:mailman_data_t,s0) -/usr/lib/cgi-bin/mailman.*/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) -/usr/lib/mailman.*/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) -/usr/lib/mailman.*/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) -/usr/lib/mailman.*/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -/usr/lib/mailman.*/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -/usr/lib/mailman.*/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +/usr/lib/cgi-bin/mailman/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) +/usr/lib/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) +/usr/lib/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) +/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +/usr/lib/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +/usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -/usr/mailman.*/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +/usr/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -/usr/share/doc/mailman.*/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +/usr/share/doc/mailman/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) ifdef(`distro_gentoo',` # Bug 536666 diff --git a/policy/modules/contrib/mailman.te b/policy/modules/contrib/mailman.te index 7421ce3a..3de43d20 100644 --- a/policy/modules/contrib/mailman.te +++ b/policy/modules/contrib/mailman.te @@ -1,4 +1,4 @@ -policy_module(mailman, 1.12.0) +policy_module(mailman, 1.12.1) ######################################## # 
@@ -91,12 +91,39 @@ miscfiles_read_localization(mailman_domain) # CGI local policy # +allow mailman_cgi_t self:unix_dgram_socket { create connect }; + +allow mailman_cgi_t mailman_archive_t:dir search_dir_perms; +allow mailman_cgi_t mailman_archive_t:file read_file_perms; + +allow mailman_cgi_t mailman_data_t:dir rw_dir_perms; +allow mailman_cgi_t mailman_data_t:file manage_file_perms; +allow mailman_cgi_t mailman_data_t:lnk_file read_lnk_file_perms; + +allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms; +allow mailman_cgi_t mailman_lock_t:file manage_file_perms; + +allow mailman_cgi_t mailman_log_t:file { append_file_perms read_file_perms }; +allow mailman_cgi_t mailman_log_t:dir search_dir_perms; + +kernel_read_crypto_sysctls(mailman_cgi_t) +kernel_read_system_state(mailman_cgi_t) + +corecmd_exec_bin(mailman_cgi_t) + dev_read_urand(mailman_cgi_t) +files_search_locks(mailman_cgi_t) + term_use_controlling_term(mailman_cgi_t) libs_dontaudit_write_lib_dirs(mailman_cgi_t) +logging_search_logs(mailman_cgi_t) + +miscfiles_read_localization(mailman_cgi_t) + + optional_policy(` apache_sigchld(mailman_cgi_t) apache_use_fds(mailman_cgi_t) 
@@ -116,24 +143,61 @@ optional_policy(` # allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config }; -allow mailman_mail_t self:process { signal signull }; +allow mailman_mail_t self:process { signal signull setsched }; + +allow mailman_mail_t mailman_archive_t:dir manage_dir_perms; +allow mailman_mail_t mailman_archive_t:file manage_file_perms; +allow mailman_mail_t mailman_archive_t:lnk_file manage_lnk_file_perms; + +allow mailman_mail_t mailman_data_t:dir rw_dir_perms; +allow mailman_mail_t mailman_data_t:file manage_file_perms; +allow mailman_mail_t mailman_data_t:lnk_file read_lnk_file_perms; + +allow mailman_mail_t mailman_lock_t:dir rw_dir_perms; +allow mailman_mail_t mailman_lock_t:file manage_file_perms; + +allow mailman_mail_t mailman_log_t:dir search; +allow mailman_mail_t mailman_log_t:file read_file_perms; + +domtrans_pattern(mailman_mail_t, mailman_queue_exec_t, mailman_queue_t) +allow mailman_mail_t mailman_queue_exec_t:file ioctl; + +can_exec(mailman_mail_t, mailman_mail_exec_t) manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir }) -corenet_sendrecv_innd_client_packets(mailman_mail_t) -corenet_tcp_connect_innd_port(mailman_mail_t) -corenet_tcp_sendrecv_innd_port(mailman_mail_t) +kernel_read_system_state(mailman_mail_t) +corenet_tcp_connect_smtp_port(mailman_mail_t) corenet_sendrecv_spamd_client_packets(mailman_mail_t) +corenet_sendrecv_innd_client_packets(mailman_mail_t) +corenet_tcp_connect_innd_port(mailman_mail_t) corenet_tcp_connect_spamd_port(mailman_mail_t) +corenet_tcp_sendrecv_innd_port(mailman_mail_t) corenet_tcp_sendrecv_spamd_port(mailman_mail_t) dev_read_urand(mailman_mail_t) +corecmd_exec_bin(mailman_mail_t) + +files_search_locks(mailman_mail_t) + fs_rw_anon_inodefs_files(mailman_mail_t) +# this is far from ideal, but systemd reduces the 
importance of initrc_t +init_signal_script(mailman_mail_t) +init_signull_script(mailman_mail_t) + +# for python .path file +libs_read_lib_files(mailman_mail_t) + +logging_search_logs(mailman_mail_t) + +miscfiles_read_localization(mailman_mail_t) + +mta_use_mailserver_fds(mailman_mail_t) mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t) mta_dontaudit_rw_queue(mailman_mail_t) @@ -159,18 +223,40 @@ allow mailman_queue_t self:capability { setgid setuid }; allow mailman_queue_t self:process { setsched signal_perms }; allow mailman_queue_t self:fifo_file rw_fifo_file_perms; +allow mailman_queue_t mailman_archive_t:dir manage_dir_perms; +allow mailman_queue_t mailman_archive_t:file manage_file_perms; + +allow mailman_queue_t mailman_data_t:dir rw_dir_perms; +allow mailman_queue_t mailman_data_t:file manage_file_perms; +allow mailman_queue_t mailman_data_t:lnk_file read_lnk_file_perms; + +allow mailman_queue_t mailman_lock_t:dir rw_dir_perms; +allow mailman_queue_t mailman_lock_t:file manage_file_perms; + +allow mailman_queue_t mailman_log_t:dir list_dir_perms; +allow mailman_queue_t mailman_log_t:file manage_file_perms; + +kernel_read_system_state(mailman_queue_t) + +auth_domtrans_chk_passwd(mailman_queue_t) + +corecmd_read_bin_files(mailman_queue_t) +corecmd_read_bin_symlinks(mailman_queue_t) corenet_sendrecv_innd_client_packets(mailman_queue_t) corenet_tcp_connect_innd_port(mailman_queue_t) corenet_tcp_sendrecv_innd_port(mailman_queue_t) -auth_domtrans_chk_passwd(mailman_queue_t) - files_dontaudit_search_pids(mailman_queue_t) +files_search_locks(mailman_queue_t) + +miscfiles_read_localization(mailman_queue_t) seutil_dontaudit_search_config(mailman_queue_t) userdom_search_user_home_dirs(mailman_queue_t) +cron_rw_tmp_files(mailman_queue_t) + optional_policy(` apache_read_config(mailman_queue_t) ') diff --git a/policy/modules/contrib/mta.if b/policy/modules/contrib/mta.if index a5034276..7e268b80 100644 --- a/policy/modules/contrib/mta.if 
+++ b/policy/modules/contrib/mta.if @@ -338,6 +338,24 @@ interface(`mta_sendmail_mailserver',` typeattribute $1 mailserver_domain; ') +######################################## +## +## Inherit FDs from mailserver_domain domains +## +## +## +## Type for a list server or delivery agent that inherits fds +## +## +# +interface(`mta_use_mailserver_fds',` + gen_require(` + attribute mailserver_domain; + ') + + allow $1 mailserver_domain:fd use; +') + ####################################### ## ## Make a type a mailserver type used diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te index 9a3ee20e..f7280b11 100644 --- a/policy/modules/contrib/mta.te +++ b/policy/modules/contrib/mta.te @@ -1,4 +1,4 @@ -policy_module(mta, 2.8.1) +policy_module(mta, 2.8.2) ######################################## #
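Review bot: in the cron.if hunk, cron_rw_tmp_files only grants "allow $1 crond_tmp_t:file rw_file_perms;" and no directory search permission, so a caller still cannot reach those files through a crond_tmp_t directory or /tmp without files_search_tmp($1) or the rw_files_pattern($1, crond_tmp_t, crond_tmp_t) form comparable interfaces use; either add that here or say in the summary that callers obtain the search permission themselves. The summary should also name which crond temporary files the caller needs, since as written the interface opens every crond temporary file to any domain that calls it.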
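Review bot: in the first mailman.fc hunk, dropping the ".*" from "/usr/lib/mailman.*/bin/mailmanctl" and the other exec entries narrows the regexes so a suffixed or versioned directory under /usr/lib no longer matches, while the adjacent "/etc/mailman.*" and "/var/lib/mailman.*" data entries keep the wildcard; the commit message ("mailman: Fixes from Russell Coker.") gives no reason, so state which install layout the tighter patterns target and why the data paths stay broad, otherwise an install into a suffixed directory gets mislabeled executables and no domain transition into mailman_mail_t or mailman_queue_t.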
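Review bot: the second mailman.fc hunk does the same narrowing, with "/var/spool/mailman.*" keeping its wildcard while every mailman_cgi_exec_t, mailman_queue_exec_t and mailman_mail_exec_t entry loses it; because these entries are the domain entry points, confirm against the distribution's actual install paths that "/usr/lib/cgi-bin/mailman/.*", "/usr/lib/mailman/cgi-bin/.*" and "/usr/mailman/mail/wrapper" are the exact directories used, and note it in the ifdef(`distro_gentoo') block that directly follows this hunk if Gentoo differs.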
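Review bot: in the mailman.te CGI hunk, "allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms;" gives the web-facing CGI domain create and delete on lock directories, while the mail and queue domains added in the same patch get only rw_dir_perms on mailman_lock_t:dir; unless the CGI scripts really create lock directories, use rw_dir_perms here as well so the most exposed domain is not the most privileged one. Minor: kernel_read_crypto_sysctls(mailman_cgi_t) deserves a one-line comment on what reads the crypto sysctls, and the hunk adds two consecutive blank lines before optional_policy(`.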
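Review bot: in the mailman.te mail hunk, "allow mailman_mail_t mailman_log_t:dir search;" uses a bare permission where the rest of the patch uses the search_dir_perms set (compare "mailman_log_t:dir search_dir_perms" in the CGI hunk); use the set for consistency. The standalone "allow mailman_mail_t mailman_queue_exec_t:file ioctl;" right after domtrans_pattern(mailman_mail_t, mailman_queue_exec_t, mailman_queue_t) needs a comment on what issues the ioctl, or should go if the exec permissions granted by the pattern already cover it. The comment "this is far from ideal, but systemd reduces the importance of initrc_t" should say what mailman_mail_t actually signals through init_signal_script and init_signull_script, so a later reader can judge whether the rule is still needed.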
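Review bot: in the mailman.te queue hunk, cron_rw_tmp_files(mailman_queue_t) is called unconditionally, but cron is a separate contrib module and the apache_read_config call two lines below is wrapped in optional_policy(`...'); wrap the cron call the same way so mailman.te still links when the cron module is absent. Separately, "allow mailman_queue_t mailman_log_t:file manage_file_perms;" is broader than the read_file_perms and append_file_perms the other two domains get on mailman_log_t; if the queue runners only append to and create log files, append_file_perms plus create_file_perms is the tighter grant, and if they rotate logs a comment should say so.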
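Review bot: in the mta.if hunk, the summary of mta_use_mailserver_fds reads "Inherit FDs from mailserver_domain domains" while the parameter text says "inherits fds"; the rule is "allow $1 mailserver_domain:fd use;", so word both as "use file descriptors inherited from mailserver domains" to match the permission and the existing use-fds interfaces (apache_use_fds is called in the CGI hunk of this same patch).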