From: "Kenton Groombridge"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Kenton Groombridge"
Message-ID: <1696606026.98ebbf0f2916e7541905c03eef89330b51c9ff97.concord@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/services/clamav.te policy/modules/services/dkim.fc policy/modules/services/dkim.te policy/modules/services/milter.fc policy/modules/services/milter.te policy/modules/services/spamassassin.te
X-VCS-Directories: policy/modules/services/
X-VCS-Committer: concord
X-VCS-Committer-Name: Kenton Groombridge
X-VCS-Revision: 98ebbf0f2916e7541905c03eef89330b51c9ff97
X-VCS-Branch: master
Date: Fri, 6 Oct 2023 16:44:33 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: a6a377db-205e-489f-8326-82bf4ae4d8f0
X-Archives-Hash: 055be3ded5c43b0be9d829fdd0cba4df

commit:     98ebbf0f2916e7541905c03eef89330b51c9ff97
Author:     Russell Coker coker com au>
AuthorDate: Thu Sep 21 16:01:24 2023 +0000
Commit:     Kenton Groombridge gentoo org>
CommitDate: Fri Oct 6 15:27:06 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=98ebbf0f

policy patches for anti-spam daemons (#698)

* Patches for anti-spam related policy
* Added a separate tunable for execmem, can be enabled for people who need it which means Debian rspam users and some of the less common SpamAssassin configurations

Signed-off-by: Russell Coker coker.com.au>
Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/clamav.te | 5 ++-- policy/modules/services/dkim.fc | 1 + policy/modules/services/dkim.te | 2 +- policy/modules/services/milter.fc | 2 ++ policy/modules/services/milter.te | 41 +++++++++++++++++++++++++++++++++ policy/modules/services/spamassassin.te | 16 ++++++++++++- 6 files changed, 63 insertions(+), 4 deletions(-) diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te index c171fd7dc..a9476a561 100644 --- a/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te @@ -75,7 +75,7 @@ logging_log_file(freshclam_var_log_t) allow clamd_t self:capability { chown fowner fsetid kill setgid setuid dac_override }; dontaudit clamd_t self:capability sys_tty_config; -allow clamd_t self:process signal; +allow clamd_t self:process { signal getsched }; allow clamd_t self:fifo_file rw_fifo_file_perms; allow clamd_t self:unix_stream_socket { accept connectto listen }; allow clamd_t self:tcp_socket { listen accept }; @@ -174,7 +174,7 @@ optional_policy(` # Freshclam local policy # -allow freshclam_t self:capability { dac_override setgid setuid }; +allow freshclam_t self:capability { chown dac_override setgid setuid }; allow freshclam_t self:fifo_file rw_fifo_file_perms; allow freshclam_t self:unix_stream_socket { accept listen }; allow freshclam_t self:tcp_socket { accept listen }; @@ -225,6 +225,7 @@ dev_read_urand(freshclam_t) domain_use_interactive_fds(freshclam_t) files_read_etc_runtime_files(freshclam_t) +files_read_usr_files(freshclam_t) files_search_var_lib(freshclam_t) auth_use_nsswitch(freshclam_t) diff --git a/policy/modules/services/dkim.fc b/policy/modules/services/dkim.fc index 08b652630..0b269c0af 100644 --- a/policy/modules/services/dkim.fc +++ b/policy/modules/services/dkim.fc 
@@ -1,4 +1,5 @@ /etc/opendkim/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0) +/etc/dkimkeys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0) /etc/rc\.d/init\.d/((opendkim)|(dkim-milter)) -- gen_context(system_u:object_r:dkim_milter_initrc_exec_t,s0) diff --git a/policy/modules/services/dkim.te b/policy/modules/services/dkim.te index 32468194b..e960818da 100644 --- a/policy/modules/services/dkim.te +++ b/policy/modules/services/dkim.te @@ -24,7 +24,7 @@ init_daemon_runtime_file(dkim_milter_data_t, dir, "opendkim") # allow dkim_milter_t self:capability { dac_read_search dac_override setgid setuid }; -allow dkim_milter_t self:process { signal signull }; +allow dkim_milter_t self:process { signal signull getsched }; allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms; read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t) diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc index 42fe5e941..71b168061 100644 --- a/policy/modules/services/milter.fc +++ b/policy/modules/services/milter.fc @@ -8,6 +8,7 @@ /usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0) /usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0) /usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0) +/usr/sbin/postfwd.* -- gen_context(system_u:object_r:postfwd_milter_exec_t,s0) /usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0) /var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) 
@@ -16,6 +17,7 @@ /run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) /run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0) +/run/postfwd\.pid -- gen_context(system_u:object_r:postfwd_milter_runtime_t,s0) /run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) /run/sqlgrey\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0) /run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) diff --git a/policy/modules/services/milter.te b/policy/modules/services/milter.te index a8a7c1f29..01e45842c 100644 --- a/policy/modules/services/milter.te +++ b/policy/modules/services/milter.te @@ -9,9 +9,16 @@ attribute milter_domains; attribute milter_data_type; milter_template(greylist) +milter_template(postfwd) milter_template(regex) milter_template(spamass) +type postfwd_milter_runtime_t; +files_runtime_file(postfwd_milter_runtime_t) + +type postfwd_milter_tmp_t; +files_tmp_file(postfwd_milter_tmp_t) + type spamass_milter_initrc_exec_t; init_script_file(spamass_milter_initrc_exec_t) 
@@ -74,6 +81,40 @@ optional_policy(` mysql_stream_connect(greylist_milter_t) ') +######################################## +# +# postfwd local policy +# + +allow postfwd_milter_t self:process { signal signull }; +allow postfwd_milter_t self:capability { chown dac_override dac_read_search kill setgid setuid }; +allow postfwd_milter_t self:unix_stream_socket connectto; + +files_runtime_filetrans(postfwd_milter_t, postfwd_milter_runtime_t, file, "postfwd.pid") +allow postfwd_milter_t postfwd_milter_runtime_t:file manage_file_perms; + +allow postfwd_milter_t postfwd_milter_tmp_t:sock_file manage_sock_file_perms; +allow postfwd_milter_t postfwd_milter_tmp_t:file manage_file_perms; +files_tmp_filetrans(postfwd_milter_t, postfwd_milter_tmp_t, { file sock_file }) + +kernel_read_kernel_sysctls(postfwd_milter_t) + +corecmd_exec_bin(postfwd_milter_t) +corecmd_exec_shell(postfwd_milter_t) +corecmd_mmap_bin_files(postfwd_milter_t) +corenet_tcp_bind_all_unreserved_ports(postfwd_milter_t) +corenet_tcp_connect_all_unreserved_ports(postfwd_milter_t) + +dev_read_urand(postfwd_milter_t) + +files_read_usr_files(postfwd_milter_t) +files_read_usr_symlinks(postfwd_milter_t) +files_search_tmp(postfwd_milter_t) + +optional_policy(` + postfix_read_config(postfwd_milter_t) +') + ######################################## # # regex local policy diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te index ac3c340f6..1d28b3069 100644 --- a/policy/modules/services/spamassassin.te +++ b/policy/modules/services/spamassassin.te @@ -39,6 +39,14 @@ gen_tunable(spamassassin_network_update, true) ## gen_tunable(rspamd_spamd, false) +## +##

+## Determine whether execmem should be allowed +## Needed if LUA JIT is enabled for rspamd +##

+##
+gen_tunable(spamd_execmem, false) + attribute_role spamd_update_roles; type spamassassin_t; @@ -415,10 +423,16 @@ tunable_policy(`spamd_enable_home_dirs',` userdom_manage_user_home_content_symlinks(spamd_t) ') +tunable_policy(`spamd_execmem',` + allow spamd_t self:process execmem; +') + tunable_policy(`rspamd_spamd',` allow spamd_t self:process setrlimit; allow spamc_t self:process setrlimit; + kernel_read_network_state(spamd_t) + list_dirs_pattern(spamd_t, spamd_etc_t, spamd_etc_t) mmap_read_files_pattern(spamd_t, spamd_etc_t, spamd_etc_t) allow spamd_t spamd_etc_t:dir watch; @@ -427,7 +441,7 @@ tunable_policy(`rspamd_spamd',` allow spamd_t spamd_var_lib_t:dir watch; filetrans_pattern(spamd_t, spamd_var_lib_t, spamd_runtime_t, sock_file) - search_dirs_pattern(spamd_t, spamd_log_t, spamd_log_t) + allow spamd_t spamd_log_t:dir rw_dir_perms; fs_search_tmpfs(spamd_t) manage_dirs_pattern(spamd_t, spamd_tmpfs_t, spamd_tmpfs_t)