From: "Kenton Groombridge" <concord@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Kenton Groombridge" <concord@gentoo.org>
Message-ID: <1696606026.98ebbf0f2916e7541905c03eef89330b51c9ff97.concord@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/services/clamav.te policy/modules/services/dkim.fc policy/modules/services/dkim.te policy/modules/services/milter.fc policy/modules/services/milter.te policy/modules/services/spamassassin.te
X-VCS-Directories: policy/modules/services/
X-VCS-Committer: concord
X-VCS-Committer-Name: Kenton Groombridge
X-VCS-Revision: 98ebbf0f2916e7541905c03eef89330b51c9ff97
X-VCS-Branch: master
Date: Fri,  6 Oct 2023 16:44:33 +0000 (UTC)

commit:     98ebbf0f2916e7541905c03eef89330b51c9ff97
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Thu Sep 21 16:01:24 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct  6 15:27:06 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=98ebbf0f

policy patches for anti-spam daemons (#698)

* Patches for anti-spam related policy

* Added a separate tunable for execmem, can be enabled for people who need it
which means Debian rspamd users and some of the less common SpamAssassin
configurations

Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/clamav.te       |  5 ++--
 policy/modules/services/dkim.fc         |  1 +
 policy/modules/services/dkim.te         |  2 +-
 policy/modules/services/milter.fc       |  2 ++
 policy/modules/services/milter.te       | 41 +++++++++++++++++++++++++++++++++
 policy/modules/services/spamassassin.te | 16 ++++++++++++-
 6 files changed, 63 insertions(+), 4 deletions(-)

diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index c171fd7dc..a9476a561 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -75,7 +75,7 @@ logging_log_file(freshclam_var_log_t)
 
 allow clamd_t self:capability { chown fowner fsetid kill setgid setuid dac_override };
 dontaudit clamd_t self:capability sys_tty_config;
-allow clamd_t self:process signal;
+allow clamd_t self:process { signal getsched };
 allow clamd_t self:fifo_file rw_fifo_file_perms;
 allow clamd_t self:unix_stream_socket { accept connectto listen };
 allow clamd_t self:tcp_socket { listen accept };
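Review bot: the getsched addition to clamd_t self:process is a small, low-risk widening, but clamav is not mentioned in the commit message, which only talks about anti-spam daemons; a sentence in the message (or a comment above the allow rule) saying which clamd operation triggered the denial would keep the policy auditable later.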
@@ -174,7 +174,7 @@ optional_policy(`
 # Freshclam local policy
 #
 
-allow freshclam_t self:capability { dac_override setgid setuid };
+allow freshclam_t self:capability { chown dac_override setgid setuid };
 allow freshclam_t self:fifo_file rw_fifo_file_perms;
 allow freshclam_t self:unix_stream_socket { accept listen };
 allow freshclam_t self:tcp_socket { accept listen };
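Review bot: chown is a notable capability for freshclam_t, a process that only fetches signature databases, and neither the hunk nor the commit message gives a reason for it. If it is a real requirement (for example freshclam setting ownership of the database files it downloads), say so in the commit message; if it is only a probing call whose failure is harmless, `dontaudit freshclam_t self:capability chown;` would be the smaller change.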
@@ -225,6 +225,7 @@ dev_read_urand(freshclam_t)
 domain_use_interactive_fds(freshclam_t)
 
 files_read_etc_runtime_files(freshclam_t)
+files_read_usr_files(freshclam_t)
 files_search_var_lib(freshclam_t)
 
 auth_use_nsswitch(freshclam_t)

diff --git a/policy/modules/services/dkim.fc b/policy/modules/services/dkim.fc
index 08b652630..0b269c0af 100644
--- a/policy/modules/services/dkim.fc
+++ b/policy/modules/services/dkim.fc
@@ -1,4 +1,5 @@
 /etc/opendkim/keys(/.*)?				gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+/etc/dkimkeys(/.*)?					gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
 
 /etc/rc\.d/init\.d/((opendkim)|(dkim-milter))	--	gen_context(system_u:object_r:dkim_milter_initrc_exec_t,s0)
 
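Review bot: labelling /etc/dkimkeys as dkim_milter_private_key_t only takes effect on already-installed systems after a relabel (restorecon -R /etc/dkimkeys); worth a line in the commit message, since the read_files_pattern rule in dkim.te will otherwise still be denied on upgraded hosts. The entry itself is consistent with the existing /etc/opendkim/keys line.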

diff --git a/policy/modules/services/dkim.te b/policy/modules/services/dkim.te
index 32468194b..e960818da 100644
--- a/policy/modules/services/dkim.te
+++ b/policy/modules/services/dkim.te
@@ -24,7 +24,7 @@ init_daemon_runtime_file(dkim_milter_data_t, dir, "opendkim")
 #
 
 allow dkim_milter_t self:capability { dac_read_search dac_override setgid setuid };
-allow dkim_milter_t self:process { signal signull };
+allow dkim_milter_t self:process { signal signull getsched };
 allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
 
 read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
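Review bot: same remark as for clamd_t: getsched is harmless, but nothing in the hunk or commit message says which scheduler query in opendkim needs it; a short comment makes later tightening easier.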

diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc
index 42fe5e941..71b168061 100644
--- a/policy/modules/services/milter.fc
+++ b/policy/modules/services/milter.fc
@@ -8,6 +8,7 @@
 /usr/sbin/milter-greylist	--	gen_context(system_u:object_r:greylist_milter_exec_t,s0)
 /usr/sbin/sqlgrey		--	gen_context(system_u:object_r:greylist_milter_exec_t,s0)
 /usr/sbin/milter-regex		--	gen_context(system_u:object_r:regex_milter_exec_t,s0)
+/usr/sbin/postfwd.*		--	gen_context(system_u:object_r:postfwd_milter_exec_t,s0)
 /usr/sbin/spamass-milter	--	gen_context(system_u:object_r:spamass_milter_exec_t,s0)
 
 /var/lib/milter-greylist(/.*)?		gen_context(system_u:object_r:greylist_milter_data_t,s0)
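Review bot: `/usr/sbin/postfwd.*` with the `--` file-type flag matches every regular file in /usr/sbin whose name starts with postfwd, not only the daemon binaries, so any helper or wrapper installed alongside would also become postfwd_milter_exec_t and be started in the confined domain. If the intent is the versioned executables, a tighter pattern such as `/usr/sbin/postfwd[0-9]?` is safer; if the glob is deliberate, a comment saying so would help.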
@@ -16,6 +17,7 @@
 
 /run/milter-greylist(/.*)?		gen_context(system_u:object_r:greylist_milter_data_t,s0)
 /run/milter-greylist\.pid	--	gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/run/postfwd\.pid		--	gen_context(system_u:object_r:postfwd_milter_runtime_t,s0)
 /run/spamass(/.*)?			gen_context(system_u:object_r:spamass_milter_data_t,s0)
 /run/sqlgrey\.pid		--	gen_context(system_u:object_r:greylist_milter_data_t,s0)
 /run/spamass-milter(/.*)?		gen_context(system_u:object_r:spamass_milter_data_t,s0)

diff --git a/policy/modules/services/milter.te b/policy/modules/services/milter.te
index a8a7c1f29..01e45842c 100644
--- a/policy/modules/services/milter.te
+++ b/policy/modules/services/milter.te
@@ -9,9 +9,16 @@ attribute milter_domains;
 attribute milter_data_type;
 
 milter_template(greylist)
+milter_template(postfwd)
 milter_template(regex)
 milter_template(spamass)
 
+type postfwd_milter_runtime_t;
+files_runtime_file(postfwd_milter_runtime_t)
+
+type postfwd_milter_tmp_t;
+files_tmp_file(postfwd_milter_tmp_t)
+
 type spamass_milter_initrc_exec_t;
 init_script_file(spamass_milter_initrc_exec_t)
 
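Review bot: style point on the two new types: the other milters in this file label their pid and socket files with the template-provided *_milter_data_t (see the greylist and spamass entries in milter.fc) rather than separate runtime and tmp types. Unless postfwd's pid file and socket need to be distinguished from its other data, reusing the template's data type would avoid two extra types and their filetrans rules; if the split is intentional, a comment above the declarations saying why would help.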
@@ -74,6 +81,40 @@ optional_policy(`
 	mysql_stream_connect(greylist_milter_t)
 ')
 
+########################################
+#
+# postfwd local policy
+#
+
+allow postfwd_milter_t self:process { signal signull };
+allow postfwd_milter_t self:capability { chown dac_override dac_read_search kill setgid setuid };
+allow postfwd_milter_t self:unix_stream_socket connectto;
+
+files_runtime_filetrans(postfwd_milter_t, postfwd_milter_runtime_t, file, "postfwd.pid")
+allow postfwd_milter_t postfwd_milter_runtime_t:file manage_file_perms;
+
+allow postfwd_milter_t postfwd_milter_tmp_t:sock_file manage_sock_file_perms;
+allow postfwd_milter_t postfwd_milter_tmp_t:file manage_file_perms;
+files_tmp_filetrans(postfwd_milter_t, postfwd_milter_tmp_t, { file sock_file })
+
+kernel_read_kernel_sysctls(postfwd_milter_t)
+
+corecmd_exec_bin(postfwd_milter_t)
+corecmd_exec_shell(postfwd_milter_t)
+corecmd_mmap_bin_files(postfwd_milter_t)
+corenet_tcp_bind_all_unreserved_ports(postfwd_milter_t)
+corenet_tcp_connect_all_unreserved_ports(postfwd_milter_t)
+
+dev_read_urand(postfwd_milter_t)
+
+files_read_usr_files(postfwd_milter_t)
+files_read_usr_symlinks(postfwd_milter_t)
+files_search_tmp(postfwd_milter_t)
+
+optional_policy(`
+	postfix_read_config(postfwd_milter_t)
+')
+
 ########################################
 #
 # regex local policy
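Review bot: the network rules are the main concern in this hunk: `corenet_tcp_bind_all_unreserved_ports(postfwd_milter_t)` together with `corenet_tcp_connect_all_unreserved_ports(postfwd_milter_t)` let the daemon listen on and connect to any unreserved TCP port, which is far wider than a policy daemon that serves one port needs. Define a port type for postfwd's listening port and bind to that, and scope the connect rule to whatever it actually talks to (the postfix_read_config call in the optional_policy block suggests Postfix, which could be granted there specifically). Second, `corecmd_exec_shell(postfwd_milter_t)` alongside corecmd_exec_bin gives a confined daemon a shell; if that is only for a start-up wrapper it should be stated in a comment, and if it is not needed at runtime it should go. The capability set `{ chown dac_override dac_read_search kill setgid setuid }` is also generous for a milter, and kill in particular would normally be explained. Finally, no logging interface appears in the hunk, so if postfwd logs via syslog a logging_send_syslog_msg(postfwd_milter_t) call is missing unless milter_template already supplies it.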

diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index ac3c340f6..1d28b3069 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -39,6 +39,14 @@ gen_tunable(spamassassin_network_update, true)
 ## </desc>
 gen_tunable(rspamd_spamd, false)
 
+## <desc>
+##	<p>
+##	Determine whether execmem should be allowed
+##	Needed if LUA JIT is enabled for rspamd
+##	</p>
+## </desc>
+gen_tunable(spamd_execmem, false)
+
 attribute_role spamd_update_roles;
 
 type spamassassin_t;
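Review bot: the tunable description should name the domain it affects and the security cost, in the style of the neighbouring tunables, e.g. "Determine whether spamd may execute memory it can also write (execmem). Needed when rspamd is built with LuaJIT; off by default because it weakens W^X for the daemon." Also "LUA" is normally written "Lua", and the two sentences need punctuation.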
@@ -415,10 +423,16 @@ tunable_policy(`spamd_enable_home_dirs',`
 	userdom_manage_user_home_content_symlinks(spamd_t)
 ')
 
+tunable_policy(`spamd_execmem',`
+	allow spamd_t self:process execmem;
+')
+
 tunable_policy(`rspamd_spamd',`
 	allow spamd_t self:process setrlimit;
 	allow spamc_t self:process setrlimit;
 
+	kernel_read_network_state(spamd_t)
+
 	list_dirs_pattern(spamd_t, spamd_etc_t, spamd_etc_t)
 	mmap_read_files_pattern(spamd_t, spamd_etc_t, spamd_etc_t)
 	allow spamd_t spamd_etc_t:dir watch;
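Review bot: execmem on spamd_t removes the write-xor-execute guarantee for the whole spamd domain, not only for the LuaJIT case, so keeping the tunable off by default (as the earlier hunk does) is the right call; it is also worth documenting that spamd_execmem is independent of rspamd_spamd, so the less common SpamAssassin configurations named in the commit message can enable it without the rspamd rules. The kernel_read_network_state addition inside the rspamd_spamd block exposes /proc/net to all of spamd_t; a short comment on which rspamd feature needs it would help future tightening.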
@@ -427,7 +441,7 @@ tunable_policy(`rspamd_spamd',`
 	allow spamd_t spamd_var_lib_t:dir watch;
 	filetrans_pattern(spamd_t, spamd_var_lib_t, spamd_runtime_t, sock_file)
 
-	search_dirs_pattern(spamd_t, spamd_log_t, spamd_log_t)
+	allow spamd_t spamd_log_t:dir rw_dir_perms;
 
 	fs_search_tmpfs(spamd_t)
 	manage_dirs_pattern(spamd_t, spamd_tmpfs_t, spamd_tmpfs_t)
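Review bot: rw_dir_perms on spamd_log_t directories includes write and remove_name, so spamd_t can now delete or rename entries in its own log directory, which is exactly the ability a log-directory policy usually withholds from the daemon that writes the logs. If rspamd only needs to create and append to its log files, add_name alone (a filetrans_pattern into a spamd_log_t file type plus append_files_pattern) is tighter; if rspamd rotates its own logs and genuinely needs remove_name, a comment saying so would help. The dropped search_dirs_pattern is covered, since rw_dir_perms includes search.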