add spamassassin

2005-10-22 23:50:23 +00:00 · 2005-10-22 23:50:23 +00:00 · f932d8e3cb
commit f932d8e3cb
parent 385dcd4e70
10 changed files with 218 additions and 9 deletions
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@ -12,6 +12,7 @@
 	networkmanager
 	pegasus
 	radius
+	spamassassin
 	xdm

 * Wed Oct 19 2005 Chris PeBenito <selinux@tresys.com> - 20051019
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@ -101,6 +101,9 @@ gen_tunable(read_untrusted_content,false)
 ## Allow ssh to run from inetd instead of as a daemon.
 gen_tunable(run_ssh_inetd,false)

+## Allow user spamassassin clients to use the network.
+gen_tunable(spamassassin_can_network,false)
+
 ## Allow squid to connect to all ports, not just
 ## HTTP, FTP, and Gopher ports.
 gen_tunable(squid_connect_any,false)
--- a/refpolicy/policy/modules/services/mta.fc
+++ b/refpolicy/policy/modules/services/mta.fc
@ -1,12 +1,11 @@

 /etc/aliases			--	gen_context(system_u:object_r:etc_aliases_t,s0)
 /etc/aliases\.db		--	gen_context(system_u:object_r:etc_aliases_t,s0)
+/etc/mail(/.*)?				gen_context(system_u:object_r:etc_mail_t,s0)

-ifdef(`sendmail.te',`',`
 /usr/lib(64)?/sendmail		--	gen_context(system_u:object_r:sendmail_exec_t,s0)

 /usr/sbin/sendmail(.sendmail)?	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
-')

 /var/mail(/.*)?				gen_context(system_u:object_r:mail_spool_t,s0)

--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@ -329,6 +329,24 @@ interface(`mta_exec',`
 	can_exec($1, sendmail_exec_t)
 ')

+########################################
+## <summary>
+##	Read mail server configuration.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`mta_read_config',`
+	gen_require(`
+		type etc_mail_t;
+	')
+
+	files_search_etc($1)
+	allow spamd_t etc_mail_t:dir list_dir_perms;
+	allow spamd_t etc_mail_t:file r_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read mail address aliases.
--- a/refpolicy/policy/modules/services/sendmail.fc
+++ b/refpolicy/policy/modules/services/sendmail.fc
@ -1,5 +1,3 @@
-# sendmail file contexts
-/etc/mail(/.*)?				gen_context(system_u:object_r:etc_mail_t,s0)

 /var/log/sendmail\.st		--	gen_context(system_u:object_r:sendmail_log_t,s0)
 /var/log/mail(/.*)?			gen_context(system_u:object_r:sendmail_log_t,s0)
--- a/refpolicy/policy/modules/services/spamassassin.fc
+++ b/refpolicy/policy/modules/services/spamassassin.fc
@ -0,0 +1,11 @@
+
+/usr/bin/sa-learn	--	gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/spamc		--	gen_context(system_u:object_r:spamc_exec_t,s0)
+/usr/bin/spamd		--	gen_context(system_u:object_r:spamd_exec_t,s0)
+
+/usr/sbin/spamd		--	gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/spamassassin	--	gen_context(system_u:object_r:spamassassin_exec_t,s0)
+
+ifdef(`targeted_policy',`',`
+HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)
+')
--- a/refpolicy/policy/modules/services/spamassassin.if
+++ b/refpolicy/policy/modules/services/spamassassin.if
@ -0,0 +1,3 @@
+## <summary>Filter used for removing unsolicited email.</summary>
+
+# cjp: TODO: integrate old spamassassin_macros.te
--- a/refpolicy/policy/modules/services/spamassassin.te
+++ b/refpolicy/policy/modules/services/spamassassin.te
@ -0,0 +1,158 @@
+
+policy_module(spamassassin,0.9)
+
+########################################
+#
+# Declarations
+#
+
+# spamassassin client executable
+type spamc_exec_t;
+files_type(spamc_exec_t)
+
+type spamd_t;
+type spamd_exec_t;
+init_daemon_domain(spamd_t,spamd_exec_t)
+
+type spamd_tmp_t;
+files_tmp_file(spamd_tmp_t)
+
+type spamd_var_run_t;
+files_pid_file(spamd_var_run_t)
+
+type spamassassin_exec_t;
+files_type(spamassassin_exec_t)
+
+########################################
+#
+# Spamassassin daemon local policy
+#
+
+# Spamassassin, when run as root and using per-user config files,
+# setuids to the user running spamc.  Comment this if you are not
+# using this ability.
+
+allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };
+dontaudit spamd_t self:capability sys_tty_config;
+allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow spamd_t self:fd use;
+allow spamd_t self:fifo_file rw_file_perms;
+allow spamd_t self:shm create_shm_perms;
+allow spamd_t self:sem create_sem_perms;
+allow spamd_t self:msgq create_msgq_perms;
+allow spamd_t self:msg { send receive };
+allow spamd_t self:unix_dgram_socket create_socket_perms;
+allow spamd_t self:unix_stream_socket create_stream_socket_perms;
+allow spamd_t self:unix_dgram_socket sendto;
+allow spamd_t self:unix_stream_socket connectto;
+allow spamd_t self:tcp_socket create_stream_socket_perms;
+allow spamd_t self:udp_socket create_socket_perms;
+
+allow spamd_t spamd_tmp_t:dir create_dir_perms;
+allow spamd_t spamd_tmp_t:file create_file_perms;
+files_create_tmp_files(spamd_t, spamd_tmp_t, { file dir })
+
+allow spamd_t spamd_var_run_t:file create_file_perms;
+allow spamd_t spamd_var_run_t:dir rw_dir_perms;
+files_create_pid(spamd_t,spamd_var_run_t)
+
+kernel_read_all_sysctl(spamd_t)
+kernel_read_system_state(spamd_t)
+
+corenet_tcp_sendrecv_all_if(spamd_t)
+corenet_udp_sendrecv_all_if(spamd_t)
+corenet_raw_sendrecv_all_if(spamd_t)
+corenet_tcp_sendrecv_all_nodes(spamd_t)
+corenet_udp_sendrecv_all_nodes(spamd_t)
+corenet_raw_sendrecv_all_nodes(spamd_t)
+corenet_tcp_bind_all_nodes(spamd_t)
+corenet_udp_bind_all_nodes(spamd_t)
+corenet_tcp_sendrecv_all_ports(spamd_t)
+corenet_tcp_bind_spamd_port(spamd_t)
+
+dev_read_sysfs(spamd_t)
+dev_read_urand(spamd_t)
+
+fs_getattr_all_fs(spamd_t)
+fs_search_auto_mountpoints(spamd_t)
+
+term_dontaudit_use_console(spamd_t)
+
+auth_dontaudit_read_shadow(spamd_t)
+
+corecmd_exec_bin(spamd_t)
+corecmd_search_sbin(spamd_t)
+
+domain_use_wide_inherit_fd(spamd_t)
+
+files_read_usr_files(spamd_t)
+files_read_etc_files(spamd_t)
+files_read_etc_runtime_files(spamd_t)
+
+init_use_fd(spamd_t)
+init_use_script_pty(spamd_t)
+init_dontaudit_rw_script_pid(spamd_t)
+
+libs_use_ld_so(spamd_t)
+libs_use_shared_libs(spamd_t)
+# Various Perl bits
+libs_use_lib(spamd_t)
+
+logging_send_syslog_msg(spamd_t)
+
+miscfiles_read_localization(spamd_t)
+
+sysnet_read_config(spamd_t)
+
+userdom_use_unpriv_users_fd(spamd_t)
+userdom_search_unpriv_user_home_dirs(spamd_t)
+userdom_dontaudit_search_sysadm_home_dir(spamd_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_tty(spamd_t)
+	term_dontaudit_use_generic_pty(spamd_t)
+	files_dontaudit_read_root_file(spamd_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_files(spamd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_files(spamd_t)
+')
+
+optional_policy(`cron.te',`
+	cron_system_entry(spamd_t,spamd_exec_t)
+')
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(spamd_t)
+')
+
+optional_policy(`selinuxutil.te',`
+	seutil_sigchld_newrole(spamd_t)
+')
+
+optional_policy(`sendmail.te',`
+	sendmail_stub(spamd_t)
+	mta_read_config(spamd_t)
+')
+
+optional_policy(`udev.te', `
+	udev_read_db(spamd_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(spamd_t)
+')
+
+optional_policy(`amavis.te', `
+# for bayes tokens
+allow spamd_t var_lib_t:dir { getattr search };
+allow spamd_t amavisd_lib_t:dir rw_dir_perms;
+allow spamd_t amavisd_lib_t:file create_file_perms;
+allow spamd_t amavisd_lib_t:lnk_file create_lnk_perms;
+')
+') dnl end TODO
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@ -195,6 +195,26 @@ interface(`libs_exec_lib_files',`
 	can_exec($1,lib_t)
 ')

+########################################
+## <summary>
+##	Load and execute functions from generic
+##	lib files as shared libraries.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`libs_use_lib',`
+	gen_require(`
+		type lib_t;
+	')
+
+	files_list_usr($1)
+	allow $1 lib_t:dir r_dir_perms;
+	allow $1 lib_t:lnk_file r_file_perms;
+	allow $1 lib_t:file rx_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Relabel files to the type used in library directories.
@ -223,9 +243,6 @@ interface(`libs_relabelto_lib_files',`
 interface(`libs_use_shared_libs',`
 	gen_require(`
 		type lib_t, shlib_t, texrel_shlib_t;
-		class dir r_dir_perms;
-		class lnk_file r_file_perms;
-		class file { rx_file_perms execmod };
 	')

 	files_list_usr($1)
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@ -1799,7 +1799,7 @@ interface(`userdom_dontaudit_search_sysadm_home_dir',`
 		type sysadm_home_dir_t;
 	')

-	dontaudit $1 sysadm_home_dir_t:dir { getattr search };
+	dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
 ')

 ########################################
@ -2223,7 +2223,8 @@ interface(`userdom_search_unpriv_user_home_dirs',`
 		attribute user_home_dir_type;
 	')

-	allow $1 user_home_dir_type:dir search;
+	files_search_home($1)
+	allow $1 user_home_dir_type:dir search_dir_perms;
 ')

 ########################################