#
# DCC - Distributed Checksum Clearinghouse
# Author:  David Hampton <hampton@employees.org>
#
# SELinux type-enforcement policy for the DCC daemons, clients and helper
# scripts.  Written against the macro-based policy style (daemon_domain,
# application_domain, domain_auto_trans, ...); those macros are defined
# outside this file.
#
# NOTE: DCC has writeable files in /etc/dcc that should probably be in
# /var/lib/dcc.  For now this policy supports both directories being
# writable.
#

# Files common to all dcc programs
type dcc_client_map_t, file_type, sysadmfile;
type dcc_var_t, file_type, sysadmfile;
type dcc_var_run_t, file_type, sysadmfile;


##########
##########

#
# dcc_common - rules common to all dcc variants
#
# $1 is the domain prefix; every rule below is written against $1_t.
# $2 is optional.  When it is the literal word server the domain gets
# can_network_udp without a port argument, otherwise can_network_udp is
# called with dcc_port_t.
# NOTE(review): presumably the second argument limits UDP traffic to the
# DCC port type - confirm against the can_network_udp macro definition.
#
define(`dcc_common',`
# Access files in /var/dcc. The map file can be updated
r_dir_file($1_t, dcc_var_t)
allow $1_t dcc_client_map_t:file rw_file_perms;

# Read mtab, nsswitch and locale
allow $1_t { etc_t etc_runtime_t }:file { getattr read };
read_locale($1_t)

# Networking: name resolution for every variant, UDP scope chosen by $2
can_resolve($1_t)
ifelse($2, `server', `
can_network_udp($1_t)
', `
can_network_udp($1_t, `dcc_port_t')
')
allow $1_t self:unix_dgram_socket create_socket_perms;

# Create private temp files
tmp_domain($1)

# Triggered by a call to gethostid(2) in dcc client libs
allow $1_t self:unix_stream_socket { connect create };

# Signal the su domain on exit and use descriptors inherited from the
# startup script domain
allow $1_t sysadm_su_t:process { sigchld };
allow $1_t dcc_script_t:fd use;

# These two accesses are denied without an audit record, so they will not
# show up when reviewing AVC denials for a dcc domain
dontaudit $1_t kernel_t:fd use;
dontaudit $1_t root_t:file read;
')

# Init scripts may add and remove entries in the dcc run directory
allow initrc_t dcc_var_run_t:dir rw_dir_perms;

##########
##########

#
# dccd - Server daemon that can be accessed over the net
#
# Instantiated with the server argument, so it takes the can_network_udp
# branch that has no port argument.
#
daemon_domain(dccd, `, privlog, nscd_client_domain')
dcc_common(dccd, server);

# Runs the dbclean program; executing it moves the process into
# dcc_dbclean_t instead of keeping the daemon domain
allow dccd_t bin_t:dir search;
domain_auto_trans(dccd_t, dcc_dbclean_exec_t, dcc_dbclean_t)

# The daemon needs to listen on the dcc ports
allow dccd_t dcc_port_t:udp_socket name_bind;

# Updating dcc_db, flod, ...
# dccd creates and modifies files and directories labelled dcc_var_t
create_dir_file(dccd_t, dcc_var_t);

# NOTE(review): net_admin is a broad capability and the policy gives no
# reason for it - presumably it goes with the netlink route socket use on
# the next line; confirm the daemon really needs it before keeping it.
allow dccd_t self:capability net_admin;
allow dccd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };

# Reading /proc/meminfo
allow dccd_t proc_t:file { getattr read };


#
# cdcc - control dcc daemon
#
# Gets the client branch of dcc_common (no second argument).
#
application_domain(cdcc, `, nscd_client_domain')
role system_r types cdcc_t;
dcc_common(cdcc)

# suid program
allow cdcc_t self:capability setuid;

# Running from the command line: use descriptors inherited from sshd and
# read/write the sysadm pseudo-terminal
allow cdcc_t sshd_t:fd use;
allow cdcc_t sysadm_devpts_t:chr_file rw_file_perms;

##########
##########

#
# DCC Clients
#

#
# dccifd - Spamassassin and general MTA persistent client
#
daemon_domain(dccifd, `, privlog, nscd_client_domain')
dcc_common(dccifd);
# Regular files dccifd creates in the dcc run directory get dccifd_var_run_t
file_type_auto_trans(dccifd_t, dcc_var_run_t, dccifd_var_run_t, file)

# Allow the domain to communicate with other processes
allow dccifd_t self:unix_stream_socket create_stream_socket_perms;

# Updating dcc_db, flod, ...
create_dir_notdevfile(dccifd_t, dcc_var_t);

# Updating map, ...
# (dcc_common already contains this same rule for every dcc domain)
allow dccifd_t dcc_client_map_t:file rw_file_perms;

# dccifd communications socket.  Socket files dccifd creates under
# dcc_var_t are labelled dccifd_sock_t, which is the type access_dcc
# grants write access to.
# NOTE(review): the dccm socket rule uses dcc_var_run_t as its parent
# directory type while this one uses dcc_var_t - confirm that matches
# where each daemon actually places its socket.
type dccifd_sock_t, file_type, sysadmfile;
file_type_auto_trans(dccifd_t, dcc_var_t, dccifd_sock_t, sock_file)

# Reading /proc/meminfo
allow dccifd_t proc_t:file { getattr read };

#
# dccm - sendmail milter client
#
daemon_domain(dccm, `, privlog, nscd_client_domain')
dcc_common(dccm);
# Regular files dccm creates in the dcc run directory get dccm_var_run_t
file_type_auto_trans(dccm_t, dcc_var_run_t, dccm_var_run_t, file)

# Allow the domain to communicate with other processes
allow dccm_t self:unix_stream_socket create_stream_socket_perms;

# Updating map, ...
# dccm may create non-device files and directories labelled dcc_var_t
create_dir_notdevfile(dccm_t, dcc_var_t);
# (dcc_common already contains this same rule for every dcc domain)
allow dccm_t dcc_client_map_t:file rw_file_perms;

# dccm communications socket: socket files dccm creates in the dcc run
# directory are labelled dccm_sock_t
type dccm_sock_t, file_type, sysadmfile;
file_type_auto_trans(dccm_t, dcc_var_run_t, dccm_sock_t, sock_file)

#
# dccproc - dcc procmail interface
#
# The domain is named dcc_client_t; access_dcc transitions external spam
# checkers into it.
#
application_domain(dcc_client, `, privlog, nscd_client_domain')
role system_r types dcc_client_t;
dcc_common(dcc_client)

# suid program
allow dcc_client_t self:capability setuid;

# Running from the command line: use descriptors inherited from sshd and
# read/write the sysadm pseudo-terminal
allow dcc_client_t sshd_t:fd use;
allow dcc_client_t sysadm_devpts_t:chr_file rw_file_perms;

##########
##########

#
# DCC Utilities
#

#
# dbclean - database cleanup tool
#
# Entered from dccd_t through the domain_auto_trans rule in the dccd
# section, or run directly from the command line.
#
application_domain(dcc_dbclean, `, nscd_client_domain')
role system_r types dcc_dbclean_t;
dcc_common(dcc_dbclean)

# Updating various files.
create_dir_file(dcc_dbclean_t, dcc_var_t);

# wants to look at /proc/meminfo
allow dcc_dbclean_t proc_t:dir search;
allow dcc_dbclean_t proc_t:file { getattr read };

# Running from the command line
allow dcc_dbclean_t sshd_t:fd use;
allow dcc_dbclean_t sysadm_devpts_t:chr_file rw_file_perms;

##########
##########

#
# DCC Startup scripts
#
# These are shell scripts that start/stop/restart the various dcc
# programs.
#
init_service_domain(dcc_script, `, nscd_client_domain')
general_domain_access(dcc_script_t)
general_proc_read_access(dcc_script_t)
# NOTE(review): can_exec_any is a wide grant for a script domain that also
# holds setuid and reaches a su domain - presumably needed because the
# scripts call assorted shell utilities; confirm and narrow if possible.
can_exec_any(dcc_script_t)
dcc_common(dcc_script)

# Allow calling the script from an init script (initrc_t) or from
# rc.local (staff_t).  Either source domain enters dcc_script_t when it
# executes a file labelled dcc_script_exec_t.
domain_auto_trans({ initrc_t staff_t }, dcc_script_exec_t, dcc_script_t)

# Start up the daemon process.  These scripts run 'su' to change to
# the dcc user (even though the default dcc user is root).
# The script domain may change uid; su itself runs in dcc_script_su_t, and
# from there the three daemon executables transition to their own domains.
allow dcc_script_t self:capability setuid;
su_restricted_domain(dcc_script, system)
role system_r types dcc_script_su_t;
domain_auto_trans(dcc_script_su_t, dccd_exec_t, dccd_t)
domain_auto_trans(dcc_script_su_t, dccm_exec_t, dccm_t)
domain_auto_trans(dcc_script_su_t, dccifd_exec_t, dccifd_t)

# Stop the daemon process
# NOTE(review): only dccifd_t and dccm_t are listed; dccd_t can be started
# above but is not a signal target here - confirm whether that is intended.
allow dcc_script_t { dccifd_t dccm_t }:process { sigkill signal };

# Access various DCC files (the run directory and the per-daemon files in it)
allow dcc_script_t { var_t var_run_t dcc_var_run_t}:dir { getattr search };
allow dcc_script_t { dccifd_var_run_t dccm_var_run_t }:file { getattr read };

# Descriptors and terminals inherited from the init script that started us
allow { dcc_script_t dcc_script_su_t } initrc_t:fd use;
allow { dcc_script_t dcc_script_su_t } devpts_t:dir search;
allow { dcc_script_t dcc_script_su_t } initrc_devpts_t:chr_file rw_file_perms;
allow dcc_script_t devtty_t:chr_file { read write };
allow dcc_script_su_t sysadm_home_dir_t:dir search;
# NOTE(review): this lets the su domain transition into sysadm_t, and
# noatsecure / rlimitinh / siginh mean the new process keeps the caller's
# environment handling, resource limits and signal state instead of having
# them reset.  That is a privileged path out of a script domain; confirm it
# is needed for starting the daemons and is not a leftover from debugging.
allow dcc_script_su_t sysadm_t:process { noatsecure rlimitinh siginh transition };
allow dcc_script_su_t initrc_devpts_t:chr_file { relabelfrom relabelto };

# Denied without an audit record; these accesses will not appear in the
# AVC log for the script domains
dontaudit dcc_script_su_t kernel_t:fd use;
dontaudit dcc_script_su_t root_t:file read;
dontaudit dcc_script_t { home_root_t user_home_dir_t}:dir { getattr search };

allow sysadm_t dcc_script_t:fd use;

##########
##########

#
# External spam checkers need to run and/or talk to DCC
#
# access_dcc - $1 is the domain prefix of the spam checker.  Executing the
# dcc client binary moves it into dcc_client_t, and it may connect to the
# dccifd socket under dcc_var_t.
#
define(`access_dcc',`
domain_auto_trans($1_t, dcc_client_exec_t, dcc_client_t);
allow $1_t dcc_var_t:dir search;
allow $1_t dccifd_sock_t:sock_file { getattr write };
allow $1_t dccifd_t:unix_stream_socket connectto;
# NOTE(review): connectto on dcc_script_t is unexplained here; presumably
# it covers a listener still running in the script domain - confirm
allow $1_t dcc_script_t:unix_stream_socket connectto;
')

# Only instantiated when the corresponding policy files are part of the build
ifdef(`amavis.te',`access_dcc(amavisd)')
ifdef(`spamd.te',`access_dcc(spamd)')